This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch CXF-8133
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 138b3e3a722e8f0f6744901181c7891bb3b3fb73
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri Oct 18 14:53:29 2019 +0100

    CXF-8133 - Disable JAX-RS HTTP method overriding by default
---
 .../apache/cxf/jaxrs/impl/RequestPreprocessor.java | 25 +++++++++++++++-------
 .../cxf/jaxrs/impl/RequestPreprocessorTest.java    | 14 ++++++++++++
 .../jaxrs/JAXRSClientServerSpringBookTest.java     | 23 --------------------
 3 files changed, 31 insertions(+), 31 deletions(-)

diff --git 
a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/RequestPreprocessor.java
 
b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/RequestPreprocessor.java
index 3061e8d..6d52c85 100644
--- 
a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/RequestPreprocessor.java
+++ 
b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/RequestPreprocessor.java
@@ -33,9 +33,16 @@ import javax.ws.rs.core.UriInfo;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.utils.HttpUtils;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
 
 public class RequestPreprocessor {
 
+    /**
+     * Whether to allow the client to override the HTTP method via either 
METHOD_QUERY or METHOD_HEADER.
+     * The default is false.
+     */
+    private static final String ALLOW_HTTP_METHOD_OVERRIDE = 
"org.apache.cxf.jaxrs.allow.http.method.override";
+
     private static final String ACCEPT_QUERY = "_type";
     private static final String CTYPE_QUERY = "_ctype";
     private static final String METHOD_QUERY = "_method";
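Review bot: The Javadoc on ALLOW_HTTP_METHOD_OVERRIDE states the default but not why it is off, which is the thing a deployer flipping it on needs to know. I would expand it to something like `Whether to allow the client to override the HTTP method via the METHOD_QUERY query parameter or the METHOD_HEADER request header. Disabled by default: when enabled, a request that reaches the service as a safe, cacheable GET (e.g. a crafted link) can be treated as PUT/DELETE, so only enable it for endpoints that are already protected by authentication and CSRF defences.` The constant is private, so the tests have to repeat the literal property name (the `m.put("org.apache.cxf.jaxrs.allow.http.method.override", true)` lines); making it package-private or public would let them reference it and would also give users a documented symbol to set.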
@@ -156,15 +163,17 @@ public class RequestPreprocessor {
     private void handleMethod(Message m,
                               MultivaluedMap<String, String> queries,
                               HttpHeaders headers) {
-        String method = queries.getFirst(METHOD_QUERY);
-        if (method == null) {
-            List<String> list = headers.getRequestHeader(METHOD_HEADER);
-            if (list != null && list.size() == 1) {
-                method = list.get(0);
+        if (MessageUtils.getContextualBoolean(m, ALLOW_HTTP_METHOD_OVERRIDE, 
false)) {
+            String method = queries.getFirst(METHOD_QUERY);
+            if (method == null) {
+                List<String> list = headers.getRequestHeader(METHOD_HEADER);
+                if (list != null && list.size() == 1) {
+                    method = list.get(0);
+                }
+            }
+            if (method != null) {
+                m.put(Message.HTTP_REQUEST_METHOD, method);
             }
-        }
-        if (method != null) {
-            m.put(Message.HTTP_REQUEST_METHOD, method);
         }
     }
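Review bot: When the override is enabled, handleMethod still honours `_method`/the override header for any incoming method, so a GET with `?_method=DELETE` is promoted to DELETE even though caches, browsers and link-following tools treat GET as safe; the conventional semantics of X-HTTP-Method-Override only apply to POST. The test at line 89 suggests the message already carries the original method in Message.HTTP_REQUEST_METHOD before this runs, so the gate could be tightened to `if (MessageUtils.getContextualBoolean(m, ALLOW_HTTP_METHOD_OVERRIDE, false) && "POST".equals(m.get(Message.HTTP_REQUEST_METHOD))) {` (please confirm the property is populated by the transport at this point). The override value is also stored unvalidated; a comment such as `// value is client-controlled: it is only used for JAX-RS method matching, so an unknown token simply fails to match` would document why that is acceptable, or an allow-list of GET/HEAD/PUT/DELETE/PATCH could be enforced. The whole of handleMethod is visible in this hunk.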
 
diff --git 
a/rt/frontend/jaxrs/src/test/java/org/apache/cxf/jaxrs/impl/RequestPreprocessorTest.java
 
b/rt/frontend/jaxrs/src/test/java/org/apache/cxf/jaxrs/impl/RequestPreprocessorTest.java
index 69c073d..3ef3c6c 100644
--- 
a/rt/frontend/jaxrs/src/test/java/org/apache/cxf/jaxrs/impl/RequestPreprocessorTest.java
+++ 
b/rt/frontend/jaxrs/src/test/java/org/apache/cxf/jaxrs/impl/RequestPreprocessorTest.java
@@ -57,6 +57,13 @@ public class RequestPreprocessorTest {
     public void testMethodQuery() {
         Message m = mockMessage("http://localhost:8080";, "/bar", 
"_method=GET", "POST");
         RequestPreprocessor sqh = new RequestPreprocessor();
+
+        // By default it should ignore _method
+        sqh.preprocess(m, new UriInfoImpl(m, null));
+        assertEquals("POST", m.get(Message.HTTP_REQUEST_METHOD));
+
+        // Now allow HTTP method overriding
+        m.put("org.apache.cxf.jaxrs.allow.http.method.override", true);
         sqh.preprocess(m, new UriInfoImpl(m, null));
         assertEquals("GET", m.get(Message.HTTP_REQUEST_METHOD));
     }
@@ -65,6 +72,13 @@ public class RequestPreprocessorTest {
     public void testMethodOverride() {
         Message m = mockMessage("http://localhost:8080";, "/bar", "bar", 
"POST", "GET");
         RequestPreprocessor sqh = new RequestPreprocessor();
+
+        // By default it should ignore the HTTP header
+        sqh.preprocess(m, new UriInfoImpl(m, null));
+        assertEquals("POST", m.get(Message.HTTP_REQUEST_METHOD));
+
+        // Now allow HTTP method overriding
+        m.put("org.apache.cxf.jaxrs.allow.http.method.override", true);
         sqh.preprocess(m, new UriInfoImpl(m, null));
         assertEquals("GET", m.get(Message.HTTP_REQUEST_METHOD));
     }
diff --git 
a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/JAXRSClientServerSpringBookTest.java
 
b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/JAXRSClientServerSpringBookTest.java
index c08a6e6..21110ff 100644
--- 
a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/JAXRSClientServerSpringBookTest.java
+++ 
b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/JAXRSClientServerSpringBookTest.java
@@ -768,15 +768,8 @@ public class JAXRSClientServerSpringBookTest extends 
AbstractBusClientServerTest
     }
 
     private void getBookAegis(String endpointAddress, String type) throws 
Exception {
-        getBookAegis(endpointAddress, type, null);
-    }
-
-    private void getBookAegis(String endpointAddress, String type, String 
mHeader) throws Exception {
         WebClient client = WebClient.create(endpointAddress,
             Collections.singletonList(new AegisElementProvider<Object>()));
-        if (mHeader != null) {
-            client = client.header("X-HTTP-Method-Override", mHeader);
-        }
         Book book = client.accept(type).get(Book.class);
 
         assertEquals(124L, book.getId());
@@ -843,22 +836,6 @@ public class JAXRSClientServerSpringBookTest extends 
AbstractBusClientServerTest
     }
 
     @Test
-    public void testRetrieveBookAegis1() throws Exception {
-
-        String endpointAddress =
-            "http://localhost:"; + PORT + 
"/the/thebooks4/bookstore/books/aegis/retrieve?_method=RETRIEVE";
-        getBookAegis(endpointAddress, "application/xml");
-    }
-
-    @Test
-    public void testRetrieveBookAegis2() throws Exception {
-
-        String endpointAddress =
-            "http://localhost:"; + PORT + 
"/the/thebooks4/bookstore/books/aegis/retrieve";
-        getBookAegis(endpointAddress, "application/xml", "RETRIEVE");
-    }
-
-    @Test
     public void testRetrieveGetBookAegis() throws Exception {
 
         String endpointAddress =
