Repository: cxf
Updated Branches:
  refs/heads/2.7.x-fixes 292ab8fba -> 235393d64


Using the request Origin even if allowAllOrigins is set when allowCredentials is enabled


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/235393d6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/235393d6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/235393d6

Branch: refs/heads/2.7.x-fixes
Commit: 235393d64083e1c4c02ac8f1961010bd9d82187f
Parents: 292ab8f
Author: Sergey Beryozkin <[email protected]>
Authored: Tue Jun 9 11:43:58 2015 +0100
Committer: Sergey Beryozkin <[email protected]>
Committed: Tue Jun 9 12:08:19 2015 +0100

----------------------------------------------------------------------
 .../cors/CrossOriginResourceSharingFilter.java  | 44 +++++++++-----------
 .../jaxrs/cors/CrossOriginSimpleTest.java       | 30 +++++++++++++
 .../jaxrs/cors/UnannotatedCorsServer.java       | 15 +++++++
 3 files changed, 65 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/235393d6/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
----------------------------------------------------------------------
diff --git 
a/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
 
b/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
index 21cfae8..d624efa 100644
--- 
a/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
+++ 
b/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
@@ -113,28 +113,19 @@ public class CrossOriginResourceSharingFilter implements 
RequestHandler, Respons
     }
 
     private Response simpleRequest(Message m, CrossOriginResourceSharing ann) {
-        List<String> values = 
getHeaderValues(CorsHeaderConstants.HEADER_ORIGIN, true);
+        List<String> headerOriginValues = 
getHeaderValues(CorsHeaderConstants.HEADER_ORIGIN, true);
         // 5.1.1 there has to be an origin
-        if (values == null || values.size() == 0) {
+        if (headerOriginValues == null || headerOriginValues.size() == 0) {
             return null;
         }
         
         // 5.1.2 check all the origins
-        if (!effectiveAllowOrigins(ann, values)) {
+        if (!effectiveAllowOrigins(ann, headerOriginValues)) {
             return null;
         }
         
-        String originResponse;
-        // 5.1.3 credentials lives in the output filter
-        // in any case
-        if (effectiveAllowAllOrigins(ann)) {
-            originResponse = "*";
-        } else {
-            originResponse = concatValues(values, true);
-        }
-
         // handle 5.1.3
-        commonRequestProcessing(m, ann, originResponse);
+        setAllowOriginAndCredentials(m, ann, headerOriginValues);
         
         // 5.1.4
         List<String> effectiveExposeHeaders = effectiveExposeHeaders(ann);
@@ -230,13 +221,6 @@ public class CrossOriginResourceSharingFilter implements 
RequestHandler, Respons
             return createPreflightResponse(m, false);
         }
 
-        // 5.2.7: add allow credentials and allow-origin as required: this 
lives in the Output filter
-        String originResponse;
-        if (effectiveAllowAllOrigins(ann)) {
-            originResponse = "*";
-        } else {
-            originResponse = origin;
-        }
         // 5.2.9 add allow-methods; we pass them from here to the output 
filter which actually adds them.
         m.getExchange().put(CorsHeaderConstants.HEADER_AC_ALLOW_METHODS, 
Arrays.asList(requestMethod));
         
@@ -249,7 +233,7 @@ public class CrossOriginResourceSharingFilter implements 
RequestHandler, Respons
         }
 
         // 5.2.7 is in here.
-        commonRequestProcessing(m, ann, originResponse);
+        setAllowOriginAndCredentials(m, ann, headerOriginValues);
 
         return createPreflightResponse(m, true);
     }
@@ -314,10 +298,22 @@ public class CrossOriginResourceSharingFilter implements 
RequestHandler, Respons
         }
     }
     
-    private void commonRequestProcessing(Message m, CrossOriginResourceSharing 
ann, String origin) {
+    private void setAllowOriginAndCredentials(Message m, 
+                                              CrossOriginResourceSharing ann,
+                                              List<String> headerOriginValues) 
{
+     
+        boolean allowCreds = effectiveAllowCredentials(ann);
+        m.getExchange().put(CorsHeaderConstants.HEADER_AC_ALLOW_CREDENTIALS, 
allowCreds);
+        
+        String originResponse;
+        if (!allowCreds && effectiveAllowAllOrigins(ann)) {
+            originResponse = "*";
+        } else {
+            originResponse = concatValues(headerOriginValues, true);
+        }
+        
+        m.getExchange().put(CorsHeaderConstants.HEADER_ORIGIN, originResponse);
         
-        m.getExchange().put(CorsHeaderConstants.HEADER_ORIGIN, origin);
-        m.getExchange().put(CorsHeaderConstants.HEADER_AC_ALLOW_CREDENTIALS, 
effectiveAllowCredentials(ann));
     }
 
     public Response handleResponse(Message m, OperationResourceInfo ori, 
Response response) {
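Review bot: The new branch in setAllowOriginAndCredentials quietly changes what allowAllOrigins means once credentials are allowed — the request's Origin is reflected back for every origin — and nothing in the method says so. A comment on the `if (!allowCreds && effectiveAllowAllOrigins(ann))` line would help, e.g. `// Browsers reject "*" combined with Access-Control-Allow-Credentials: true, so reflect the request Origin instead; with allowAllOrigins this reflects any origin, so an explicit origin list is the safer configuration when credentials are enabled.` Because the Allow-Origin value now varies with the request when credentials are on, the response should also carry `Vary: Origin` unless the output filter already adds it (not visible in this hunk). The whitespace-only line after the signature (`+     `) should be dropped, and the `5.1.3`/`5.2.7` comments deleted in the simpleRequest and preflight hunks above could be replaced by a Javadoc on this method, which is now the only place that decides between `*` and the echoed origin.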

http://git-wip-us.apache.org/repos/asf/cxf/blob/235393d6/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
----------------------------------------------------------------------
diff --git 
a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
 
b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
index 81c9a23..63b4049 100644
--- 
a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
+++ 
b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
@@ -19,6 +19,7 @@
 
 package org.apache.cxf.systest.jaxrs.cors;
 
+import java.io.Closeable;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -393,6 +394,35 @@ public class CrossOriginSimpleTest extends 
AbstractBusClientServerTestBase {
     }
     
     @Test
+    public void testAnnotatedMethodPreflight2() throws Exception {
+        configureAllowOrigins(true, null);
+        String r = configClient.replacePath("/setAllowCredentials/false")
+            .accept("text/plain").post(null, String.class);
+        assertEquals("ok", r);
+        HttpClient httpclient = new DefaultHttpClient();
+        HttpOptions http = new HttpOptions("http://localhost:"; + PORT + 
"/untest/annotatedPut2");
+        // this is the origin we expect to get.
+        http.addHeader("Origin", "http://area51.mil:31415";);
+        http.addHeader(CorsHeaderConstants.HEADER_AC_REQUEST_METHOD, "PUT");
+        http.addHeader(CorsHeaderConstants.HEADER_AC_REQUEST_HEADERS, 
"X-custom-1, x-custom-2");
+        HttpResponse response = httpclient.execute(http);
+        assertEquals(200, response.getStatusLine().getStatusCode());
+        assertOriginResponse(false, new String[]{"http://area51.mil:31415"}, 
true, response);
+        assertAllowCredentials(response, true);
+        List<String> exposeHeadersValues 
+            = 
headerValues(response.getHeaders(CorsHeaderConstants.HEADER_AC_EXPOSE_HEADERS));
+        // preflight never returns Expose-Headers
+        assertEquals(Collections.emptyList(), exposeHeadersValues);
+        List<String> allowHeadersValues 
+            = 
headerValues(response.getHeaders(CorsHeaderConstants.HEADER_AC_ALLOW_HEADERS));
+        assertEquals(Arrays.asList(new String[] {"X-custom-1", "x-custom-2" 
}), allowHeadersValues);
+        if (httpclient instanceof Closeable) {
+            ((Closeable)httpclient).close();
+        }
+
+    }
+    
+    @Test
     public void testAnnotatedClassCorrectOrigin() throws Exception {
         HttpClient httpclient = new DefaultHttpClient();
         HttpGet httpget = new HttpGet("http://localhost:"; + PORT + 
"/antest/simpleGet/HelloThere");
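Review bot: testAnnotatedMethodPreflight2 closes the HttpClient only on the success path; any assertEquals that fails before the `instanceof Closeable` check leaks the client, so the request and assertions should sit inside `try { ... } finally { if (httpclient instanceof Closeable) { ((Closeable) httpclient).close(); } }`. The method name also hides what the test covers — a name such as `testAnnotatedMethodPreflightAllOriginsWithCredentials`, or a one-line comment saying it exercises allowAllOrigins together with allowCredentials and expects the request Origin rather than `*`, would make the regression it guards obvious. The neighbouring testAnnotatedClassCorrectOrigin follows the same close-on-success pattern but is outside this change.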

http://git-wip-us.apache.org/repos/asf/cxf/blob/235393d6/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
----------------------------------------------------------------------
diff --git 
a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
 
b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
index 94b4764..102ea1e 100644
--- 
a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
+++ 
b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
@@ -77,4 +77,19 @@ public class UnannotatedCorsServer {
     public String annotatedPut(String input) {
         return input;
     }
+    
+    @PUT
+    @Consumes("text/plain")
+    @Produces("text/plain")
+    @Path("/annotatedPut2")
+    @CrossOriginResourceSharing(
+        allowAllOrigins = true, 
+        allowCredentials = true, 
+        maxAge = 1, 
+        allowHeaders = { "X-custom-1", "X-custom-2" },
+        exposeHeaders = {"X-custom-3", "X-custom-4" }
+    )
+    public String annotatedPut2(String input) {
+        return input;
+    }
 }
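Review bot: annotatedPut2 differs from annotatedPut only by its annotation values and nothing says why a second resource method is needed; a comment above the `@PUT` would help, e.g. `// Fixture for allowAllOrigins together with allowCredentials: the filter must answer with the request Origin, not "*".` It is a test fixture, so this is documentation only.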
