This is an automated email from the ASF dual-hosted git repository. grv pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
commit 510239a5f2ac8458de7f31cd4f5ea0a10e2da8f7 Author: Girish Vasmatkar <[email protected]> AuthorDate: Tue Apr 6 11:16:52 2021 +0530 Improved: Added CORS filter for the rest-api (OFBIZ-12220). Thanks Alexander Gepting for the contribution.
---
 .../apache/ofbiz/ws/rs/security/auth/APICorsFilter.java | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java b/rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java
index 958da7a..1348f3b 100644
--- a/rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java
+++ b/rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java
@@ -44,26 +44,26 @@ import org.apache.ofbiz.base.util.UtilValidate; public class APICorsFilter implements ContainerResponseFilter { // check security.properties file for 'host-headers-allowed' - private static final List<String> allowedHostHeaders = UtilMisc.getHostHeadersAllowed(); + private static final List<String> ALLOWED_HOST_HEADERS = UtilMisc.getHostHeadersAllowed(); @Override public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) throws IOException { MultivaluedMap<String, Object> responseHeaders = responseContext.getHeaders(); - if (UtilValidate.isNotEmpty(allowedHostHeaders)) { + if (UtilValidate.isNotEmpty(ALLOWED_HOST_HEADERS)) { // the list is quite short, hence return the single entry without further checks - if (allowedHostHeaders.size() < 2) { - responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, allowedHostHeaders.get(0)); + if (ALLOWED_HOST_HEADERS.size() < 2) { + responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, ALLOWED_HOST_HEADERS.get(0)); } else { // get the request origin from request context and localize it in the list String origin = requestContext.getHeaderString(CorsFilter.REQUEST_HEADER_ORIGIN); // return the origin in case it's part of the allowed hosts list - if (UtilValidate.isNotEmpty(origin) && allowedHostHeaders.contains(origin)) { + if (UtilValidate.isNotEmpty(origin) && ALLOWED_HOST_HEADERS.contains(origin)) { responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, origin); } else { // pick up the first one from the allowed hosts list in case the request origin is not listed there - responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, allowedHostHeaders.get(0)); + responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, ALLOWED_HOST_HEADERS.get(0)); } } } 
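Review bot: In the multi-host branch the `Access-Control-Allow-Origin` value written by `responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, origin)` depends on the request's Origin header, but the response never sets `Vary: Origin`, so an intermediate or shared cache may hand one origin's allow-origin value to a request from a different origin. Adding `responseHeaders.add(HttpHeaders.VARY, CorsFilter.REQUEST_HEADER_ORIGIN);` once after the allow-origin logic (the single-host path is constant, so it is harmless there) keeps cache keys aligned with the per-origin decision. The fallback that emits `ALLOWED_HOST_HEADERS.get(0)` for an unlisted origin is not a reflection of request input and will be rejected by the browser, but a short comment saying that is the intended "deny" signal would help the next reader, e.g. `// unlisted origin: answer with a configured host so the browser's origin check fails`. The body of filter() continues past the end of this hunk.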
@@ -72,10 +72,7 @@ public class APICorsFilter implements ContainerResponseFilter { responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS, true); // publish supported request header field names - responseHeaders.addAll(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS, - HttpHeaders.CONTENT_TYPE, - HttpHeaders.AUTHORIZATION - ); + responseHeaders.addAll(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS, HttpHeaders.CONTENT_TYPE, HttpHeaders.AUTHORIZATION); // inform about all the supported methods. Itemize these due to the lack of support for the wildcard (*) // in few browsers, e.g. in 'Safari' resp. 'FF for Android'

