Markus Rathgeb created CXF-8190:
-----------------------------------

             Summary: UriBuilder / HttpUtils replace 127.0.0.1 by localhost
                 Key: CXF-8190
                 URL: https://issues.apache.org/jira/browse/CXF-8190
             Project: CXF
          Issue Type: Bug
            Reporter: Markus Rathgeb


If you access a locally running REST endpoint in the browser using the IP 
address 127.0.0.1 and the REST endpoint implementation is using the UriInfo to 
build a new URL by the URI builder (e.g. a created resource), the reply will 
not use the host as accessed (127.0.0.1) but replaces the host by "localhost".

If the web application then tries to access the location, the browsers will 
block that request because of a cross origin access.

 

Assume a very simple REST endpoint:
 
{code:java}
@Component(service = { Resource.class }, scope = ServiceScope.PROTOTYPE)
@JaxrsResource
public class Resource {
    @POST
    @Path("create")
    @Produces(MediaType.APPLICATION_JSON)
    public Object createTest(@Context final UriInfo uriInfo) {
        final URI uri = uriInfo.getBaseUriBuilder().path("foo").path("bar").build();
        return Response.created(uri).build();
    }
}
{code}

If I call the post method of that endpoint using the URL
"http://localhost:8080/create", I get a created location that looks
like "http://localhost:8080/foo/bar".
 
 All fine.
 
{noformat}
$ curl -v -X POST http://localhost:8080/create
 *   Trying ::1:8080...
 * TCP_NODELAY set
 * Connected to localhost (::1) port 8080 (#0)
 > POST /create HTTP/1.1
 > Host: localhost:8080
 > User-Agent: curl/7.67.0
 > Accept: */*
 >
 * Mark bundle as not supporting multiuse
 < HTTP/1.1 201 Created
 < Date: Tue, 10 Dec 2019 17:41:47 GMT
 < Location: http://localhost:8080/foo/bar
 < Content-Length: 0
 <
 * Connection #0 to host localhost left intact{noformat}

But, I would expect if I access the endpoint using the IP instead of
the hostname "http://127.0.0.1:8080/create", the created response's
location should look like "http://127.0.0.1:8080/foo/bar".

But that is not the case...

The response provides "http://localhost:8080/foo/bar"
 
{noformat}
curl -v -X POST http://127.0.0.1:8080/create
 *   Trying 127.0.0.1:8080...
 * TCP_NODELAY set
 * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
 > POST /create HTTP/1.1
 > Host: 127.0.0.1:8080
 > User-Agent: curl/7.67.0
 > Accept: */*
 >
 * Mark bundle as not supporting multiuse
 < HTTP/1.1 201 Created
 < Date: Tue, 10 Dec 2019 17:44:00 GMT
 < Location: http://localhost:8080/foo/bar
 < Content-Length: 0
 <
 * Connection #0 to host 127.0.0.1 left intact{noformat}

 If the website that is accessed using 127.0.0.1 provides a location
 using localhost and that one is used by the browser, the browser fails
 because of CORS.

 

I already looked at the sources to find what is causing the change from 127.0.0.1 to
localhost and found it:
 
 After the line
 
[https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/UriInfoImpl.java#L83]
 has been executed the variable u looks like
 [http://127.0.0.1:8080/]
 
 After that "toAbsoluteUri" of HttpUtils is called.
 That's the part of the code that replaces 127.0.0.1 by localhost
 
[https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java#L388-L391]
 
 The commit that added that part of code is
 
[https://github.com/apache/cxf/commit/ebc910780b2b9b971a7c1c2e4019bdf9ec35e460#diff-1e4a62a6414e4007d2f5be9f0313c8c0R311-R314]

The git commit referenced the wrong Jira (2007) - it should have been 
https://issues.apache.org/jira/browse/CXF-5007
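
The origin mismatch described in this report can be checked mechanically. The following is an added example, not part of the original report or of CXF: it parses `curl -v` output, compares the origin of the request's Host header with the origin of the returned Location header, and flags a difference. The function names, the `scheme` parameter and the shortened sample transcripts (constructed from the curl output above) are assumptions.

```javascript
// Collect request ('>') and response ('<') headers from `curl -v` text.
function parseCurlVerbose(text) {
  const headers = { request: {}, response: {} };
  for (const raw of text.split(/\r?\n/)) {
    const m = raw.trim().match(/^([<>])\s+([A-Za-z-]+):\s*(.*)$/);
    if (!m) continue; // request line, status line, '*' info lines
    const side = m[1] === '>' ? 'request' : 'response';
    headers[side][m[2].toLowerCase()] = m[3].trim();
  }
  return headers;
}

// Compare the origin the client addressed with the origin of Location.
// `scheme` is an assumption: curl -v does not echo it, so the caller supplies it.
function checkLocationOrigin(text, scheme = 'http') {
  const { request, response } = parseCurlVerbose(text);
  if (!request.host || !response.location) {
    return { ok: false, reason: 'missing Host or Location header' };
  }
  const requested = new URL(`${scheme}://${request.host}/`);
  // A relative Location resolves against the requested URL and stays same-origin.
  const location = new URL(response.location, requested);
  const sameOrigin = requested.origin === location.origin;
  return {
    ok: sameOrigin,
    requestedOrigin: requested.origin,
    locationOrigin: location.origin,
    reason: sameOrigin ? 'same origin' : 'Location points to a different origin',
  };
}

// Constructed samples, shortened from the two curl transcripts in the report.
const viaName = [
  '> POST /create HTTP/1.1',
  '> Host: localhost:8080',
  '< HTTP/1.1 201 Created',
  '< Location: http://localhost:8080/foo/bar',
].join('\n');
const viaIp = [
  '> POST /create HTTP/1.1',
  '> Host: 127.0.0.1:8080',
  '< HTTP/1.1 201 Created',
  '< Location: http://localhost:8080/foo/bar',
].join('\n');

console.log(checkLocationOrigin(viaName));
console.log(checkLocationOrigin(viaIp));
```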

 


