org.springframework.http.HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS

Here are the examples of the java api org.springframework.http.HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS taken from open source projects. By voting up you can indicate which examples are most useful and appropriate.

57 Examples 7

19 View Source File : CorsFilter.java
License : MIT License
Project Creator : zhaojun1998

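/**
 * Adds CORS response headers to every response and ends processing for preflight requests.
 *
 * <p>NOTE(review): the request's {@code Origin} value is copied into
 * {@code Access-Control-Allow-Origin} without validation while
 * {@code Access-Control-Allow-Credentials} is {@code true}. A page on any origin can therefore
 * send credentialed requests and read the responses. The origin should be compared against a
 * configured allow-list before it is echoed; no such list is in scope here, so the reflection
 * itself is left unchanged.
 *
 * @param request  incoming request, cast to {@link HttpServletRequest}
 * @param response outgoing response, cast to {@link HttpServletResponse}
 * @param chain    remaining filter chain, invoked only for non-preflight requests
 * @throws IOException      propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpServletRequest = (HttpServletRequest) request;
    HttpServletResponse httpServletResponse = (HttpServletResponse) response;
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, httpServletRequest.getHeader(HttpHeaders.ORIGIN));
    // The allowed origin depends on the request, so caches must key the response on Origin.
    httpServletResponse.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, "Origin, X-Requested-With, Content-Type, Accept");
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET, POST, PUT, DELETE, OPTIONS");
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE, "3600");
    // A preflight request is fully answered by the headers above; do not run the handler.
    if (!CorsUtils.isPreFlightRequest(httpServletRequest)) {
        chain.doFilter(httpServletRequest, httpServletResponse);
    }
}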

19 View Source File : WebMvcEndpointCorsIntegrationTests.java
License : Apache License 2.0
Project Creator : yuanmabiji

/**
 * With {@code allow-credentials:true} configured for the management endpoints, an accepted
 * CORS request must carry {@code Access-Control-Allow-Credentials: true}.
 */
@Test
public void credentialsCanBeAllowed() throws Exception {
    String allowedOrigins = "management.endpoints.web.cors.allowed-origins:foo.example.com";
    String allowCredentials = "management.endpoints.web.cors.allow-credentials:true";
    TestPropertyValues.of(allowedOrigins, allowCredentials).applyTo(this.context);
    performAcceptedCorsRequest()
            .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"));
}

19 View Source File : WebMvcEndpointCorsIntegrationTests.java
License : Apache License 2.0
Project Creator : yuanmabiji

/**
 * With {@code allow-credentials:false} configured, an accepted CORS request must not carry the
 * {@code Access-Control-Allow-Credentials} header at all.
 */
@Test
public void credentialsCanBeDisabled() throws Exception {
    String allowedOrigins = "management.endpoints.web.cors.allowed-origins:foo.example.com";
    String allowCredentials = "management.endpoints.web.cors.allow-credentials:false";
    TestPropertyValues.of(allowedOrigins, allowCredentials).applyTo(this.context);
    performAcceptedCorsRequest()
            .andExpect(header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
}

19 View Source File : WebFluxEndpointCorsIntegrationTests.java
License : Apache License 2.0
Project Creator : yuanmabiji

/**
 * With {@code allow-credentials:true} configured, an accepted CORS request to
 * {@code /actuator/beans} must carry {@code Access-Control-Allow-Credentials: true}.
 */
@Test
public void credentialsCanBeAllowed() {
    String allowedOrigins = "management.endpoints.web.cors.allowed-origins:spring.example.org";
    String allowCredentials = "management.endpoints.web.cors.allow-credentials:true";
    TestPropertyValues.of(allowedOrigins, allowCredentials).applyTo(this.context);
    performAcceptedCorsRequest("/actuator/beans")
            .expectHeader()
            .valueEquals(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
}

19 View Source File : WebFluxEndpointCorsIntegrationTests.java
License : Apache License 2.0
Project Creator : yuanmabiji

/**
 * With {@code allow-credentials:false} configured, an accepted CORS request to
 * {@code /actuator/beans} must not carry {@code Access-Control-Allow-Credentials}.
 */
@Test
public void credentialsCanBeDisabled() {
    String allowedOrigins = "management.endpoints.web.cors.allowed-origins:spring.example.org";
    String allowCredentials = "management.endpoints.web.cors.allow-credentials:false";
    TestPropertyValues.of(allowedOrigins, allowCredentials).applyTo(this.context);
    performAcceptedCorsRequest("/actuator/beans")
            .expectHeader()
            .doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS);
}

19 View Source File : CORSFilter.java
License : MIT License
Project Creator : wuyc

// private final String ALLOW_HEADERS = "X-Token" + ", " + HttpHeaders.CONTENT_TYPE;
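/**
 * Adds CORS response headers to every response and ends processing for preflight requests.
 *
 * <p>NOTE(review): the request's {@code Origin} value is echoed into
 * {@code Access-Control-Allow-Origin} without validation while credentials are allowed, so any
 * origin can make credentialed requests and read the responses. Validate the origin against a
 * configured allow-list before echoing it; none is in scope in this block. Also note that
 * browsers treat {@code *} in {@code Access-Control-Allow-Headers} as a literal header name,
 * not a wildcard, when the request carries credentials.
 *
 * @param request  incoming request, cast to {@link HttpServletRequest}
 * @param response outgoing response, cast to {@link HttpServletResponse}
 * @param chain    remaining filter chain, invoked only for non-preflight requests
 * @throws IOException      propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpServletRequest = (HttpServletRequest) request;
    HttpServletResponse httpServletResponse = (HttpServletResponse) response;
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, httpServletRequest.getHeader(HttpHeaders.ORIGIN));
    // The allowed origin depends on the request, so caches must key the response on Origin.
    httpServletResponse.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, "*");
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET, POST, PUT, PATCH, DELETE, OPTIONS");
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE, "3600");
    // A preflight request is fully answered by the headers above; do not run the handler.
    if (!CorsUtils.isPreFlightRequest(httpServletRequest)) {
        chain.doFilter(request, response);
    }
}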

19 View Source File : CorsFilter.java
License : MIT License
Project Creator : WeiziPlus

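/**
 * Applies the CORS policy: a request whose {@code Origin} is neither listed in
 * {@code CORS_FILTER_ORIGINS} nor covered by a {@code "*"} entry is answered with 403;
 * otherwise the CORS response headers are added and the chain continues.
 *
 * <p>An entry matches when it equals the {@code Origin} value exactly, or equals it up to an
 * explicit port. A plain prefix comparison is not used because it would also accept a
 * different host that merely starts with a listed entry.
 *
 * <p>Credentials are allowed only for an origin that is explicitly listed, and that origin is
 * echoed back. When only the {@code "*"} entry applies, {@code Access-Control-Allow-Origin: *}
 * is sent without {@code Access-Control-Allow-Credentials}, because browsers refuse
 * credentialed responses that use the wildcard.
 *
 * @param req   incoming request, cast to {@link HttpServletRequest}
 * @param res   outgoing response, cast to {@link HttpServletResponse}
 * @param chain remaining filter chain
 * @throws IOException      propagated from the chain or the response writer
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    String originHeader = request.getHeader(HttpHeaders.ORIGIN);
    // No Origin header means this is not a cross-origin request: pass it straight through.
    if (ToolUtils.isBlank(originHeader)) {
        chain.doFilter(req, res);
        return;
    }
    boolean wildcardAllowed = false;
    boolean originListed = false;
    // Check whether the request origin is one of the configured origins.
    for (String origin : CORS_FILTER_ORIGINS) {
        // A "*" entry admits every origin, but an explicit entry still takes precedence.
        if ("*".equals(origin)) {
            wildcardAllowed = true;
            continue;
        }
        // Exact match, or the same scheme and host followed by an explicit port.
        if (originHeader.equals(origin) || originHeader.startsWith(origin + ":")) {
            originListed = true;
            break;
        }
    }
    if (!originListed && !wildcardAllowed) {
        // Origin is not allowed: answer 403 and stop.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.getWriter().print(JSON.toJSONString(ResultUtils.errorRole("access denied;拒绝访问")));
        return;
    }
    if (originListed) {
        response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, originHeader);
        // The allowed origin depends on the request, so caches must key on Origin.
        response.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
        response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
    } else {
        response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "*");
    }
    response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "POST,GET,PUT,OPTIONS,DELETE");
    response.setHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE, "3600");
    response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, "Accept,Content-Type,Origin," + GlobalConfig.TOKEN);
    chain.doFilter(req, res);
}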

19 View Source File : CorsUrlHandlerMappingTests.java
License : MIT License
Project Creator : Vip-Augus

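/**
 * Verifies that an actual (GET) request resolved through a {@code CorsConfigurationSource}
 * reaches the welcome controller and that the response echoes the request origin with
 * {@code Access-Control-Allow-Credentials: true}.
 */
@Test
public void actualRequestWithCorsConfigurationSource() throws Exception {
    this.handlerMapping.setCorsConfigurationSource(new CustomCorsConfigurationSource());
    String origin = "https://domain2.com";
    ServerWebExchange exchange = createExchange(HttpMethod.GET, "/welcome.html", origin);
    Object actual = this.handlerMapping.getHandler(exchange).block();
    assertNotNull(actual);
    assertSame(this.welcomeController, actual);
    HttpHeaders headers = exchange.getResponse().getHeaders();
    assertEquals("https://domain2.com", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("true", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
}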

19 View Source File : CorsUrlHandlerMappingTests.java
License : MIT License
Project Creator : Vip-Augus

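/**
 * Verifies that a preflight (OPTIONS) request resolved through a
 * {@code CorsConfigurationSource} is not routed to the welcome controller and that the
 * response echoes the request origin with {@code Access-Control-Allow-Credentials: true}.
 */
@Test
public void preFlightRequestWithCorsConfigurationSource() throws Exception {
    this.handlerMapping.setCorsConfigurationSource(new CustomCorsConfigurationSource());
    String origin = "https://domain2.com";
    ServerWebExchange exchange = createExchange(HttpMethod.OPTIONS, "/welcome.html", origin);
    Object actual = this.handlerMapping.getHandler(exchange).block();
    assertNotNull(actual);
    // Preflight is answered by a different handler than the mapped controller.
    assertNotSame(this.welcomeController, actual);
    HttpHeaders headers = exchange.getResponse().getHeaders();
    assertEquals("https://domain2.com", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("true", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
}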

19 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : Vip-Augus

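/**
 * Verifies that an actual request from a listed origin gets that origin echoed back together
 * with {@code Access-Control-Allow-Credentials: true} and the three {@code Vary} entries.
 * The request comes from {@code actualRequest()}, which is defined outside this snippet.
 */
@Test
public void actualRequestCredentials() throws Exception {
    ServerWebExchange exchange = actualRequest();
    this.conf.addAllowedOrigin("https://domain1.com");
    this.conf.addAllowedOrigin("https://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.com");
    this.conf.setAllowCredentials(true);
    this.processor.process(this.conf, exchange);
    ServerHttpResponse response = exchange.getResponse();
    HttpHeaders headers = response.getHeaders();
    assertTrue(headers.containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("https://domain2.com", headers.getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(headers.containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(headers.get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS));
    // The processor must not set a status on an accepted request.
    assertNull(response.getStatusCode());
}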

19 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : Vip-Augus

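/**
 * Verifies that a preflight request (method GET, header {@code Header1}) from a listed origin
 * gets that origin echoed back with {@code Access-Control-Allow-Credentials: true} and the
 * three {@code Vary} entries.
 */
@Test
public void preflightRequestCredentials() throws Exception {
    ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest().header(ACCESS_CONTROL_REQUEST_METHOD, "GET").header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1"));
    this.conf.addAllowedOrigin("https://domain1.com");
    this.conf.addAllowedOrigin("https://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.com");
    this.conf.addAllowedHeader("Header1");
    this.conf.setAllowCredentials(true);
    this.processor.process(this.conf, exchange);
    ServerHttpResponse response = exchange.getResponse();
    HttpHeaders headers = response.getHeaders();
    assertTrue(headers.containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("https://domain2.com", headers.getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(headers.containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(headers.get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS));
    // The processor must not set a status on an accepted request.
    assertNull(response.getStatusCode());
}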

19 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : Vip-Augus

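/**
 * Pins the processor's behaviour when the allowed origin is {@code "*"} and credentials are
 * enabled: the request origin is echoed back and {@code Access-Control-Allow-Credentials}
 * is {@code true}.
 *
 * <p>NOTE(review): this combination trusts every origin with credentials. Later Spring
 * Framework releases reject it in {@code CorsConfiguration} and offer allowed-origin patterns
 * instead; confirm which behaviour the version in use has before copying this setup.
 */
@Test
public void actualRequestCredentialsWithOriginWildcard() throws Exception {
    ServerWebExchange exchange = actualRequest();
    this.conf.addAllowedOrigin("*");
    this.conf.setAllowCredentials(true);
    this.processor.process(this.conf, exchange);
    ServerHttpResponse response = exchange.getResponse();
    HttpHeaders headers = response.getHeaders();
    assertTrue(headers.containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
    // The concrete origin is returned, not the literal "*".
    assertEquals("https://domain2.com", headers.getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(headers.containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(headers.get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS));
    assertNull(response.getStatusCode());
}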

19 View Source File : MagicCorsFilter.java
License : MIT License
Project Creator : ssssssss-team

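/**
 * Writes CORS response headers derived from the request's own CORS headers.
 *
 * <p>NOTE(review): the {@code Origin}, {@code Access-Control-Request-Headers} and
 * {@code Access-Control-Request-Method} values are echoed back without validation while
 * credentials are allowed, so the caller dictates the policy and any origin can make
 * credentialed requests and read the responses. Validate the origin against a configured
 * allow-list before echoing it; none is in scope in this block. When no origin is sent the
 * response pairs {@code *} with {@code Access-Control-Allow-Credentials: true}, a combination
 * browsers reject for credentialed requests.
 *
 * @param request  request whose CORS headers are read
 * @param response response that receives the CORS headers
 */
public void process(HttpServletRequest request, HttpServletResponse response) {
    String value = request.getHeader("Origin");
    response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, StringUtils.isBlank(value) ? "*" : value);
    // The allowed origin depends on the request, so caches must key the response on Origin.
    response.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
    response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
    value = request.getHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
    if (StringUtils.isNotBlank(value)) {
        response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, value);
    }
    value = request.getHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD);
    // Fall back to a fixed method list when the request does not name a method.
    response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, StringUtils.isBlank(value) ? "GET,POST,OPTIONS,PUT,DELETE" : value);
}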

19 View Source File : CorsUrlHandlerMappingTests.java
License : Apache License 2.0
Project Creator : SourceHot

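/**
 * Verifies that a preflight (OPTIONS) request resolved through a
 * {@code CorsConfigurationSource} is not routed to the welcome controller and that the
 * response echoes the request origin with {@code Access-Control-Allow-Credentials: true}.
 */
@Test
public void preFlightRequestWithCorsConfigurationSource() throws Exception {
    this.handlerMapping.setCorsConfigurationSource(new CustomCorsConfigurationSource());
    String origin = "https://domain2.com";
    ServerWebExchange exchange = createExchange(HttpMethod.OPTIONS, "/welcome.html", origin);
    Object actual = this.handlerMapping.getHandler(exchange).block();
    assertThat(actual).isNotNull();
    // Preflight is answered by a different handler than the mapped controller.
    assertThat(actual).isNotSameAs(this.welcomeController);
    HttpHeaders headers = exchange.getResponse().getHeaders();
    assertThat(headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isEqualTo("https://domain2.com");
    assertThat(headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isEqualTo("true");
}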

19 View Source File : CorsUrlHandlerMappingTests.java
License : Apache License 2.0
Project Creator : SourceHot

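/**
 * Verifies that an actual (GET) request resolved through a {@code CorsConfigurationSource}
 * reaches the welcome controller and that the response echoes the request origin with
 * {@code Access-Control-Allow-Credentials: true}.
 */
@Test
public void actualRequestWithCorsConfigurationSource() throws Exception {
    this.handlerMapping.setCorsConfigurationSource(new CustomCorsConfigurationSource());
    String origin = "https://domain2.com";
    ServerWebExchange exchange = createExchange(HttpMethod.GET, "/welcome.html", origin);
    Object actual = this.handlerMapping.getHandler(exchange).block();
    assertThat(actual).isNotNull();
    assertThat(actual).isSameAs(this.welcomeController);
    HttpHeaders headers = exchange.getResponse().getHeaders();
    assertThat(headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isEqualTo("https://domain2.com");
    assertThat(headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isEqualTo("true");
}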

19 View Source File : DefaultCorsProcessorTests.java
License : Apache License 2.0
Project Creator : SourceHot

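/**
 * Verifies that an actual request from a listed origin gets that origin echoed back together
 * with {@code Access-Control-Allow-Credentials: true} and the three {@code Vary} entries.
 * The request comes from {@code actualRequest()}, which is defined outside this snippet.
 */
@Test
public void actualRequestCredentials() throws Exception {
    ServerWebExchange exchange = actualRequest();
    this.conf.addAllowedOrigin("https://domain1.com");
    this.conf.addAllowedOrigin("https://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.example");
    this.conf.setAllowCredentials(true);
    this.processor.process(this.conf, exchange);
    ServerHttpResponse response = exchange.getResponse();
    HttpHeaders headers = response.getHeaders();
    assertThat(headers.containsKey(ACCESS_CONTROL_ALLOW_ORIGIN)).isTrue();
    assertThat(headers.getFirst(ACCESS_CONTROL_ALLOW_ORIGIN)).isEqualTo("https://domain2.com");
    assertThat(headers.containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isTrue();
    assertThat(headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isEqualTo("true");
    assertThat(headers.get(VARY)).contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS);
    // The processor must not set a status on an accepted request.
    assertThat((Object) response.getStatusCode()).isNull();
}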

19 View Source File : DefaultCorsProcessorTests.java
License : Apache License 2.0
Project Creator : SourceHot

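/**
 * Pins the processor's behaviour when the allowed origin is {@code "*"} and credentials are
 * enabled: the request origin is echoed back and {@code Access-Control-Allow-Credentials}
 * is {@code true}.
 *
 * <p>NOTE(review): this combination trusts every origin with credentials. Later Spring
 * Framework releases reject it in {@code CorsConfiguration} and offer allowed-origin patterns
 * instead; confirm which behaviour the version in use has before copying this setup.
 */
@Test
public void actualRequestCredentialsWithOriginWildcard() throws Exception {
    ServerWebExchange exchange = actualRequest();
    this.conf.addAllowedOrigin("*");
    this.conf.setAllowCredentials(true);
    this.processor.process(this.conf, exchange);
    ServerHttpResponse response = exchange.getResponse();
    HttpHeaders headers = response.getHeaders();
    assertThat(headers.containsKey(ACCESS_CONTROL_ALLOW_ORIGIN)).isTrue();
    // The concrete origin is returned, not the literal "*".
    assertThat(headers.getFirst(ACCESS_CONTROL_ALLOW_ORIGIN)).isEqualTo("https://domain2.com");
    assertThat(headers.containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isTrue();
    assertThat(headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isEqualTo("true");
    assertThat(headers.get(VARY)).contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS);
    assertThat((Object) response.getStatusCode()).isNull();
}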

19 View Source File : DefaultCorsProcessorTests.java
License : Apache License 2.0
Project Creator : SourceHot

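/**
 * Verifies that a preflight request (method GET, header {@code Header1}) from a listed origin
 * gets that origin echoed back with {@code Access-Control-Allow-Credentials: true} and the
 * three {@code Vary} entries.
 */
@Test
public void preflightRequestCredentials() throws Exception {
    ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest().header(ACCESS_CONTROL_REQUEST_METHOD, "GET").header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1"));
    this.conf.addAllowedOrigin("https://domain1.com");
    this.conf.addAllowedOrigin("https://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.example");
    this.conf.addAllowedHeader("Header1");
    this.conf.setAllowCredentials(true);
    this.processor.process(this.conf, exchange);
    ServerHttpResponse response = exchange.getResponse();
    HttpHeaders headers = response.getHeaders();
    assertThat(headers.containsKey(ACCESS_CONTROL_ALLOW_ORIGIN)).isTrue();
    assertThat(headers.getFirst(ACCESS_CONTROL_ALLOW_ORIGIN)).isEqualTo("https://domain2.com");
    assertThat(headers.containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isTrue();
    assertThat(headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isEqualTo("true");
    assertThat(headers.get(VARY)).contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS);
    // The processor must not set a status on an accepted request.
    assertThat((Object) response.getStatusCode()).isNull();
}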

19 View Source File : CorsUrlHandlerMappingTests.java
License : MIT License
Project Creator : mindcarver

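/**
 * Verifies that a preflight (OPTIONS) request resolved through a
 * {@code CorsConfigurationSource} is not routed to the welcome controller and that the
 * response echoes the request origin with {@code Access-Control-Allow-Credentials: true}.
 */
@Test
public void preFlightRequestWithCorsConfigurationSource() throws Exception {
    this.handlerMapping.setCorsConfigurationSource(new CustomCorsConfigurationSource());
    String origin = "http://domain2.com";
    ServerWebExchange exchange = createExchange(HttpMethod.OPTIONS, "/welcome.html", origin);
    Object actual = this.handlerMapping.getHandler(exchange).block();
    assertNotNull(actual);
    // Preflight is answered by a different handler than the mapped controller.
    assertNotSame(this.welcomeController, actual);
    HttpHeaders headers = exchange.getResponse().getHeaders();
    assertEquals("http://domain2.com", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("true", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
}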

19 View Source File : CorsUrlHandlerMappingTests.java
License : MIT License
Project Creator : mindcarver

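/**
 * Verifies that an actual (GET) request resolved through a {@code CorsConfigurationSource}
 * reaches the welcome controller and that the response echoes the request origin with
 * {@code Access-Control-Allow-Credentials: true}.
 */
@Test
public void actualRequestWithCorsConfigurationSource() throws Exception {
    this.handlerMapping.setCorsConfigurationSource(new CustomCorsConfigurationSource());
    String origin = "http://domain2.com";
    ServerWebExchange exchange = createExchange(HttpMethod.GET, "/welcome.html", origin);
    Object actual = this.handlerMapping.getHandler(exchange).block();
    assertNotNull(actual);
    assertSame(this.welcomeController, actual);
    HttpHeaders headers = exchange.getResponse().getHeaders();
    assertEquals("http://domain2.com", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("true", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
}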

19 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : mindcarver

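/**
 * Verifies that a preflight request (method GET, header {@code Header1}) from a listed origin
 * gets that origin echoed back with {@code Access-Control-Allow-Credentials: true} and the
 * three {@code Vary} entries.
 */
@Test
public void preflightRequestCredentials() throws Exception {
    ServerWebExchange exchange = MockServerWebExchange.from(preFlightRequest().header(ACCESS_CONTROL_REQUEST_METHOD, "GET").header(ACCESS_CONTROL_REQUEST_HEADERS, "Header1"));
    this.conf.addAllowedOrigin("http://domain1.com");
    this.conf.addAllowedOrigin("http://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.com");
    this.conf.addAllowedHeader("Header1");
    this.conf.setAllowCredentials(true);
    this.processor.process(this.conf, exchange);
    ServerHttpResponse response = exchange.getResponse();
    HttpHeaders headers = response.getHeaders();
    assertTrue(headers.containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("http://domain2.com", headers.getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(headers.containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(headers.get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS));
    // The processor must not set a status on an accepted request.
    assertNull(response.getStatusCode());
}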

19 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : mindcarver

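/**
 * Verifies that an actual request from a listed origin gets that origin echoed back together
 * with {@code Access-Control-Allow-Credentials: true} and the three {@code Vary} entries.
 * The request comes from {@code actualRequest()}, which is defined outside this snippet.
 */
@Test
public void actualRequestCredentials() throws Exception {
    ServerWebExchange exchange = actualRequest();
    this.conf.addAllowedOrigin("http://domain1.com");
    this.conf.addAllowedOrigin("http://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.com");
    this.conf.setAllowCredentials(true);
    this.processor.process(this.conf, exchange);
    ServerHttpResponse response = exchange.getResponse();
    HttpHeaders headers = response.getHeaders();
    assertTrue(headers.containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("http://domain2.com", headers.getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(headers.containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(headers.get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS));
    // The processor must not set a status on an accepted request.
    assertNull(response.getStatusCode());
}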

19 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : mindcarver

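/**
 * Pins the processor's behaviour when the allowed origin is {@code "*"} and credentials are
 * enabled: the request origin is echoed back and {@code Access-Control-Allow-Credentials}
 * is {@code true}.
 *
 * <p>NOTE(review): this combination trusts every origin with credentials. Later Spring
 * Framework releases reject it in {@code CorsConfiguration} and offer allowed-origin patterns
 * instead; confirm which behaviour the version in use has before copying this setup.
 */
@Test
public void actualRequestCredentialsWithOriginWildcard() throws Exception {
    ServerWebExchange exchange = actualRequest();
    this.conf.addAllowedOrigin("*");
    this.conf.setAllowCredentials(true);
    this.processor.process(this.conf, exchange);
    ServerHttpResponse response = exchange.getResponse();
    HttpHeaders headers = response.getHeaders();
    assertTrue(headers.containsKey(ACCESS_CONTROL_ALLOW_ORIGIN));
    // The concrete origin is returned, not the literal "*".
    assertEquals("http://domain2.com", headers.getFirst(ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(headers.containsKey(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", headers.getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(headers.get(VARY), contains(ORIGIN, ACCESS_CONTROL_REQUEST_METHOD, ACCESS_CONTROL_REQUEST_HEADERS));
    assertNull(response.getStatusCode());
}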

19 View Source File : DefaultCorsProcessorTests.java
License : Apache License 2.0
Project Creator : langtianya

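/**
 * Verifies that a preflight request (method GET, header {@code Header1}) from a listed origin
 * gets that origin echoed back with {@code Access-Control-Allow-Credentials: true} and
 * status 200.
 */
@Test
public void preflightRequestCredentials() throws Exception {
    // Build the preflight request.
    this.request.setMethod(HttpMethod.OPTIONS.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
    this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
    this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
    // Configure the policy under test.
    this.conf.addAllowedOrigin("http://domain1.com");
    this.conf.addAllowedOrigin("http://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.com");
    this.conf.addAllowedHeader("Header1");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, request, response);
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}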

19 View Source File : DefaultCorsProcessorTests.java
License : Apache License 2.0
Project Creator : langtianya

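/**
 * Verifies that an actual GET request from a listed origin gets that origin echoed back with
 * {@code Access-Control-Allow-Credentials: true} and status 200.
 */
@Test
public void actualRequestCredentials() throws Exception {
    // Build the cross-origin request.
    this.request.setMethod(HttpMethod.GET.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
    // Configure the policy under test.
    this.conf.addAllowedOrigin("http://domain1.com");
    this.conf.addAllowedOrigin("http://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.com");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, request, response);
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}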

19 View Source File : DefaultCorsProcessorTests.java
License : Apache License 2.0
Project Creator : langtianya

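/**
 * Pins the processor's behaviour when the allowed origin is {@code "*"} and credentials are
 * enabled: the request origin is echoed back and {@code Access-Control-Allow-Credentials}
 * is {@code true}.
 *
 * <p>NOTE(review): this combination trusts every origin with credentials. Later Spring
 * Framework releases reject it in {@code CorsConfiguration} and offer allowed-origin patterns
 * instead; confirm which behaviour the version in use has before copying this setup.
 */
@Test
public void actualRequestCredentialsWithOriginWildcard() throws Exception {
    this.request.setMethod(HttpMethod.GET.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
    this.conf.addAllowedOrigin("*");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, request, response);
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    // The concrete origin is returned, not the literal "*".
    assertEquals("http://domain2.com", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals(HttpServletResponse.SC_OK, response.getStatus());
}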

19 View Source File : WebConfigurerTest.java
License : Apache License 2.0
Project Creator : jhipster

/**
 * Checks the CORS filter on an {@code /api} path: a preflight and a GET from
 * {@code other.domain.com} both succeed, and the preflight response carries the configured
 * methods, max-age, {@code Vary: Origin} and {@code Access-Control-Allow-Credentials: true}.
 *
 * <p>NOTE(review): the configuration under test allows origin {@code "*"} together with
 * credentials, and the expected result is that the caller's origin is echoed back. That
 * trusts every origin with credentials; confirm it is intended before reusing these settings
 * outside a test.
 */
@Test
void testCorsFilterOnApiPath() throws Exception {
    // CORS policy under test.
    props.getCors().setAllowedOrigins(Collections.singletonList("*"));
    props.getCors().setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE"));
    props.getCors().setAllowedHeaders(Collections.singletonList("*"));
    props.getCors().setMaxAge(1800L);
    props.getCors().setAllowCredentials(true);

    MockMvc mvc = MockMvcBuilders
            .standaloneSetup(new WebConfigurerTestController())
            .addFilters(webConfigurer.corsFilter())
            .build();

    // Preflight request.
    mvc.perform(options("/api/test-cors")
                    .header(HttpHeaders.ORIGIN, "other.domain.com")
                    .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST"))
            .andExpect(status().isOk())
            .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "other.domain.com"))
            .andExpect(header().string(HttpHeaders.VARY, "Origin"))
            .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,POST,PUT,DELETE"))
            .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"))
            .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_MAX_AGE, "1800"));

    // Actual request.
    mvc.perform(get("/api/test-cors").header(HttpHeaders.ORIGIN, "other.domain.com"))
            .andExpect(status().isOk())
            .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "other.domain.com"));
}

19 View Source File : CorsFilter.java
License : GNU General Public License v3.0
Project Creator : halo-dev

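/**
 * Adds CORS response headers to every response and ends processing for preflight requests.
 *
 * <p>NOTE(review): any non-blank {@code Origin} value is echoed into
 * {@code Access-Control-Allow-Origin} without validation while
 * {@code Access-Control-Allow-Credentials} is {@code true}, so a page on any origin can make
 * credentialed requests and read the responses. Validate the origin against a configured
 * allow-list before echoing it; none is in scope in this block.
 *
 * @param request  incoming request, cast to {@link HttpServletRequest}
 * @param response outgoing response, cast to {@link HttpServletResponse}
 * @param chain    remaining filter chain, invoked only for non-preflight requests
 * @throws IOException      propagated from the filter chain
 * @throws ServletException propagated from the filter chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpServletRequest = (HttpServletRequest) request;
    HttpServletResponse httpServletResponse = (HttpServletResponse) response;
    // Echo the caller's origin when one was sent.
    String originHeaderValue = httpServletRequest.getHeader(HttpHeaders.ORIGIN);
    if (StringUtils.isNotBlank(originHeaderValue)) {
        httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, originHeaderValue);
    }
    // The response differs by request origin, so caches must key on Origin.
    httpServletResponse.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, ALLOW_HEADERS);
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET, POST, PUT, DELETE, OPTIONS");
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
    httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE, "3600");
    // A preflight request is fully answered by the headers above; do not run the handler.
    if (!CorsUtils.isPreFlightRequest(httpServletRequest)) {
        chain.doFilter(httpServletRequest, httpServletResponse);
    }
}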

19 View Source File : ShiroFilter.java
License : Apache License 2.0
Project Creator : faster-framework

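/**
 * Adds CORS response headers, answers OPTIONS requests directly with 200, and otherwise
 * delegates to {@code super.preHandle}.
 *
 * <p>NOTE(review): the {@code origin} and {@code Access-Control-Request-Headers} values are
 * echoed back without validation while credentials are allowed, so any origin can make
 * credentialed requests and read the responses. Validate the origin against a configured
 * allow-list before echoing it; none is in scope in this block. The advertised method list
 * also includes {@code TRACE}; confirm that is intended.
 *
 * @param request  incoming request, cast to {@link HttpServletRequest}
 * @param response outgoing response, cast to {@link HttpServletResponse}
 * @return {@code false} for an OPTIONS request, otherwise the result of
 *         {@code super.preHandle}
 * @throws Exception propagated from {@code super.preHandle}
 */
@Override
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception {
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    HttpServletRequest httpServletRequest = (HttpServletRequest) request;
    httpResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, httpServletRequest.getHeader("origin"));
    // The allowed origin depends on the request, so caches must key the response on Origin.
    httpResponse.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
    httpResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS,TRACE");
    String accessControlRequestHeaders = httpServletRequest.getHeader("Access-Control-Request-Headers");
    if (!StringUtils.isEmpty(accessControlRequestHeaders)) {
        httpResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, accessControlRequestHeaders);
    }
    httpResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
    // OPTIONS is answered here, before super.preHandle runs.
    if (RequestMethod.OPTIONS.name().equals(WebUtils.toHttp(request).getMethod())) {
        httpResponse.setStatus(HttpStatus.OK.value());
        return false;
    }
    return super.preHandle(request, response);
}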

18 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : Vip-Augus

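/**
 * Verifies that an actual GET request from a listed origin gets that origin echoed back with
 * {@code Access-Control-Allow-Credentials: true}, the three {@code Vary} entries and
 * status 200.
 */
@Test
public void actualRequestCredentials() throws Exception {
    // Build the cross-origin request.
    this.request.setMethod(HttpMethod.GET.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "https://domain2.com");
    // Configure the policy under test.
    this.conf.addAllowedOrigin("https://domain1.com");
    this.conf.addAllowedOrigin("https://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.com");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, this.request, this.response);
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("https://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS));
    assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}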

18 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : Vip-Augus

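/**
 * Verifies that a preflight request (method GET, header {@code Header1}) from a listed origin
 * gets that origin echoed back with {@code Access-Control-Allow-Credentials: true}, the three
 * {@code Vary} entries and status 200.
 */
@Test
public void preflightRequestCredentials() throws Exception {
    // Build the preflight request.
    this.request.setMethod(HttpMethod.OPTIONS.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "https://domain2.com");
    this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
    this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
    // Configure the policy under test.
    this.conf.addAllowedOrigin("https://domain1.com");
    this.conf.addAllowedOrigin("https://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.com");
    this.conf.addAllowedHeader("Header1");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, this.request, this.response);
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("https://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS));
    assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}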

18 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : Vip-Augus

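/**
 * Pins the processor's behaviour when the allowed origin is {@code "*"} and credentials are
 * enabled: the request origin is echoed back and {@code Access-Control-Allow-Credentials}
 * is {@code true}.
 *
 * <p>NOTE(review): this combination trusts every origin with credentials. Later Spring
 * Framework releases reject it in {@code CorsConfiguration} and offer allowed-origin patterns
 * instead; confirm which behaviour the version in use has before copying this setup.
 */
@Test
public void actualRequestCredentialsWithOriginWildcard() throws Exception {
    this.request.setMethod(HttpMethod.GET.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "https://domain2.com");
    this.conf.addAllowedOrigin("*");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, this.request, this.response);
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    // The concrete origin is returned, not the literal "*".
    assertEquals("https://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS));
    assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}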

18 View Source File : SecurityFilter.java
License : MIT License
Project Creator : spring2go

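/**
 * Adds CORS headers, answers preflight requests, and outside debug mode redirects plain
 * HTTP to HTTPS and sets transport/browser hardening headers before continuing the chain.
 *
 * <p>NOTE(review): any non-empty {@code Origin} is echoed into
 * {@code Access-Control-Allow-Origin} together with
 * {@code Access-Control-Allow-Credentials: true}; no allow-list check is visible in this
 * method. With that pair a browser lets every origin read authenticated responses, so the
 * origin should be compared against a configured set of trusted origins before it is
 * echoed. The check is not added here because the trusted set is deployment policy.
 *
 * @param request incoming servlet request
 * @param response response that receives the CORS and hardening headers
 * @param filterChain remainder of the filter chain
 * @throws ServletException propagated from the rest of the chain
 * @throws IOException propagated from the redirect or the rest of the chain
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    // TODO - Determine how to force SSL. Depends on frontend load balancer config.
    // The CORS headers below depend on the request's Origin, so tell caches to key on it;
    // otherwise a response stored for one origin can be replayed to another.
    response.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
    String origin = request.getHeader("Origin");
    if (!isEmpty(origin)) {
        // NOTE(review): reflected origin + credentials, see the method comment.
        response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
        response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "POST, GET, OPTIONS, PUT, DELETE");
        response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, "Accept, Content-Type, Content-Length, Cookie, Accept-Encoding, X-CSRF-Token, Authorization");
    }
    // Stop here if its Preflighted OPTIONS request
    // (every OPTIONS request ends here, whether or not it is a CORS preflight)
    if ("OPTIONS".equals(request.getMethod())) {
        return;
    }
    if (!envConfig.isDebug()) {
        // Check if secure
        boolean isSecure = request.isSecure();
        if (!isSecure) {
            // Check if frontend proxy proxied it
            // NOTE(review): X-Forwarded-Proto is client-controlled unless the proxy
            // overwrites it; safe only if the app is reachable solely through that proxy.
            if ("https".equals(request.getHeader("X-Forwarded-Proto"))) {
                isSecure = true;
            }
        }
        // If not secure, then redirect
        if (!isSecure) {
            log.info("Insecure quest in uat&prod environment, redirect to https");
            try {
                // NOTE(review): the host comes from getServerName(), which normally follows
                // the Host header; validate it against the expected host names if the
                // container or proxy does not. The query string is not carried over.
                URI redirectUrl = new URI("https", request.getServerName(), request.getRequestURI(), null);
                response.sendRedirect(redirectUrl.toString());
            } catch (URISyntaxException e) {
                log.error("fail to build redirect url", e);
            }
            return;
        }
        // HSTS - force SSL
        response.setHeader("Strict-Transport-Security", "max-age=315360000; includeSubDomains; preload");
        // No iFrames
        response.setHeader("X-Frame-Options", "DENY");
        // Cross-site scripting protection
        response.setHeader("X-XSS-Protection", "1; mode=block");
    }
    filterChain.doFilter(request, response);
}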

18 View Source File : DefaultCorsProcessorTests.java
License : Apache License 2.0
Project Creator : SourceHot

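/**
 * Pins how the processor under test handles allowed origin {@code "*"} combined with
 * {@code allowCredentials = true} on an actual (GET) request.
 *
 * <p>The request's own {@code Origin} is echoed back instead of a literal {@code *}, and
 * {@code Access-Control-Allow-Credentials: true} is set. That accepts every origin for
 * credentialed requests, so treat this as documented framework behaviour and not as a
 * configuration to reuse.
 * NOTE(review): Spring Framework 5.3 and later reject this pairing in favour of
 * {@code allowedOriginPatterns}. Confirm against the version in use.
 */
@Test
public void actualRequestCredentialsWithOriginWildcard() throws Exception {
    this.request.setMethod(HttpMethod.GET.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "https://domain2.com");
    // Wildcard origin + credentials: the configuration whose outcome this test documents.
    this.conf.addAllowedOrigin("*");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, this.request, this.response);
    assertThat(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isTrue();
    // The caller's origin is reflected rather than "*".
    assertThat(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isEqualTo("https://domain2.com");
    assertThat(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isTrue();
    assertThat(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isEqualTo("true");
    assertThat(this.response.getHeaders(HttpHeaders.VARY)).contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
    assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
}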

18 View Source File : DefaultCorsProcessorTests.java
License : Apache License 2.0
Project Creator : SourceHot

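/**
 * Checks that a CORS preflight from an allow-listed origin is accepted with credentials.
 *
 * <p>With three exact origins allowed and credentials enabled, the response must name only
 * the requesting origin, set {@code Access-Control-Allow-Credentials: true}, and include
 * {@code Origin} and the two {@code Access-Control-Request-*} headers in {@code Vary}.
 */
@Test
public void preflightRequestCredentials() throws Exception {
    // A preflight is an OPTIONS request carrying the Access-Control-Request-* headers.
    this.request.setMethod(HttpMethod.OPTIONS.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "https://domain2.com");
    this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
    this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
    // Exact-match allow-list: the safe way to combine CORS with credentials.
    this.conf.addAllowedOrigin("https://domain1.com");
    this.conf.addAllowedOrigin("https://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.example");
    this.conf.addAllowedHeader("Header1");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, this.request, this.response);
    assertThat(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isTrue();
    assertThat(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isEqualTo("https://domain2.com");
    assertThat(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isTrue();
    assertThat(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isEqualTo("true");
    assertThat(this.response.getHeaders(HttpHeaders.VARY)).contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
    assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
}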

18 View Source File : DefaultCorsProcessorTests.java
License : Apache License 2.0
Project Creator : SourceHot

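/**
 * Checks that an actual (GET) CORS request from an allow-listed origin is answered with
 * that origin and {@code Access-Control-Allow-Credentials: true}.
 *
 * <p>Only the matching entry of the three-origin allow-list is returned, and {@code Vary}
 * must include {@code Origin} and the two {@code Access-Control-Request-*} headers.
 */
@Test
public void actualRequestCredentials() throws Exception {
    this.request.setMethod(HttpMethod.GET.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "https://domain2.com");
    // Exact-match allow-list: the safe way to combine CORS with credentials.
    this.conf.addAllowedOrigin("https://domain1.com");
    this.conf.addAllowedOrigin("https://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.example");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, this.request, this.response);
    assertThat(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isTrue();
    assertThat(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isEqualTo("https://domain2.com");
    assertThat(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isTrue();
    assertThat(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isEqualTo("true");
    assertThat(this.response.getHeaders(HttpHeaders.VARY)).contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
    assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
}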

18 View Source File : CorsFilter.java
License : Apache License 2.0
Project Creator : SophiaLeo

/**
 * Gateway filter that stamps a fixed set of CORS headers on every response and answers
 * every OPTIONS request itself with 200, without invoking the rest of the chain.
 *
 * <p>NOTE(review): {@code Access-Control-Allow-Origin: *} is sent together with
 * {@code Access-Control-Allow-Credentials: true}. Browsers refuse credentialed responses
 * whose allowed origin is the wildcard, and for credentialed requests they read {@code *}
 * in {@code Access-Control-Allow-Headers} literally, so this pair does not enable
 * cookie or {@code Authorization} requests. If credentials are required, match the origin
 * against an explicit allow-list; do not replace {@code *} with the reflected
 * {@code Origin}. {@code ALL} and {@code MAX_AGE} are defined outside this method.
 *
 * @param serverWebExchange current exchange
 * @param chain remaining gateway filters
 * @return an empty completion for OPTIONS, otherwise the result of the chain
 */
@Override
public Mono<Void> filter(ServerWebExchange serverWebExchange, GatewayFilterChain chain) {
    final ServerHttpResponse outbound = serverWebExchange.getResponse();
    final HttpHeaders corsHeaders = outbound.getHeaders();
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "*");
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "POST, GET, PUT, OPTIONS, DELETE, PATCH");
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, "*");
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, ALL);
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_MAX_AGE, MAX_AGE);

    // Only the method is inspected: any OPTIONS request is treated as a preflight.
    final boolean isOptions = serverWebExchange.getRequest().getMethod() == HttpMethod.OPTIONS;
    if (!isOptions) {
        return chain.filter(serverWebExchange);
    }
    outbound.setStatusCode(HttpStatus.OK);
    return Mono.empty();
}

18 View Source File : OrginGlobalFilter.java
License : Apache License 2.0
Project Creator : RansongZ

/**
 * Global gateway filter that adds a fixed set of CORS headers to every response and
 * answers every OPTIONS request itself with 204, without invoking the rest of the chain.
 *
 * <p>NOTE(review): {@code Access-Control-Allow-Origin: *} is sent together with
 * {@code Access-Control-Allow-Credentials: true}. Browsers refuse credentialed responses
 * whose allowed origin is the wildcard, so this pair does not enable cookie or
 * {@code Authorization} requests. If credentials are required, match the origin against
 * an explicit allow-list; do not replace {@code *} with the reflected {@code Origin}.
 * {@code ALL} and {@code MAX_AGE} are defined outside this method.
 *
 * @param exchange current exchange
 * @param chain remaining gateway filters
 * @return an empty completion for OPTIONS, otherwise the result of the chain
 */
@Override
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
    final ServerHttpResponse outbound = exchange.getResponse();
    final HttpHeaders corsHeaders = outbound.getHeaders();
    // Log message: "CORS handling started".
    logger.info("处理跨域开始");
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "*");
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "POST, GET, PUT, OPTIONS, DELETE, PATCH");
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, "*");
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, ALL);
    corsHeaders.add(HttpHeaders.ACCESS_CONTROL_MAX_AGE, MAX_AGE);

    // Only the method is inspected: any OPTIONS request is treated as a preflight.
    final boolean isOptions = exchange.getRequest().getMethod() == HttpMethod.OPTIONS;
    if (!isOptions) {
        // Log message: "CORS handling finished".
        logger.info("处理跨域完成");
        return chain.filter(exchange);
    }
    // Log message: "handling OPTIONS".
    logger.info("处理options");
    outbound.setStatusCode(HttpStatus.NO_CONTENT);
    return Mono.empty();
}

18 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : mindcarver

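/**
 * Checks that an actual (GET) CORS request from an allow-listed origin is answered with
 * that origin and {@code Access-Control-Allow-Credentials: true}.
 *
 * <p>Only the matching entry of the three-origin allow-list is returned, and {@code Vary}
 * must list {@code Origin} and the two {@code Access-Control-Request-*} headers.
 */
@Test
public void actualRequestCredentials() throws Exception {
    this.request.setMethod(HttpMethod.GET.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
    // Exact-match allow-list: the safe way to combine CORS with credentials.
    this.conf.addAllowedOrigin("http://domain1.com");
    this.conf.addAllowedOrigin("http://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.com");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, this.request, this.response);
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS));
    assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}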

18 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : mindcarver

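/**
 * Checks that a CORS preflight from an allow-listed origin is accepted with credentials.
 *
 * <p>With three exact origins allowed and credentials enabled, the response must name only
 * the requesting origin, set {@code Access-Control-Allow-Credentials: true}, and list
 * {@code Origin} and the two {@code Access-Control-Request-*} headers in {@code Vary}.
 */
@Test
public void preflightRequestCredentials() throws Exception {
    // A preflight is an OPTIONS request carrying the Access-Control-Request-* headers.
    this.request.setMethod(HttpMethod.OPTIONS.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
    this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
    this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1");
    // Exact-match allow-list: the safe way to combine CORS with credentials.
    this.conf.addAllowedOrigin("http://domain1.com");
    this.conf.addAllowedOrigin("http://domain2.com");
    this.conf.addAllowedOrigin("http://domain3.com");
    this.conf.addAllowedHeader("Header1");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, this.request, this.response);
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS));
    assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}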

18 View Source File : DefaultCorsProcessorTests.java
License : MIT License
Project Creator : mindcarver

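/**
 * Pins how the processor under test handles allowed origin {@code "*"} combined with
 * {@code allowCredentials = true} on an actual (GET) request.
 *
 * <p>The request's own {@code Origin} is echoed back instead of a literal {@code *}, and
 * {@code Access-Control-Allow-Credentials: true} is set. That accepts every origin for
 * credentialed requests, so treat this as documented framework behaviour and not as a
 * configuration to reuse.
 * NOTE(review): Spring Framework 5.3 and later reject this pairing in favour of
 * {@code allowedOriginPatterns}. Confirm against the version in use.
 */
@Test
public void actualRequestCredentialsWithOriginWildcard() throws Exception {
    this.request.setMethod(HttpMethod.GET.name());
    this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com");
    // Wildcard origin + credentials: the configuration whose outcome this test documents.
    this.conf.addAllowedOrigin("*");
    this.conf.setAllowCredentials(true);
    this.processor.processRequest(this.conf, this.request, this.response);
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    // The caller's origin is reflected rather than "*".
    assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS));
    assertEquals(HttpServletResponse.SC_OK, this.response.getStatus());
}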

17 View Source File : GatewayCosrConfig.java
License : Apache License 2.0
Project Creator : yanghaiji

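/**
 * Builds a {@link WebFilter} that answers CORS requests by mirroring what the caller
 * asked for: the request's origin, requested headers and requested method are copied into
 * the corresponding {@code Access-Control-Allow-*} response headers.
 *
 * <p>NOTE(review): because the origin is reflected and
 * {@code Access-Control-Allow-Credentials: true} is always sent, every origin is allowed
 * to make credentialed cross-origin reads through this gateway. Compare the origin with a
 * configured allow-list before echoing it, and prefer a fixed header list over reflecting
 * {@code Access-Control-Request-Headers}. That check is left out here because the trusted
 * set is deployment policy. {@code ALL} and {@code MAX_AGE} are defined outside this
 * method.
 *
 * @return the CORS filter bean
 */
@Bean
public WebFilter corsFilter() {
    return (ServerWebExchange ctx, WebFilterChain chain) -> {
        ServerHttpRequest request = ctx.getRequest();
        ServerHttpResponse response = ctx.getResponse();
        HttpHeaders headers = response.getHeaders();
        // The CORS headers depend on the request's Origin, so tell caches to key on it;
        // otherwise a response stored for one origin can be replayed to another.
        headers.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
        if (!CorsUtils.isCorsRequest(request)) {
            return chain.filter(ctx);
        }
        HttpHeaders requestHeaders = request.getHeaders();
        HttpMethod requestMethod = requestHeaders.getAccessControlRequestMethod();
        // NOTE(review): reflected origin + credentials, see the method comment.
        headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, requestHeaders.getOrigin());
        headers.addAll(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, requestHeaders.getAccessControlRequestHeaders());
        if (requestMethod != null) {
            headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, requestMethod.name());
        }
        headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        headers.add(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, ALL);
        headers.add(HttpHeaders.ACCESS_CONTROL_MAX_AGE, MAX_AGE);
        // Preflight is answered here; the rest of the chain never sees it.
        if (request.getMethod() == HttpMethod.OPTIONS) {
            response.setStatusCode(HttpStatus.OK);
            return Mono.empty();
        }
        return chain.filter(ctx);
    };
}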

17 View Source File : CorsConfig.java
License : MIT License
Project Creator : wells2333

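/**
 * Builds a {@link WebFilter} that answers CORS requests by mirroring what the caller
 * asked for: the request's origin, requested headers and requested method are copied into
 * the corresponding {@code Access-Control-Allow-*} response headers.
 *
 * <p>NOTE(review): because the origin is reflected and
 * {@code Access-Control-Allow-Credentials: true} is always sent, every origin is allowed
 * to make credentialed cross-origin reads. Compare the origin with a configured
 * allow-list before echoing it, and prefer a fixed header list over reflecting
 * {@code Access-Control-Request-Headers}. That check is left out here because the trusted
 * set is deployment policy. {@code ALL} and {@code MAX_AGE} are defined outside this
 * method.
 *
 * @return the CORS filter bean
 */
@Bean
public WebFilter corsFilter() {
    return (ServerWebExchange ctx, WebFilterChain chain) -> {
        ServerHttpRequest request = ctx.getRequest();
        ServerHttpResponse response = ctx.getResponse();
        HttpHeaders headers = response.getHeaders();
        // The CORS headers depend on the request's Origin, so tell caches to key on it;
        // otherwise a response stored for one origin can be replayed to another.
        headers.add(HttpHeaders.VARY, HttpHeaders.ORIGIN);
        if (!CorsUtils.isCorsRequest(request)) {
            return chain.filter(ctx);
        }
        HttpHeaders requestHeaders = request.getHeaders();
        HttpMethod requestMethod = requestHeaders.getAccessControlRequestMethod();
        // NOTE(review): reflected origin + credentials, see the method comment.
        headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, requestHeaders.getOrigin());
        headers.addAll(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, requestHeaders.getAccessControlRequestHeaders());
        if (requestMethod != null) {
            headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, requestMethod.name());
        }
        headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        headers.add(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, ALL);
        headers.add(HttpHeaders.ACCESS_CONTROL_MAX_AGE, MAX_AGE);
        // Preflight is answered here; the rest of the chain never sees it.
        if (request.getMethod() == HttpMethod.OPTIONS) {
            response.setStatusCode(HttpStatus.OK);
            return Mono.empty();
        }
        return chain.filter(ctx);
    };
}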

17 View Source File : DefaultSockJsServiceTests.java
License : MIT License
Project Creator : Vip-Augus

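/**
 * Verifies that a POST to the SockJS {@code xhr} transport is delegated to the XHR
 * handler, schedules a fixed-rate task using the service's disconnect delay, disables
 * caching, and leaves both {@code Access-Control-Allow-Origin} and
 * {@code Access-Control-Allow-Credentials} unset on the servlet response.
 *
 * <p>NOTE(review): the request is built by {@code setRequest}, which is not shown here;
 * presumably it carries no {@code Origin} header, which would explain the absent CORS
 * headers. Confirm against the helper.
 */
@Test
public void handleTransportRequestXhr() throws Exception {
    String sockJsPath = sessionUrlPrefix + "xhr";
    setRequest("POST", sockJsPrefix + sockJsPath);
    this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
    assertEquals(200, this.servletResponse.getStatus());
    verify(this.xhrHandler).handleRequest(this.request, this.response, this.wsHandler, this.session);
    verify(taskScheduler).scheduleAtFixedRate(any(Runnable.class), eq(service.getDisconnectDelay()));
    assertEquals("no-store, no-cache, must-revalidate, max-age=0", this.response.getHeaders().getCacheControl());
    // No CORS grant may be attached to this response.
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
}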

17 View Source File : CorsConfig.java
License : BSD 3-Clause "New" or "Revised" License
Project Creator : hxnlyw

/**
 * Builds a {@link WebFilter} that adds CORS headers taken from class-level constants to
 * every CORS request and answers OPTIONS CORS requests with 200 without running the rest
 * of the chain. Non-CORS requests pass through untouched.
 *
 * <p>NOTE(review): {@code Access-Control-Allow-Credentials: true} is always sent.
 * {@code ALLOWED_ORIGIN} is defined outside this method; if it is {@code "*"}, browsers
 * will refuse credentialed responses, so it should be one exact trusted origin. Confirm
 * the constant's value.
 *
 * @return the CORS filter bean
 */
@Bean
public WebFilter corsFilter() {
    return (ServerWebExchange ctx, WebFilterChain chain) -> {
        ServerHttpRequest incoming = ctx.getRequest();
        // Guard clause: nothing to add for same-origin or non-browser traffic.
        if (!CorsUtils.isCorsRequest(incoming)) {
            return chain.filter(ctx);
        }
        ServerHttpResponse outgoing = ctx.getResponse();
        HttpHeaders corsHeaders = outgoing.getHeaders();
        corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, ALLOWED_ORIGIN);
        corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, ALLOWED_HEADERS);
        corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        corsHeaders.add(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, ALLOWED_Expose);
        corsHeaders.add(HttpHeaders.ACCESS_CONTROL_MAX_AGE, MAX_AGE);
        corsHeaders.add(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, ALLOWED_METHODS);
        if (incoming.getMethod() != HttpMethod.OPTIONS) {
            return chain.filter(ctx);
        }
        // Preflight is answered here; the rest of the chain never sees it.
        outgoing.setStatusCode(HttpStatus.OK);
        return Mono.empty();
    };
}

16 View Source File : SockJsServiceTests.java
License : MIT License
Project Creator : Vip-Augus

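/**
 * Exercises the SockJS {@code /info} endpoint over GET.
 *
 * <p>With default settings, and again after an explicit allowed-origin list is set, the
 * servlet response must carry no {@code Access-Control-Allow-Origin},
 * {@code Access-Control-Allow-Credentials} or {@code Vary} header. The JSON body is
 * checked with defaults and after the session cookie and WebSocket are turned off.
 *
 * <p>NOTE(review): the request is built by {@code resetResponseAndHandleRequest}, which
 * is not shown here; presumably it sends no {@code Origin} header. Confirm.
 */
@Test
public void handleInfoGet() throws IOException {
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    assertEquals("application/json;charset=UTF-8", this.servletResponse.getContentType());
    String header = this.servletResponse.getHeader(HttpHeaders.CACHE_CONTROL);
    assertEquals("no-store, no-cache, must-revalidate, max-age=0", header);
    // No CORS grant on the info response.
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertNull(this.servletResponse.getHeader(HttpHeaders.VARY));
    String body = this.servletResponse.getContentAsString();
    // The entropy value varies, so only the key and the tail of the body are compared.
    assertEquals("{\"entropy\"", body.substring(0, body.indexOf(':')));
    assertEquals(",\"origins\":[\"*:*\"],\"cookie_needed\":true,\"websocket\":true}", body.substring(body.indexOf(',')));
    this.service.setSessionCookieNeeded(false);
    this.service.setWebSocketEnabled(false);
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    body = this.servletResponse.getContentAsString();
    assertEquals(",\"origins\":[\"*:*\"],\"cookie_needed\":false,\"websocket\":false}", body.substring(body.indexOf(',')));
    // Restricting allowed origins must not make CORS headers appear on this request.
    this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.com"));
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertNull(this.servletResponse.getHeader(HttpHeaders.VARY));
}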

16 View Source File : DefaultSockJsServiceTests.java
License : Apache License 2.0
Project Creator : SourceHot

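/**
 * Verifies that a POST to the SockJS {@code xhr} transport is delegated to the XHR
 * handler, schedules a fixed-rate task using the service's disconnect delay, disables
 * caching, and leaves both {@code Access-Control-Allow-Origin} and
 * {@code Access-Control-Allow-Credentials} unset on the servlet response.
 *
 * <p>NOTE(review): the request is built by {@code setRequest}, which is not shown here;
 * presumably it carries no {@code Origin} header, which would explain the absent CORS
 * headers. Confirm against the helper.
 */
@Test
public void handleTransportRequestXhr() throws Exception {
    String sockJsPath = sessionUrlPrefix + "xhr";
    setRequest("POST", sockJsPrefix + sockJsPath);
    this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
    assertThat(this.servletResponse.getStatus()).isEqualTo(200);
    verify(this.xhrHandler).handleRequest(this.request, this.response, this.wsHandler, this.session);
    verify(taskScheduler).scheduleAtFixedRate(any(Runnable.class), eq(service.getDisconnectDelay()));
    assertThat(this.response.getHeaders().getCacheControl()).isEqualTo("no-store, no-cache, must-revalidate, max-age=0");
    // No CORS grant may be attached to this response.
    assertThat(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();
    assertThat(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isNull();
}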

16 View Source File : SockJsServiceTests.java
License : MIT License
Project Creator : mindcarver

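/**
 * Exercises the SockJS {@code /info} endpoint over GET.
 *
 * <p>With default settings, and again after an explicit allowed-origin list is set, the
 * servlet response must carry no {@code Access-Control-Allow-Origin},
 * {@code Access-Control-Allow-Credentials} or {@code Vary} header. The JSON body is
 * checked with defaults and after the session cookie and WebSocket are turned off.
 *
 * <p>NOTE(review): the request is built by {@code resetResponseAndHandleRequest}, which
 * is not shown here; presumably it sends no {@code Origin} header. Confirm.
 */
@Test
public void handleInfoGet() throws IOException {
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    assertEquals("application/json;charset=UTF-8", this.servletResponse.getContentType());
    String header = this.servletResponse.getHeader(HttpHeaders.CACHE_CONTROL);
    assertEquals("no-store, no-cache, must-revalidate, max-age=0", header);
    // No CORS grant on the info response.
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertNull(this.servletResponse.getHeader(HttpHeaders.VARY));
    String body = this.servletResponse.getContentAsString();
    // The entropy value varies, so only the key and the tail of the body are compared.
    assertEquals("{\"entropy\"", body.substring(0, body.indexOf(':')));
    assertEquals(",\"origins\":[\"*:*\"],\"cookie_needed\":true,\"websocket\":true}", body.substring(body.indexOf(',')));
    this.service.setSessionCookieNeeded(false);
    this.service.setWebSocketEnabled(false);
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    body = this.servletResponse.getContentAsString();
    assertEquals(",\"origins\":[\"*:*\"],\"cookie_needed\":false,\"websocket\":false}", body.substring(body.indexOf(',')));
    // Restricting allowed origins must not make CORS headers appear on this request.
    this.service.setAllowedOrigins(Collections.singletonList("http://mydomain1.com"));
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertNull(this.servletResponse.getHeader(HttpHeaders.VARY));
}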

16 View Source File : SockJsServiceTests.java
License : Apache License 2.0
Project Creator : langtianya

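/**
 * Exercises the SockJS {@code /info} endpoint over GET.
 *
 * <p>With default settings, and again after an explicit allowed-origin list is set, the
 * servlet response must carry no {@code Access-Control-Allow-Origin},
 * {@code Access-Control-Allow-Credentials} or {@code Vary} header. The JSON body is
 * checked with defaults and after the session cookie and WebSocket are turned off.
 *
 * <p>NOTE(review): the request is built by {@code resetResponseAndHandleRequest}, which
 * is not shown here; presumably it sends no {@code Origin} header. Confirm.
 */
@Test
public void handleInfoGet() throws Exception {
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    assertEquals("application/json;charset=UTF-8", this.servletResponse.getContentType());
    assertEquals("no-store, no-cache, must-revalidate, max-age=0", this.servletResponse.getHeader(HttpHeaders.CACHE_CONTROL));
    // No CORS grant on the info response.
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertNull(this.servletResponse.getHeader(HttpHeaders.VARY));
    String body = this.servletResponse.getContentAsString();
    // The entropy value varies, so only the key and the tail of the body are compared.
    assertEquals("{\"entropy\"", body.substring(0, body.indexOf(':')));
    assertEquals(",\"origins\":[\"*:*\"],\"cookie_needed\":true,\"websocket\":true}", body.substring(body.indexOf(',')));
    this.service.setSessionCookieNeeded(false);
    this.service.setWebSocketEnabled(false);
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    body = this.servletResponse.getContentAsString();
    assertEquals(",\"origins\":[\"*:*\"],\"cookie_needed\":false,\"websocket\":false}", body.substring(body.indexOf(',')));
    // Restricting allowed origins must not make CORS headers appear on this request.
    this.service.setAllowedOrigins(Arrays.asList("http://mydomain1.com"));
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    assertNull(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
    assertNull(this.servletResponse.getHeader(HttpHeaders.VARY));
}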

15 View Source File : SockJsServiceTests.java
License : Apache License 2.0
Project Creator : SourceHot

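/**
 * Exercises the SockJS {@code /info} endpoint over GET.
 *
 * <p>With default settings, and again after an explicit allowed-origin list is set, the
 * servlet response must carry no {@code Access-Control-Allow-Origin},
 * {@code Access-Control-Allow-Credentials} or {@code Vary} header. The JSON body is
 * checked with defaults and after the session cookie and WebSocket are turned off.
 *
 * <p>NOTE(review): the request is built by {@code resetResponseAndHandleRequest}, which
 * is not shown here; presumably it sends no {@code Origin} header. Confirm.
 */
@Test
public void handleInfoGet() throws IOException {
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    assertThat(this.servletResponse.getContentType()).isEqualTo("application/json;charset=UTF-8");
    String header = this.servletResponse.getHeader(HttpHeaders.CACHE_CONTROL);
    assertThat(header).isEqualTo("no-store, no-cache, must-revalidate, max-age=0");
    // No CORS grant on the info response.
    assertThat(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();
    assertThat(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isNull();
    assertThat(this.servletResponse.getHeader(HttpHeaders.VARY)).isNull();
    String body = this.servletResponse.getContentAsString();
    // The entropy value varies, so only the key and the tail of the body are compared.
    assertThat(body.substring(0, body.indexOf(':'))).isEqualTo("{\"entropy\"");
    assertThat(body.substring(body.indexOf(','))).isEqualTo(",\"origins\":[\"*:*\"],\"cookie_needed\":true,\"websocket\":true}");
    this.service.setSessionCookieNeeded(false);
    this.service.setWebSocketEnabled(false);
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    body = this.servletResponse.getContentAsString();
    assertThat(body.substring(body.indexOf(','))).isEqualTo(",\"origins\":[\"*:*\"],\"cookie_needed\":false,\"websocket\":false}");
    // Restricting allowed origins must not make CORS headers appear on this request.
    this.service.setAllowedOrigins(Collections.singletonList("https://mydomain1.example"));
    resetResponseAndHandleRequest("GET", "/echo/info", HttpStatus.OK);
    assertThat(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)).isNull();
    assertThat(this.servletResponse.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)).isNull();
    assertThat(this.servletResponse.getHeader(HttpHeaders.VARY)).isNull();
}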
