[ https://issues.apache.org/jira/browse/CXF-8190?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Markus Rathgeb updated CXF-8190:
--------------------------------
Description:
If you access a locally running REST endpoint in the browser using the IP
address 127.0.0.1 and the REST endpoint implementation uses the UriInfo to
build a new URL with the URI builder (e.g. for a created resource), the reply
does not use the host as accessed (127.0.0.1) but replaces the host with "localhost".
If the web application then tries to access the location, the browser will
block that request because it is a cross-origin access.
Assume a very simple REST endpoint:
{code:java}
import java.net.URI;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ServiceScope;
// OSGi JAX-RS Whiteboard component property type
import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsResource;

@Component(service = { Resource.class }, scope = ServiceScope.PROTOTYPE)
@JaxrsResource
public class Resource {
    @POST
    @Path("create")
    @Produces(MediaType.APPLICATION_JSON)
    public Object createTest(@Context final UriInfo uriInfo) {
        // The base URI comes from UriInfo; this is where the host gets rewritten.
        final URI uri = uriInfo.getBaseUriBuilder().path("foo").path("bar").build();
        return Response.created(uri).build();
    }
}{code}
If I call the POST method of that endpoint using the URL
"[http://localhost:8080/create]", I get a created location that looks like
"[http://localhost:8080/foo/bar]".
All fine.
{noformat}
$ curl -v -X POST http://localhost:8080/create
* Trying ::1:8080...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> POST /create HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Date: Tue, 10 Dec 2019 17:41:47 GMT
< Location: http://localhost:8080/foo/bar
< Content-Length: 0
<
* Connection #0 to host localhost left intact{noformat}
But I would expect that if I access the endpoint using the IP instead of the
hostname, "[http://127.0.0.1:8080/create]", the created response's location
would look like "[http://127.0.0.1:8080/foo/bar]".
That is not the case: the response provides "[http://localhost:8080/foo/bar]".
{noformat}
curl -v -X POST http://127.0.0.1:8080/create
* Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /create HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Date: Tue, 10 Dec 2019 17:44:00 GMT
< Location: http://localhost:8080/foo/bar
< Content-Length: 0
<
* Connection #0 to host 127.0.0.1 left intact{noformat}
If the website that is accessed using 127.0.0.1 provides a location using
localhost and that one is used by the browser, the browser fails because of
CORS.
I already looked at the sources for what is causing the change from 127.0.0.1 to
localhost and found it:
After the line
[https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/UriInfoImpl.java#L83]
has been executed, the variable u looks like [http://127.0.0.1:8080/].
After that, "toAbsoluteUri" of HttpUtils is called.
That's the part of the code that replaces 127.0.0.1 with localhost:
[https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java#L388-L391]
The commit that added that part of the code is
[https://github.com/apache/cxf/commit/ebc910780b2b9b971a7c1c2e4019bdf9ec35e460#diff-1e4a62a6414e4007d2f5be9f0313c8c0R311-R314]
The git commit referenced the wrong Jira issue (2007); it should have been
https://issues.apache.org/jira/browse/CXF-5007
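The rewrite happens inside CXF, so until it is fixed an application can re-align the Location authority itself. The following ContainerResponseFilter is an added example written for this report, not code from CXF or from the reporter; it assumes a JAX-RS 2.x (javax.ws.rs) runtime and that the filter is registered alongside the resource. It deliberately only undoes the loopback spelling change, so a spoofed Host header cannot be reflected into Location.

```java
import java.io.IOException;
import java.net.URI;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.ext.Provider;

// Hypothetical application-side workaround, not CXF code: re-align the
// Location header with the Host header the client actually sent, so a
// request to 127.0.0.1:8080 never gets a Location on localhost:8080
// (a different origin under the browser's same-origin policy).
@Provider
public class LocationHostFilter implements ContainerResponseFilter {
    @Override
    public void filter(ContainerRequestContext request,
                       ContainerResponseContext response) throws IOException {
        URI location = response.getLocation();
        String hostHeader = request.getHeaderString(HttpHeaders.HOST);
        // Nothing to do for a missing/relative Location, a missing Host header,
        // or a bracketed IPv6 literal, which this simple parser does not handle.
        if (location == null || location.getHost() == null
                || hostHeader == null || hostHeader.indexOf('[') >= 0) {
            return;
        }
        String host = hostHeader;
        int port = -1; // -1 means "scheme default" for UriBuilder.port()
        int colon = hostHeader.lastIndexOf(':');
        if (colon > 0) {
            host = hostHeader.substring(0, colon);
            try {
                port = Integer.parseInt(hostHeader.substring(colon + 1));
            } catch (NumberFormatException e) {
                return; // malformed Host header: keep the Location CXF built
            }
        }
        // Never reflect an arbitrary Host header into Location (that would turn a
        // spoofed Host into a redirect elsewhere); only undo the loopback rewrite.
        if (!isLoopback(location.getHost()) || !isLoopback(host)) {
            return;
        }
        URI aligned = UriBuilder.fromUri(location).host(host).port(port).build();
        response.getHeaders().putSingle(HttpHeaders.LOCATION, aligned);
    }

    private static boolean isLoopback(String h) {
        return "localhost".equalsIgnoreCase(h) || "127.0.0.1".equals(h);
    }
}
```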
> UriBuilder / HttpUtils replaces 127.0.0.1 by localhost
> ------------------------------------------------------
>
> Key: CXF-8190
> URL: https://issues.apache.org/jira/browse/CXF-8190
> Project: CXF
> Issue Type: Bug
> Reporter: Markus Rathgeb
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)