[
https://issues.apache.org/jira/browse/CXF-8190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17012586#comment-17012586
]
Markus Rathgeb commented on CXF-8190:
-------------------------------------
I realized now that there is a property
({{replace.loopback.address.with.localhost}}) that can perhaps be used to
prevent the replacement:
[https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java#L421-L424]
Can you tell me how I set this contextual property in an OSGi environment, then
I will check if this already solves it for me.
But I still wonder why it is "true" by default?
I don't think the host should be changed if not explicitly stated.
> UriBuilder / HttpUtils replaces 127.0.0.1 by localhost
> ------------------------------------------------------
>
> Key: CXF-8190
> URL: https://issues.apache.org/jira/browse/CXF-8190
> Project: CXF
> Issue Type: Bug
> Reporter: Markus Rathgeb
> Priority: Major
>
> If you access a locally running REST endpoint in the browser using the IP
> address 127.0.0.1 and the REST endpoint implementation is using the UriInfo
> to build a new URL by the URI builder (e.g. a created resource), the reply
> will not use the host as accessed (127.0.0.1) but replaces the host by
> "localhost".
> If the web application then tries to access the location, the browsers will
> block that request because of a cross origin access.
>
> Assume a very simple REST endpoint:
> {code:java}
> @Component(service = { Resource.class }, scope = ServiceScope.PROTOTYPE)
> @JaxrsResource
> public class Resource {
>     @POST
>     @Path("create")
>     @Produces(MediaType.APPLICATION_JSON)
>     public Object createTest(@Context final UriInfo uriInfo) {
>         final URI uri =
>             uriInfo.getBaseUriBuilder().path("foo").path("bar").build();
>         return Response.created(uri).build();
>     }
> }
> {code}
> If I call the post method of that endpoint using the URL
> "[http://localhost:8080/create]" I get a created location that looks like
> "[http://localhost:8080/foo/bar]".
> All fine.
> {noformat}
> $ curl -v -X POST http://localhost:8080/create
> * Trying ::1:8080...
> * TCP_NODELAY set
> * Connected to localhost (::1) port 8080 (#0)
> > POST /create HTTP/1.1
> > Host: localhost:8080
> > User-Agent: curl/7.67.0
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 201 Created
> < Date: Tue, 10 Dec 2019 17:41:47 GMT
> < Location: http://localhost:8080/foo/bar
> < Content-Length: 0
> <
> * Connection #0 to host localhost left intact{noformat}
> But, I would expect if I access the endpoint using the IP instead of the
> hostname "[http://127.0.0.1:8080/create]" the created response's location
> should look like "[http://127.0.0.1:8080/foo/bar]".
> But that is not the case...
> The response provides "[http://localhost:8080/foo/bar]"
> {noformat}
> curl -v -X POST http://127.0.0.1:8080/create
> * Trying 127.0.0.1:8080...
> * TCP_NODELAY set
> * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> > POST /create HTTP/1.1
> > Host: 127.0.0.1:8080
> > User-Agent: curl/7.67.0
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 201 Created
> < Date: Tue, 10 Dec 2019 17:44:00 GMT
> < Location: http://localhost:8080/foo/bar
> < Content-Length: 0
> <
> * Connection #0 to host 127.0.0.1 left intact{noformat}
> If the website that is accessed using 127.0.0.1 provides a location using
> localhost and that one is used by the browser, the browser fails because of
> CORS.
>
> I already looked at the sources to see what is causing the change from
> 127.0.0.1 to localhost and found it:
> After the line
> [https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/UriInfoImpl.java#L83]
> has been executed the variable u looks like [http://127.0.0.1:8080/]
> After that "toAbsoluteUri" of HttpUtils is called.
> That's the part of the code that replaces 127.0.0.1 by localhost
> [https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java#L388-L391]
> The commit that added that part of code is
> [https://github.com/apache/cxf/commit/ebc910780b2b9b971a7c1c2e4019bdf9ec35e460#diff-1e4a62a6414e4007d2f5be9f0313c8c0R311-R314]
> The git commit referenced the wrong Jira (2007) - it should have been
> https://issues.apache.org/jira/browse/CXF-5007
>
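The host rewrite reported above, as an added example that is not part of the original issue and is not CXF code: it compares the origin of a `Location` header with the origin the client used, the comparison a browser makes, and flags the case where only the loopback alias differs. The function names and sample exchanges are assumptions constructed from the curl transcripts in the report; `modelBaseUri` only models the behaviour described for `replace.loopback.address.with.localhost`.

```javascript
// Added example (not CXF code). All function names are hypothetical.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Model of the behaviour described in the report: with the property at its
// default ("true"), a 127.0.0.1 host in the base URI becomes "localhost".
function modelBaseUri(requestUrl, replaceLoopback = true) {
  const base = new URL('/', requestUrl);
  if (replaceLoopback && base.hostname === '127.0.0.1') {
    base.hostname = 'localhost';
  }
  return base.href;
}

// Resolve the Location header against the request URL (it may be relative)
// and compare origins as a browser does: scheme + host + port.
function classifyLocation(requestUrl, locationHeader) {
  const req = new URL(requestUrl);
  const loc = new URL(locationHeader, req);
  if (loc.origin === req.origin) {
    return 'same-origin';
  }
  const sameSchemeAndPort =
    loc.protocol === req.protocol && loc.port === req.port;
  if (sameSchemeAndPort &&
      LOOPBACK_HOSTS.has(req.hostname) &&
      LOOPBACK_HOSTS.has(loc.hostname)) {
    // Same machine, but a different origin as far as the browser is concerned.
    return 'loopback-alias-rewrite';
  }
  return 'cross-origin';
}

// Constructed samples mirroring the two curl exchanges in the report.
const samples = [
  { request: 'http://localhost:8080/create',
    location: 'http://localhost:8080/foo/bar' },
  { request: 'http://127.0.0.1:8080/create',
    location: 'http://localhost:8080/foo/bar' },
];

for (const s of samples) {
  console.log(`${s.request} -> ${s.location}: ` +
              classifyLocation(s.request, s.location));
}
```

A check like `classifyLocation` can run in an integration test against each loopback alias the application is expected to be reached through, so a host rewrite shows up before a browser blocks the follow-up request.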