Polishing

Optimize same origin check when the request is an instance of
ServletServerHttpRequest and when there is no forwarded headers.

This commit also optimizes the getPort methods and ForwardedHeaderFilter
forwarded headers checks.

Issue: SPR-16262

Author: sdeleuze

spring-web/src/main/java/org/springframework/web/cors/reactive/CorsUtils.java

@@ -64,20 +64,19 @@ public static boolean isSameOrigin(ServerHttpRequest request) {
 		UriComponentsBuilder urlBuilder = UriComponentsBuilder.fromHttpRequest(request);
 		UriComponents actualUrl = urlBuilder.build();
 		String actualHost = actualUrl.getHost();
-		int actualPort = getPort(actualUrl);
+		int actualPort = getPort(actualUrl.getScheme(), actualUrl.getPort());
 		Assert.notNull(actualHost, "Actual request host must not be null");
 		Assert.isTrue(actualPort != -1, "Actual request port must not be undefined");
 		UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build();
-		return (actualHost.equals(originUrl.getHost()) && actualPort == getPort(originUrl));
+		return (actualHost.equals(originUrl.getHost()) && actualPort == getPort(originUrl.getScheme(), originUrl.getPort()));
 	}
 
-	private static int getPort(UriComponents uri) {
-		int port = uri.getPort();
+	private static int getPort(String scheme, int port) {
 		if (port == -1) {
-			if ("http".equals(uri.getScheme()) || "ws".equals(uri.getScheme())) {
+			if ("http".equals(scheme) || "ws".equals(scheme)) {
 				port = 80;
 			}
-			else if ("https".equals(uri.getScheme()) || "wss".equals(uri.getScheme())) {
+			else if ("https".equals(scheme) || "wss".equals(scheme)) {
 				port = 443;
 			}
 		}

spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java

@@ -118,10 +118,8 @@ public void setRelativeRedirects(boolean relativeRedirects) {
 
 	@Override
 	protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
-		Enumeration<String> names = request.getHeaderNames();
-		while (names.hasMoreElements()) {
-			String name = names.nextElement();
-			if (FORWARDED_HEADER_NAMES.contains(name)) {
+		for (String headerName : FORWARDED_HEADER_NAMES) {
+			if (request.getHeader(headerName) != null) {
 				return false;
 			}
 		}

spring-web/src/main/java/org/springframework/web/filter/reactive/ForwardedHeaderFilter.java

@@ -17,16 +17,14 @@
 package org.springframework.web.filter.reactive;
 
 import java.net.URI;
-import java.util.Collections;
-import java.util.Locale;
+import java.util.LinkedHashSet;
 import java.util.Set;
 
 import reactor.core.publisher.Mono;
 
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.lang.Nullable;
-import org.springframework.util.LinkedCaseInsensitiveMap;
 import org.springframework.web.server.ServerWebExchange;
 import org.springframework.web.server.WebFilter;
 import org.springframework.web.server.WebFilterChain;
@@ -47,8 +45,7 @@
  */
 public class ForwardedHeaderFilter implements WebFilter {
 
-	private static final Set<String> FORWARDED_HEADER_NAMES =
-			Collections.newSetFromMap(new LinkedCaseInsensitiveMap<>(5, Locale.ENGLISH));
+	private static final Set<String> FORWARDED_HEADER_NAMES = new LinkedHashSet<>(5);
 
 	static {
 		FORWARDED_HEADER_NAMES.add("Forwarded");
@@ -104,8 +101,13 @@ public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
 	}
 
 	private boolean shouldNotFilter(ServerHttpRequest request) {
-		return request.getHeaders().keySet().stream()
-				.noneMatch(FORWARDED_HEADER_NAMES::contains);
+		HttpHeaders headers = request.getHeaders();
+		for (String headerName : FORWARDED_HEADER_NAMES) {
+			if (headers.containsKey(headerName)) {
+				return false;
+			}
+		}
+		return true;
 	}
 
 	@Nullable

spring-web/src/main/java/org/springframework/web/util/WebUtils.java

@@ -20,7 +20,9 @@
 import java.io.FileNotFoundException;
 import java.util.Collection;
 import java.util.Enumeration;
+import java.util.LinkedHashSet;
 import java.util.Map;
+import java.util.Set;
 import java.util.StringTokenizer;
 import java.util.TreeMap;
 import javax.servlet.ServletContext;
@@ -33,6 +35,7 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpRequest;
 import org.springframework.http.server.ServletServerHttpRequest;
 import org.springframework.lang.Nullable;
@@ -135,6 +138,16 @@ public abstract class WebUtils {
 	/** Key for the mutex session attribute */
 	public static final String SESSION_MUTEX_ATTRIBUTE = WebUtils.class.getName() + ".MUTEX";
 
+	private static final Set<String> FORWARDED_HEADER_NAMES = new LinkedHashSet<>(5);
+
+	static {
+		FORWARDED_HEADER_NAMES.add("Forwarded");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-Host");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-Port");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-Proto");
+		FORWARDED_HEADER_NAMES.add("X-Forwarded-Prefix");
+	}
+
 
 	/**
 	 * Set a system property to the web application root directory.
@@ -693,36 +706,60 @@ else if (CollectionUtils.isEmpty(allowedOrigins)) {
 	 * @since 4.2
 	 */
 	public static boolean isSameOrigin(HttpRequest request) {
-		String origin = request.getHeaders().getOrigin();
+		HttpHeaders headers = request.getHeaders();
+		String origin = headers.getOrigin();
 		if (origin == null) {
 			return true;
 		}
-		UriComponentsBuilder urlBuilder;
+		String scheme;
+		String host;
+		int port;
 		if (request instanceof ServletServerHttpRequest) {
 			// Build more efficiently if we can: we only need scheme, host, port for origin comparison
 			HttpServletRequest servletRequest = ((ServletServerHttpRequest) request).getServletRequest();
-			urlBuilder = new UriComponentsBuilder().
-					scheme(servletRequest.getScheme()).
-					host(servletRequest.getServerName()).
-					port(servletRequest.getServerPort()).
-					adaptFromForwardedHeaders(request.getHeaders());
+			scheme = servletRequest.getScheme();
+			host = servletRequest.getServerName();
+			port = servletRequest.getServerPort();
+
+			if(containsForwardedHeaders(servletRequest)) {
+				UriComponents actualUrl = new UriComponentsBuilder()
+						.scheme(scheme)
+						.host(host)
+						.port(port)
+						.adaptFromForwardedHeaders(headers)
+						.build();
+				scheme = actualUrl.getScheme();
+				host = actualUrl.getHost();
+				port = actualUrl.getPort();
+			}
 		}
 		else {
-			urlBuilder = UriComponentsBuilder.fromHttpRequest(request);
+			UriComponents actualUrl = UriComponentsBuilder.fromHttpRequest(request).build();
+			scheme = actualUrl.getScheme();
+			host = actualUrl.getHost();
+			port = actualUrl.getPort();
 		}
-		UriComponents actualUrl = urlBuilder.build();
+
 		UriComponents originUrl = UriComponentsBuilder.fromOriginHeader(origin).build();
-		return (ObjectUtils.nullSafeEquals(actualUrl.getHost(), originUrl.getHost()) &&
-				getPort(actualUrl) == getPort(originUrl));
+		return (ObjectUtils.nullSafeEquals(host, originUrl.getHost()) &&
+				getPort(scheme, port) == getPort(originUrl.getScheme(), originUrl.getPort()));
+	}
+
+	private static boolean containsForwardedHeaders(HttpServletRequest request) {
+		for (String headerName : FORWARDED_HEADER_NAMES) {
+			if (request.getHeader(headerName) != null) {
+				return true;
+			}
+		}
+		return false;
 	}
 
-	private static int getPort(UriComponents uri) {
-		int port = uri.getPort();
+	private static int getPort(String scheme, int port) {
 		if (port == -1) {
-			if ("http".equals(uri.getScheme()) || "ws".equals(uri.getScheme())) {
+			if ("http".equals(scheme) || "ws".equals(scheme)) {
 				port = 80;
 			}
-			else if ("https".equals(uri.getScheme()) || "wss".equals(uri.getScheme())) {
+			else if ("https".equals(scheme) || "wss".equals(scheme)) {
 				port = 443;
 			}
 		}

spring-web/src/test/java/org/springframework/web/util/WebUtilsTests.java

@@ -168,7 +168,7 @@ private boolean checkValidOrigin(String serverName, int port, String originHeade
 		if (port != -1) {
 			servletRequest.setServerPort(port);
 		}
-		request.getHeaders().set(HttpHeaders.ORIGIN, originHeader);
+		servletRequest.addHeader(HttpHeaders.ORIGIN, originHeader);
 		return WebUtils.isValidOrigin(request, allowed);
 	}
 
@@ -179,7 +179,7 @@ private boolean checkSameOrigin(String serverName, int port, String originHeader
 		if (port != -1) {
 			servletRequest.setServerPort(port);
 		}
-		request.getHeaders().set(HttpHeaders.ORIGIN, originHeader);
+		servletRequest.addHeader(HttpHeaders.ORIGIN, originHeader);
 		return WebUtils.isSameOrigin(request);
 	}
 
@@ -191,15 +191,15 @@ private boolean checkSameOriginWithXForwardedHeaders(String serverName, int port
 			servletRequest.setServerPort(port);
 		}
 		if (forwardedProto != null) {
-			request.getHeaders().set("X-Forwarded-Proto", forwardedProto);
+			servletRequest.addHeader("X-Forwarded-Proto", forwardedProto);
 		}
 		if (forwardedHost != null) {
-			request.getHeaders().set("X-Forwarded-Host", forwardedHost);
+			servletRequest.addHeader("X-Forwarded-Host", forwardedHost);
 		}
 		if (forwardedPort != -1) {
-			request.getHeaders().set("X-Forwarded-Port", String.valueOf(forwardedPort));
+			servletRequest.addHeader("X-Forwarded-Port", String.valueOf(forwardedPort));
 		}
-		request.getHeaders().set(HttpHeaders.ORIGIN, originHeader);
+		servletRequest.addHeader(HttpHeaders.ORIGIN, originHeader);
 		return WebUtils.isSameOrigin(request);
 	}
 
@@ -210,8 +210,8 @@ private boolean checkSameOriginWithForwardedHeader(String serverName, int port,
 		if (port != -1) {
 			servletRequest.setServerPort(port);
 		}
-		request.getHeaders().set("Forwarded", forwardedHeader);
-		request.getHeaders().set(HttpHeaders.ORIGIN, originHeader);
+		servletRequest.addHeader("Forwarded", forwardedHeader);
+		servletRequest.addHeader(HttpHeaders.ORIGIN, originHeader);
 		return WebUtils.isSameOrigin(request);
 	}