I am using CXF 3.1.5 for my RESTful services and want to enable CORS only
for configued origins; to do that I have implemented options() method with
the required annotations -
in my interface,
@OPTIONS
@Path("/")
@LocalPreflight
public Response options();
in my implementation,
@Override
public Response options() {
if (!isCORSEnabled()) {
return Response.ok("Cross Origin Resource Sharing is not
allowed!").build();
}
String origin = headers.getRequestHeader("Origin").get(0);
if(getAllowedrOrigins().contains(origin)) {
return Response.ok()
.header(CorsHeaderConstants.HEADER_AC_ALLOW_METHODS, "GET POST DELETE
PUT")
.header(CorsHeaderConstants.HEADER_AC_ALLOW_CREDENTIALS, "false")
.header(CorsHeaderConstants.HEADER_AC_ALLOW_ORIGIN, origin)
.build();
} else {
return Response.ok("Cross Origin Resource Sharing is not
allowed!").build();
}
}
my REST service is defined this way: in my interface (same one where I have
options() defined)-
@GET
@Path("/login")
@Produces(MediaType.TEXT_PLAIN)
public Response login();
in my implementation (same class where I have options() implemented)
@Override
public Response login() {
return Response.ok().build();
}
my REST endpoint is running at "/auth" and I have got CORS filter set in my
blueprint.
<bean id="corsFilter"
class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter"/>
<jaxrs:server address="/auth" id="auth">
<jaxrs:invoker>
<bean class="com.tst.web.interceptor.WebSecurityInvoker">
</bean>
</jaxrs:invoker>
<jaxrs:serviceBeans>
<ref component-id="loginServiceImpl"/>
</jaxrs:serviceBeans>
<jaxrs:outInterceptors>
<bean class="com.tst.web.interceptor.WebSecurityOutInterceptor">
</bean>
</jaxrs:outInterceptors>
<jaxrs:providers>
<ref component-id="corsFilter" />
</jaxrs:providers>
</jaxrs:server>
I hoped, I have got things in a right way but for some reasons, my
options() method is not getting called; I did some debugging through the
CORs filter, found that this filter tries to find the preflight method with
the path '/login' instead of '/'; I think, somewhere I messed up the
configuration. I have spent two days without any success; any help will be
appreciated.
Here is my client code:
$jquery.ajax({
method: 'GET',
url: site.endpoint + 'auth/login',
beforeSend: function (xhr){
xhr.setRequestHeader('Authorization',authz);
xhr.setRequestHeader('Access-Control-Allow-Origin',
'http://localhost:8000');
xhr.setRequestHeader('Access-Control-Expose-Headers', 'token');
},
success: function(data, status, xhr) {
pauth.token = xhr.getResponseHeader("token");
success();
},
error: function(xhr, status, errorThrown) {
if(xhr.status == '403') {
fail("Invalid Username or password. Please try again.");
} else if (xhr.status == '500') {
fail("Internal Server Error: Please try again after sometime.");
} else{
console.log("Status: " + xhr.status);
console.log("Error Thrown :" + errorThrown);
fail("Unknown error: Please contact System Administrator");
}
console.log(JSON.parse(XMLHttpRequest.responseText));
},
timeout: 30000
});
return token;
}
