Support comma-delimited list of origin patterns in @CrossOrigin

spring-beans/src/main/java/org/springframework/beans/factory/config/EmbeddedValueResolver.java

@@ -16,6 +16,8 @@
 
 package org.springframework.beans.factory.config;
 
+import java.util.Arrays;
+
 import org.springframework.lang.Nullable;
 import org.springframework.util.StringValueResolver;
 
@@ -29,6 +31,7 @@
  * with no scope specified for any contextual objects to access.
  *
  * @author Juergen Hoeller
+ * @author Chen Jianbin
  * @since 4.3
  * @see ConfigurableBeanFactory#resolveEmbeddedValue(String)
  * @see ConfigurableBeanFactory#getBeanExpressionResolver()
@@ -54,7 +57,15 @@ public String resolveStringValue(String strVal) {
 		String value = this.exprContext.getBeanFactory().resolveEmbeddedValue(strVal);
 		if (this.exprResolver != null && value != null) {
 			Object evaluated = this.exprResolver.evaluate(value, this.exprContext);
-			value = (evaluated != null ? evaluated.toString() : null);
+			if (evaluated != null) {
+				if (evaluated instanceof String[]) {
+					String str = Arrays.toString((String[])evaluated);
+					value = str.substring(1, str.length() - 1);
+				}
+				else {
+					value = evaluated.toString();
+				}
+			}
 		}
 		return value;
 	}

spring-context/src/main/java/org/springframework/context/EmbeddedValueResolverAware.java

@@ -16,6 +16,9 @@
 
 package org.springframework.context;
 
+import java.util.Arrays;
+import java.util.Set;
+
 import org.springframework.beans.factory.Aware;
 import org.springframework.util.StringValueResolver;
 
@@ -28,6 +31,7 @@
  *
  * @author Juergen Hoeller
  * @author Chris Beams
+ * @author Jianbin Chen
  * @since 3.0.3
  * @see org.springframework.beans.factory.config.ConfigurableBeanFactory#resolveEmbeddedValue(String)
  * @see org.springframework.beans.factory.config.ConfigurableBeanFactory#getBeanExpressionResolver()
@@ -40,4 +44,36 @@ public interface EmbeddedValueResolverAware extends Aware {
 	 */
 	void setEmbeddedValueResolver(StringValueResolver resolver);
 
+	/**
+	 * resolve Origin Or Pattern Value.
+	 * @param origin origin
+	 * @param origins origins
+	 */
+	default void resolveOriginOrPatternValue(String origin, Set<String> origins) {
+		int bracketIndex = origin.indexOf("[");
+		int commaIndex = origin.indexOf(",");
+		int lastIndex = origin.lastIndexOf(",");
+		if (lastIndex != commaIndex) {
+			if (bracketIndex < commaIndex) {
+				int index = origin.indexOf("]");
+				origins.add(origin.substring(0, ++index));
+				origin = origin.substring(++index);
+			}
+			else {
+				int index = origin.indexOf(",");
+				String value = origin.substring(0, ++index);
+				origins.add(value.substring(0, value.length() - 1));
+				origin = origin.substring(origin.indexOf(",") + 1);
+			}
+			resolveOriginOrPatternValue(origin, origins);
+		}
+		else {
+			if (bracketIndex == -1) {
+				origins.addAll(Arrays.asList(origin.split(",")));
+			}
+			else {
+				origins.add(origin);
+			}
+		}
+	}
 }

spring-webflux/src/main/java/org/springframework/web/reactive/result/method/annotation/RequestMappingHandlerMapping.java

@@ -20,8 +20,10 @@
 import java.lang.reflect.Method;
 import java.lang.reflect.Parameter;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.Set;
 import java.util.function.Predicate;
 
 import org.springframework.context.EmbeddedValueResolverAware;
@@ -54,6 +56,7 @@
  *
  * @author Rossen Stoyanchev
  * @author Sam Brannen
+ * @author Chen Jianbin
  * @since 5.0
  */
 public class RequestMappingHandlerMapping extends RequestMappingInfoHandlerMapping
@@ -313,10 +316,18 @@ private void updateCorsConfig(CorsConfiguration config, @Nullable CrossOrigin an
 			return;
 		}
 		for (String origin : annotation.origins()) {
-			config.addAllowedOrigin(resolveCorsAnnotationValue(origin));
+			Set<String> origins = new HashSet<>();
+			resolveOriginOrPatternValue(resolveCorsAnnotationValue(origin), origins);
+			for (String org : origins) {
+				config.addAllowedOrigin(org);
+			}
 		}
-		for (String patterns : annotation.originPatterns()) {
-			config.addAllowedOriginPattern(resolveCorsAnnotationValue(patterns));
+		for (String pattern : annotation.originPatterns()) {
+			Set<String> patterns = new HashSet<>();
+			resolveOriginOrPatternValue(resolveCorsAnnotationValue(pattern), patterns);
+			for (String pat : patterns) {
+				config.addAllowedOriginPattern(pat);
+			}
 		}
 		for (RequestMethod method : annotation.methods()) {
 			config.addAllowedMethod(method.name());

spring-webflux/src/test/java/org/springframework/web/reactive/result/method/annotation/CrossOriginAnnotationIntegrationTests.java

@@ -50,6 +50,7 @@
  * @author Sebastien Deleuze
  * @author Rossen Stoyanchev
  * @author Sam Brannen
+ * @author Chen Jianbin
  */
 class CrossOriginAnnotationIntegrationTests extends AbstractRequestMappingIntegrationTests {
 
@@ -67,8 +68,8 @@ protected ApplicationContext initApplicationContext() {
 		AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext();
 		context.register(WebConfig.class);
 		Properties props = new Properties();
-		props.setProperty("myOrigin", "https://site1.com");
-		props.setProperty("myOriginPattern", "https://*.com");
+		props.setProperty("myOrigin", "https://site1.com,https://site2.com");
+		props.setProperty("myOriginPattern", "https://*.com,https://*.cn,https://*.cn:8088,https://*.com:[8089,8088]");
 		context.getEnvironment().getPropertySources().addFirst(new PropertiesPropertySource("ps", props));
 		context.register(PropertySourcesPlaceholderConfigurer.class);
 		context.refresh();
@@ -205,6 +206,12 @@ void customOriginDefinedViaPlaceholder(HttpServer httpServer) throws Exception {
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
 		assertThat(entity.getHeaders().getAccessControlAllowOrigin()).isEqualTo("https://site1.com");
 		assertThat(entity.getBody()).isEqualTo("placeholder");
+		HttpHeaders httpHeaders = new HttpHeaders();
+		httpHeaders.setOrigin("https://site2.com");
+		ResponseEntity<String> entity2 = performGet("/origin-placeholder", httpHeaders, String.class);
+		assertThat(entity2.getStatusCode()).isEqualTo(HttpStatus.OK);
+		assertThat(entity2.getHeaders().getAccessControlAllowOrigin()).isEqualTo("https://site2.com");
+		assertThat(entity2.getBody()).isEqualTo("placeholder");
 	}
 
 	@ParameterizedHttpServerTest
@@ -225,6 +232,17 @@ void customOriginPatternDefinedViaPlaceholder(HttpServer httpServer) throws Exce
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
 		assertThat(entity.getHeaders().getAccessControlAllowOrigin()).isEqualTo("https://site1.com");
 		assertThat(entity.getBody()).isEqualTo("pattern-placeholder");
+		HttpHeaders httpHeaders = new HttpHeaders();
+		httpHeaders.setOrigin("https://site1.cn");
+		ResponseEntity<String> entity2 = performGet("/origin-pattern-placeholder", httpHeaders, String.class);
+		assertThat(entity2.getStatusCode()).isEqualTo(HttpStatus.OK);
+		assertThat(entity2.getHeaders().getAccessControlAllowOrigin()).isEqualTo("https://site1.cn");
+		assertThat(entity2.getBody()).isEqualTo("pattern-placeholder");
+		httpHeaders.setOrigin("https://site1.com:8089");
+		ResponseEntity<String> entity3 = performGet("/origin-pattern-placeholder", httpHeaders, String.class);
+		assertThat(entity3.getStatusCode()).isEqualTo(HttpStatus.OK);
+		assertThat(entity3.getHeaders().getAccessControlAllowOrigin()).isEqualTo("https://site1.com:8089");
+		assertThat(entity3.getBody()).isEqualTo("pattern-placeholder");
 	}
 
 	@ParameterizedHttpServerTest

spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java

@@ -20,9 +20,11 @@
 import java.lang.reflect.Method;
 import java.lang.reflect.Parameter;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.function.Predicate;
 
 import jakarta.servlet.http.HttpServletRequest;
@@ -71,6 +73,7 @@
  * @author Arjen Poutsma
  * @author Rossen Stoyanchev
  * @author Sam Brannen
+ * @author Chen Jianbin
  * @since 3.1
  */
 public class RequestMappingHandlerMapping extends RequestMappingInfoHandlerMapping
@@ -473,10 +476,18 @@ private void updateCorsConfig(CorsConfiguration config, @Nullable CrossOrigin an
 			return;
 		}
 		for (String origin : annotation.origins()) {
-			config.addAllowedOrigin(resolveCorsAnnotationValue(origin));
+			Set<String> origins = new HashSet<>();
+			resolveOriginOrPatternValue(resolveCorsAnnotationValue(origin), origins);
+			for (String org : origins) {
+				config.addAllowedOrigin(org);
+			}
 		}
-		for (String patterns : annotation.originPatterns()) {
-			config.addAllowedOriginPattern(resolveCorsAnnotationValue(patterns));
+		for (String pattern : annotation.originPatterns()) {
+			Set<String> patterns = new HashSet<>();
+			resolveOriginOrPatternValue(resolveCorsAnnotationValue(pattern), patterns);
+			for (String pat : patterns) {
+				config.addAllowedOriginPattern(pat);
+			}
 		}
 		for (RequestMethod method : annotation.methods()) {
 			config.addAllowedMethod(method.name());

spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/CrossOriginTests.java

@@ -22,6 +22,7 @@
 import java.lang.annotation.Target;
 import java.lang.reflect.Method;
 import java.util.Collections;
+import java.util.Objects;
 import java.util.Properties;
 import java.util.stream.Stream;
 
@@ -64,15 +65,16 @@
  * @author Sam Brannen
  * @author Nicolas Labrot
  * @author Rossen Stoyanchev
+ * @author Chen Jianbin
  */
 class CrossOriginTests {
 
 	@SuppressWarnings("unused")
 	static Stream<TestRequestMappingInfoHandlerMapping> pathPatternsArguments() {
 		StaticWebApplicationContext wac = new StaticWebApplicationContext();
 		Properties props = new Properties();
-		props.setProperty("myOrigin", "https://example.com");
-		props.setProperty("myDomainPattern", "http://*.example.com");
+		props.setProperty("myOrigin", "https://example.com,https://example.cn");
+		props.setProperty("myDomainPattern", "http://*.example.com,http://*.example.cn");
 		wac.getEnvironment().getPropertySources().addFirst(new PropertiesPropertySource("ps", props));
 		wac.registerSingleton("ppc", PropertySourcesPlaceholderConfigurer.class);
 		wac.refresh();
@@ -194,7 +196,8 @@ void customOriginDefinedViaPlaceholder(TestRequestMappingInfoHandlerMapping mapp
 		HandlerExecutionChain chain = mapping.getHandler(request);
 		CorsConfiguration config = getCorsConfiguration(chain, false);
 		assertThat(config).isNotNull();
-		assertThat(config.getAllowedOrigins()).isEqualTo(Collections.singletonList("https://example.com"));
+		assertThat(Objects.requireNonNull(config.getAllowedOrigins()).size()).isEqualTo(2);
+		assertThat(config.getAllowedOrigins().contains("https://example.com"));
 		assertThat(config.getAllowCredentials()).isNull();
 	}
 
@@ -218,7 +221,20 @@ public void customOriginPatternViaPlaceholder(TestRequestMappingInfoHandlerMappi
 		CorsConfiguration config = getCorsConfiguration(chain, false);
 		assertThat(config).isNotNull();
 		assertThat(config.getAllowedOrigins()).isNull();
-		assertThat(config.getAllowedOriginPatterns()).isEqualTo(Collections.singletonList("http://*.example.com"));
+		assertThat(config.getAllowedOriginPatterns().size()).isEqualTo(2);
+		assertThat(config.getAllowedOriginPatterns().contains("http://*.example.com")).isTrue();
+		assertThat(config.getAllowCredentials()).isNull();
+	}
+
+	@PathPatternsParameterizedTest
+	public void customMultiOriginPatternViaPlaceholder(TestRequestMappingInfoHandlerMapping mapping) throws Exception {
+		mapping.registerHandler(new MethodLevelController());
+		this.request.setRequestURI("/customMultiOriginPatternPlaceholder");
+		HandlerExecutionChain chain = mapping.getHandler(request);
+		CorsConfiguration config = getCorsConfiguration(chain, false);
+		assertThat(config).isNotNull();
+		assertThat(config.getAllowedOrigins()).isNull();
+		assertThat(config.getAllowedOriginPatterns().size()).isEqualTo(4);
 		assertThat(config.getAllowCredentials()).isNull();
 	}
 
@@ -477,8 +493,16 @@ public void customOriginPatternDefinedViaValueAttribute() {
 		@RequestMapping("/customOriginPatternPlaceholder")
 		public void customOriginPatternDefinedViaPlaceholder() {
 		}
-	}
 
+		@CrossOrigin(
+			originPatterns = {
+				"http://*.example.net,http://*.example.com:[8088,8089]",
+				"#{'${myDomainPattern}'.split(',')}"
+			})
+		@RequestMapping("/customMultiOriginPatternPlaceholder")
+		public void customMultiOriginPatternDefinedViaPlaceholder() {
+		}
+	}
 
 	@Controller
 	@SuppressWarnings("unused")