Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot use SpEL expression to inject an array into @CrossOrigin's value attribute #24982

Closed
Ikki-Dai opened this issue Apr 27, 2020 · 5 comments
Closed

Cannot use SpEL expression to inject an array into @CrossOrigin's value attribute #24982

Ikki-Dai opened this issue Apr 27, 2020 · 5 comments
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: superseded An issue that has been superseded by another

Comments

@Ikki-Dai
Copy link

Ikki-Dai commented Apr 27, 2020
edited
Loading

Affects: \5.2.2

we usually inject an array use comma like this:

key=A,B,C
@Value("${key}")
String[] keys;

but can't inject an array like below

origin=http://domainA.com,http://domainB.com

only key have one element, below SpEL can work fine, if key have more than 2 elements, it won't work

@CrossOrigin(value = "${origin}")

Or

@CrossOrigin(value = "#{'${origin}'.split(',')}")

Can provide any advice?
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Apr 27, 2020
@sbrannen sbrannen added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Apr 27, 2020
@sbrannen sbrannen self-assigned this Apr 27, 2020
@sbrannen
Copy link
Member

sbrannen commented Apr 28, 2020
edited
Loading

Yes, it is possible to inject an array into a field or constructor/method argument using @Value, but it is not possible to use a SpEL expression that evaluates to an array in a single String supplied to @CrossOrigin.

The reason for the latter is that each individual String configured via @CrossOrigin(value = { ... }) is processed as follows for Spring MVC (the same holds true for WebFlux).

spring-framework/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java

Lines 463 to 471 in 0a9c768

private String resolveCorsAnnotationValue(String value) {
if (this.embeddedValueResolver != null) {
String resolved = this.embeddedValueResolver.resolveStringValue(value);
return (resolved != null ? resolved : "");
}
else {
return value;
}
}

org.springframework.util.StringValueResolver.resolveStringValue(String) resolves the supplied SpEL expression, which in the provided @CrossOrigin(value = "#{'${origin}'.split(',')}") example results in a String[].

The concrete implementation org.springframework.beans.factory.config.EmbeddedValueResolver.resolveStringValue(String) then invokes toString() on that array. Thus, the elements of the array are lost.

Now, if you knew exactly how many elements were in the array -- for example always two -- you could do something like the following.

@CrossOrigin({"#{'${myOrigins}'.split(',')[0]}", "#{'${myOrigins}'.split(',')[1]}"})

But that is obviously not a robust solution.

Similarly, with the @CrossOrigin(value = "${origin}") example, if the origin property contains a comma-separated list of URLs, the property does not get automatically split, and the entire string is treated as a single URL which does not achieve the desired goal.

In summary, it is not currently possible to supply a SpEL expression via CrossOrigin.value that evaluates to anything other than a single String representing the URL.

@sbrannen sbrannen changed the title Can use SpEL inject an Array into an Annotation? Cannot use SpEL expression to inject an array into @CrossOrigin's value attribute Apr 28, 2020
@sbrannen sbrannen added for: team-attention and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Apr 28, 2020
@sbrannen sbrannen removed their assignment Jan 18, 2021
@sbrannen sbrannen added the status: waiting-for-triage An issue we've not yet triaged or decided on label Jan 18, 2021
@rstoyanchev
Copy link
Contributor

As of 5.3 we support origin patterns and I'm wondering if that helps in this case. If not, I think we should be able to treat the input as a "," separated string.

@rstoyanchev rstoyanchev added status: waiting-for-feedback We need additional information before we can continue and removed for: team-attention labels Sep 20, 2021
@Ikki-Dai
Copy link
Author

thanks, will try new version in the future

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Sep 22, 2021
@sbrannen sbrannen mentioned this issue Oct 25, 2021
Closed
@arunsai271
Copy link

I'm facing the same issue that am not able to inject a list of strings into origins parameter of @crossorigin. Can anyone help me how to inject list of allowed hosts from application.properties ?

@sbrannen sbrannen added this to the Triage Queue milestone Feb 3, 2022
@rstoyanchev
Copy link
Contributor

rstoyanchev commented Feb 8, 2022
edited
Loading

I'll close this as superseded by #27606. Any further discussion can go on there.

@rstoyanchev rstoyanchev removed this from the Triage Queue milestone Feb 8, 2022
@rstoyanchev rstoyanchev added status: superseded An issue that has been superseded by another and removed status: waiting-for-triage An issue we've not yet triaged or decided on status: feedback-provided Feedback has been provided labels Feb 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: superseded An issue that has been superseded by another
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Support comma-delimited list of origin patterns in @CrossOrigin funky-eyes/spring-framework
5 participants
@sbrannen @rstoyanchev @spring-projects-issues @Ikki-Dai @arunsai271