[ https://issues.apache.org/jira/browse/CXF-8190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17016164#comment-17016164 ]
Colm O hEigeartaigh commented on CXF-8190:
------------------------------------------

[~reta] - If [https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java#L421-L424] defaults to false, do any of the TCK tests break?

> UriBuilder / HttpUtils replaces 127.0.0.1 by localhost
> ------------------------------------------------------
>
>                 Key: CXF-8190
>                 URL: https://issues.apache.org/jira/browse/CXF-8190
>             Project: CXF
>          Issue Type: Bug
>            Reporter: Markus Rathgeb
>            Priority: Major
>
> If you access a locally running REST endpoint in the browser using the IP
> address 127.0.0.1 and the REST endpoint implementation is using the UriInfo
> to build a new URL by the URI builder (e.g. a created resource), the reply
> will not use the host as accessed (127.0.0.1) but replaces the host by
> "localhost".
> If the web application then tries to access the location, the browsers will
> block that request because of a cross origin access.
>
> Assume a very simple REST endpoint:
> {code:java}
> @Component(service = { Resource.class }, scope = ServiceScope.PROTOTYPE)
> @JaxrsResource
> public class Resource {
>     @POST
>     @Path("create")
>     @Produces(MediaType.APPLICATION_JSON)
>     public Object createTest(@Context final UriInfo uriInfo) {
>         final URI uri = uriInfo.getBaseUriBuilder().path("foo").path("bar").build();
>         return Response.created(uri).build();
>     }
> }{code}
> If I call the post method of that endpoint using the URL
> "[http://localhost:8080/create]" I get a created location that looks like
> "[http://localhost:8080/foo/bar]".
> All fine.
> {noformat}
> $ curl -v -X POST http://localhost:8080/create
> * Trying ::1:8080...
> * TCP_NODELAY set
> * Connected to localhost (::1) port 8080 (#0)
> > POST /create HTTP/1.1
> > Host: localhost:8080
> > User-Agent: curl/7.67.0
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 201 Created
> < Date: Tue, 10 Dec 2019 17:41:47 GMT
> < Location: http://localhost:8080/foo/bar
> < Content-Length: 0
> <
> * Connection #0 to host localhost left intact{noformat}
> But, I would expect if I access the endpoint using the IP instead of the
> hostname "[http://127.0.0.1:8080/create]" the created response's location
> should look like "[http://127.0.0.1:8080/foo/bar]".
> But that is not the case...
> The response provides "[http://localhost:8080/foo/bar]"
> {noformat}
> curl -v -X POST http://127.0.0.1:8080/create
> * Trying 127.0.0.1:8080...
> * TCP_NODELAY set
> * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> > POST /create HTTP/1.1
> > Host: 127.0.0.1:8080
> > User-Agent: curl/7.67.0
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 201 Created
> < Date: Tue, 10 Dec 2019 17:44:00 GMT
> < Location: http://localhost:8080/foo/bar
> < Content-Length: 0
> <
> * Connection #0 to host 127.0.0.1 left intact{noformat}
> If the website that is accessed using 127.0.0.1 provides a location using
> localhost and that one is used by the browser, the browser fails because of
> CORS.
>
> I already looked in the sources for what is causing the change from 127.0.0.1 to
> localhost and found it:
> After the line
> [https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/UriInfoImpl.java#L83]
> has been executed the variable u looks like [http://127.0.0.1:8080/]
> After that "toAbsoluteUri" of HttpUtils is called.
> That's the part of the code that replaces 127.0.0.1 by localhost
> [https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java#L388-L391]
> The commit that added that part of code is
> [https://github.com/apache/cxf/commit/ebc910780b2b9b971a7c1c2e4019bdf9ec35e460#diff-1e4a62a6414e4007d2f5be9f0313c8c0R311-R314]
> The git commit referenced the wrong Jira (2007) - it should have been
> https://issues.apache.org/jira/browse/CXF-5007
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
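
The origin mismatch reported in the issue, as an added example that is not part of the original message or of CXF: it reads `curl -v` transcripts (abbreviated here from the two runs quoted above), extracts the request `Host` and the response `Location`, and compares their origins the way a browser would. The helper names `header` and `checkLocation` and the default `http` scheme are assumptions made for this sketch.

```javascript
// Added example: compare the origin a client used with the origin of the
// Location header it got back, using `curl -v` transcripts as input.

// Transcripts abbreviated from the two curl runs in the issue description.
const viaHostname = `
> POST /create HTTP/1.1
> Host: localhost:8080
< HTTP/1.1 201 Created
< Location: http://localhost:8080/foo/bar
`;
const viaLoopbackIp = `
> POST /create HTTP/1.1
> Host: 127.0.0.1:8080
< HTTP/1.1 201 Created
< Location: http://localhost:8080/foo/bar
`;

// Pull one header value out of the request ('>') or response ('<') side.
function header(transcript, side, name) {
  const prefix = `${side} ${name.toLowerCase()}:`;
  for (const line of transcript.split('\n')) {
    const trimmed = line.trim();
    if (trimmed.toLowerCase().startsWith(prefix)) {
      return trimmed.slice(prefix.length).trim();
    }
  }
  return null;
}

// scheme is an assumption: curl -v does not print it, and the issue uses http.
function checkLocation(transcript, scheme = 'http') {
  const host = header(transcript, '>', 'Host');
  const location = header(transcript, '<', 'Location');
  if (!host || !location) return { ok: false, reason: 'missing Host or Location' };
  const requested = new URL(`${scheme}://${host}/`);
  // A relative Location resolves against the requested URL, as a browser would.
  const target = new URL(location, requested);
  const ok = requested.origin === target.origin;
  return { ok, requested: requested.origin, target: target.origin,
           reason: ok ? 'same origin' : 'Location points at a different origin' };
}

console.log(checkLocation(viaHostname));
console.log(checkLocation(viaLoopbackIp));
```

Run against a service's own transcripts, a check like this works as a regression test for the behaviour discussed in CXF-8190: the `Location` origin should equal the origin the client addressed.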