[
https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491846#comment-13491846
]
Sergey Beryozkin commented on CXF-4615:
---------------------------------------
OK, that explains it.
Please try CORS filter and see how it works for you (list it before OAuth one).
IMHO using the filter may be a better option, it is expected to be CORS spec
compliant, can be configured to manage preflights and is more effective in the
case of OPTIONS. At the moment, what happens after the OAuth filter passes
OPTIONS through, the runtime will try to find the resource method supporting
OPTIONS, and because it is not there, it will attempt to build "Allow" headers
from the internal info, and will return, and in fact this 'Allow' won't be of
use because Access-Control-Allow-Methods is expected instead.
> OAuthRequestFilter.java should ignore HTTP OPTIONS verb
> -------------------------------------------------------
>
> Key: CXF-4615
> URL: https://issues.apache.org/jira/browse/CXF-4615
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.6.2, 2.7.0
> Reporter: Steven Tippetts
> Priority: Critical
>
> In handleRequest of OAuthRequestFilter.java at line 54 something similar to
> the following should be added:
> if (((String)m.get(Message.HTTP_REQUEST_METHOD)).equals("OPTIONS")) return
> null;
> This will skip any HTTP OPTIONS verb requests. I'm getting the OPTIONS verb
> request when using an OAuth 2 javascript client.
> I haven't found a way in the configuration to specify that OPTIONS requests
> should skip this filter.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
