Refactored joining of allowed headers to be more efficient

core/src/main/java/org/keycloak/util/CollectionUtil.java

@@ -0,0 +1,26 @@
+package org.keycloak.util;
+
+import java.util.Collection;
+import java.util.Iterator;
+
+/**
+ * @author <a href="mailto:jeroen.rosenberg@gmail.com">Jeroen Rosenberg</a>
+ */
+public class CollectionUtil {
+
+    public static String join(Collection<String> strings) {
+        return join(strings, ", ");
+    }
+
+    public static String join(Collection<String> strings, String separator) {
+        Iterator<String> iter = strings.iterator();
+        StringBuilder sb = new StringBuilder();
+        if(iter.hasNext()){
+            sb.append(iter.next());
+            while(iter.hasNext()){
+                sb.append(separator).append(iter.next());
+            }
+        }
+        return sb.toString();
+    }
+}

services/src/main/java/org/keycloak/services/resources/Cors.java

@@ -1,5 +1,7 @@
 package org.keycloak.services.resources;
 
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
@@ -8,6 +10,7 @@ import javax.ws.rs.core.Response.ResponseBuilder;
 
 import org.jboss.resteasy.spi.HttpRequest;
 import org.keycloak.models.ClientModel;
+import org.keycloak.util.CollectionUtil;
 
 /**
  * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@@ -17,7 +20,8 @@ public class Cors {
     public static final long DEFAULT_MAX_AGE = TimeUnit.HOURS.toSeconds(1);
     public static final String DEFAULT_ALLOW_METHODS = "GET, HEAD, OPTIONS";
 
-    public static final String ORIGIN = "Origin";
+    public static final String ORIGIN_HEADER = "Origin";
+    public static final String AUTHORIZATION_HEADER = "Authorization";
 
     public static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
     public static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
@@ -25,10 +29,11 @@ public class Cors {
     public static final String ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
     public static final String ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";
 
+
     private HttpRequest request;
     private ResponseBuilder response;
     private Set<String> allowedOrigins;
-    private String[] allowedMethods;
+    private Set<String> allowedMethods;
 
     private boolean preflight;
     private boolean auth;
@@ -60,12 +65,12 @@ public class Cors {
     }
 
     public Cors allowedMethods(String... allowedMethods) {
-        this.allowedMethods = allowedMethods;
+        this.allowedMethods = new HashSet<String>(Arrays.asList(allowedMethods));
         return this;
     }
 
     public Response build() {
-        String origin = request.getHttpHeaders().getRequestHeaders().getFirst(ORIGIN);
+        String origin = request.getHttpHeaders().getRequestHeaders().getFirst(ORIGIN_HEADER);
         if (origin == null) {
             return response.build();
         }
@@ -77,21 +82,14 @@ public class Cors {
         response.header(ACCESS_CONTROL_ALLOW_ORIGIN, origin);
 
         if (allowedMethods != null) {
-            StringBuilder sb = new StringBuilder();
+            response.header(ACCESS_CONTROL_ALLOW_METHODS, CollectionUtil.join(allowedMethods));
-            for (int i = 0; i < allowedMethods.length; i++) {
-                if (i > 0) {
-                    sb.append(", ");
-                }
-                sb.append(allowedMethods[i]);
-            }
-            response.header(ACCESS_CONTROL_ALLOW_METHODS, sb.toString());
         } else {
             response.header(ACCESS_CONTROL_ALLOW_METHODS, DEFAULT_ALLOW_METHODS);
         }
 
         response.header(ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.toString(auth));
         if (auth) {
-            response.header(ACCESS_CONTROL_ALLOW_HEADERS, "Authorization");
+            response.header(ACCESS_CONTROL_ALLOW_HEADERS, AUTHORIZATION_HEADER);
         }
 
         response.header(ACCESS_CONTROL_MAX_AGE, DEFAULT_MAX_AGE);