cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject svn commit: r1300535 - in /cxf/branches/2.5.x-fixes: ./ rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/ systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/ systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/
Date Wed, 14 Mar 2012 13:16:10 GMT
Author: sergeyb
Date: Wed Mar 14 13:16:09 2012
New Revision: 1300535

URL: http://svn.apache.org/viewvc?rev=1300535&view=rev
Log:
Merged revisions 1299900,1300084,1300509,1300523 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1299900 | sergeyb | 2012-03-12 22:10:07 +0000 (Mon, 12 Mar 2012) | 1 line
  
  [CXF-4167] Making sure some of the cors properties can be customized if they are not set
on the annotation
........
  r1300084 | sergeyb | 2012-03-13 11:51:51 +0000 (Tue, 13 Mar 2012) | 1 line
  
  [CXF-4167] Also removing a couple of redundant annotation properties
........
  r1300509 | sergeyb | 2012-03-14 11:23:58 +0000 (Wed, 14 Mar 2012) | 1 line
  
  [CXF-4167] restoring allowAllOrigins for a moment
........
  r1300523 | sergeyb | 2012-03-14 12:33:09 +0000 (Wed, 14 Mar 2012) | 1 line
  
  [CXF-4167] Fixing the test and moving the localPreflight property into its own annotation
........

Added:
    cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/LocalPreflight.java
      - copied unchanged from r1300523, cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/LocalPreflight.java
Modified:
    cxf/branches/2.5.x-fixes/   (props changed)
    cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java
    cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
    cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/AnnotatedCorsServer.java
    cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/ConfigServer.java
    cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/beans.xml

Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Mar 14 13:16:09 2012
@@ -1 +1 @@
-/cxf/trunk:1236902,1297296,1298470,1298601-1298624,1298830,1298832,1299086,1299635,1299682,1299707,1299747,1300342,1300530
+/cxf/trunk:1236902,1297296,1298470,1298601-1298624,1298830,1298832,1299086,1299635,1299682,1299707,1299747,1299900-1300084,1300342,1300509,1300523,1300530

Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java?rev=1300535&r1=1300534&r2=1300535&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java
Wed Mar 14 13:16:09 2012
@@ -44,28 +44,25 @@ import java.lang.annotation.Target;
 @Inherited
 public @interface CrossOriginResourceSharing {
     /**
-     * If true, this resource will return
+     * If true, this resource will return 
      * <pre>Access-Control-Allow-Origin: *</pre>
-     * for a valid request.
+     * for a valid request 
      */
     boolean allowAllOrigins() default false;
     /**
-     * A list of permitted origins. This is ignored 
-     * if {@link #allowAllOrigins()} is true.
+     * A list of permitted origins. It is ignored if
+     * {@link #allowAllOrigins()} returns true
      */
     String[] allowOrigins() default { };
     /**
      * A list of headers that the client may include
-     * in an actual request.
+     * in an actual request. All the headers listed in 
+     * the Access-Control-Request-Headers will be allowed if
+     * the list is empty
      */
     String[] allowHeaders() default { };
     
     /**
-     * Act as if whatever headers are listed in the Access-Control-Request-Headers are 
-     * listed in allowHeaders. Convenient for dealing with Browser bugs. 
-     */
-    boolean allowAnyHeaders() default false;
-    /**
      * If true, this resource will return 
      * <pre>Access-Control-Allow-Credentials: true</pre>
      */
@@ -81,14 +78,4 @@ public @interface CrossOriginResourceSha
      * value is -1.
      */
     int maxAge() default -1;
-    /**
-     * Controls the implementation of preflight processing 
-     * on an OPTIONS method.
-     * If the current method is OPTIONS, and this method wants to 
-     * handle the preflight process for itself, set this value to 
-     * <tt>true</tt>. In the default, false, case, the filter
-     * performs preflight processing.
-     */
-    boolean localPreflight() default false;
-    
 }

Modified: cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java?rev=1300535&r1=1300534&r2=1300535&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
Wed Mar 14 13:16:09 2012
@@ -19,6 +19,7 @@
 
 package org.apache.cxf.rs.security.cors;
 
+import java.lang.annotation.Annotation;
 import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -78,40 +79,28 @@ public class CrossOriginResourceSharingF
      */
     private List<String> allowOrigins = Collections.emptyList();
     private List<String> allowHeaders = Collections.emptyList();
-    private boolean allowAllOrigins;
     private boolean allowCredentials;
     private List<String> exposeHeaders = Collections.emptyList();
     private Integer maxAge;
     private Integer preflightFailStatus = 200;
     private boolean defaultOptionsMethodsHandlePreflight;
-    private boolean allowAnyHeaders;
     
     
-    private CrossOriginResourceSharing getAnnotation(OperationResourceInfo ori) {
+    private <T extends Annotation> T  getAnnotation(OperationResourceInfo ori,
+                                                    Class<T> annClass) {
         if (ori == null) {
             return null;
         }
-        return ReflectionUtil.getAnnotationForMethodOrContainingClass(ori.getAnnotatedMethod(),
-                                                                      CrossOriginResourceSharing.class);
+        return ReflectionUtil.getAnnotationForMethodOrContainingClass(
+             ori.getAnnotatedMethod(),  annClass);
     }
 
     public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
         OperationResourceInfo opResInfo = m.getExchange().get(OperationResourceInfo.class);
-        /*
-         * If there is an actual method annotated with @OPTIONS, this is the annotation (if
any) from it.
-         * The lookup falls back to it.
-         */
-        CrossOriginResourceSharing annotation = getAnnotation(opResInfo);
-        /*
-         * If we don't have an annotation on the target method or an @OPTION method, perhaps
-         * we've got one on the class?
-         */
-        if (annotation == null) {
-            annotation = resourceClass.getServiceClass().getAnnotation(CrossOriginResourceSharing.class);
-        }
-
+        CrossOriginResourceSharing annotation = 
+            getAnnotation(opResInfo, CrossOriginResourceSharing.class);
+        
         if ("OPTIONS".equals(m.get(Message.HTTP_REQUEST_METHOD))) {
-          
             return preflightRequest(m, annotation, opResInfo, resourceClass);
         }
         return simpleRequest(m, annotation);
@@ -125,7 +114,7 @@ public class CrossOriginResourceSharingF
         }
         
         // 5.1.2 check all the origins
-        if (!effectiveAllowAllOrigins(ann) && !effectiveAllowOrigins(ann).containsAll(values))
{
+        if (!effectiveAllowOrigins(ann, values)) {
             return null;
         }
         
@@ -167,7 +156,7 @@ public class CrossOriginResourceSharingF
      * @return
      */
     //CHECKSTYLE:OFF
-    private Response preflightRequest(Message m, CrossOriginResourceSharing optionAnn,
+    private Response preflightRequest(Message m, CrossOriginResourceSharing corsAnn,
                                       OperationResourceInfo opResInfo, ClassResourceInfo
resourceClass) {
 
         /*
@@ -176,8 +165,9 @@ public class CrossOriginResourceSharingF
          * has one of our annotations on it (or its parent class) indicating 'localPreflight'
--
          * or the defaultOptionsMethodsHandlePreflight flag is true.
          */
-        if (opResInfo != null && ((optionAnn == null && defaultOptionsMethodsHandlePreflight)

-            || (optionAnn != null && optionAnn.localPreflight()))) {
+        LocalPreflight preflightAnnotation = 
+            getAnnotation(opResInfo, LocalPreflight.class);
+        if (preflightAnnotation != null || defaultOptionsMethodsHandlePreflight) { 
             return null; // let the resource method take all responsibility.
         }
         
@@ -208,15 +198,14 @@ public class CrossOriginResourceSharingF
             return null;
         }
         CrossOriginResourceSharing ann = method.getAnnotation(CrossOriginResourceSharing.class);
-        ann = ann == null ? optionAnn : ann;
+        ann = ann == null ? corsAnn : ann;
         
         /* We aren't required to have any annotation at all. If no annotation,
          * the properties of this filter make all the decisions.
          */
 
         // 5.2.2 must be on the list or we must be matching *.
-        boolean effectiveAllowAllOrigins = effectiveAllowAllOrigins(ann);
-        if (!effectiveAllowAllOrigins && !effectiveAllowOrigins(ann).contains(origin))
{
+        if (!effectiveAllowOrigins(ann, Collections.singletonList(origin))) {
             return createPreflightResponse(m, false);
         }
 
@@ -227,7 +216,7 @@ public class CrossOriginResourceSharingF
         // This was indirectly enforced by getCorsMethod()
 
         // 5.2.6 reject if the header is not listed.
-        if (!effectiveAllowAnyHeaders(ann) && !effectiveAllowHeaders(ann).containsAll(requestHeaders))
{
+        if (!effectiveAllowHeaders(ann, requestHeaders)) {
             return createPreflightResponse(m, false);
         }
 
@@ -372,7 +361,7 @@ public class CrossOriginResourceSharingF
         if (ann != null) {
             return ann.allowAllOrigins();
         } else {
-            return allowAllOrigins;
+            return allowOrigins.isEmpty();
         }
     }
 
@@ -384,45 +373,53 @@ public class CrossOriginResourceSharingF
         }
     }
 
-    private List<String> effectiveAllowOrigins(CrossOriginResourceSharing ann) {
+    private boolean effectiveAllowOrigins(CrossOriginResourceSharing ann, List<String>
origins) {
+        if (effectiveAllowAllOrigins(ann)) {
+            return true;
+        }
+        List<String> actualOrigins = Collections.emptyList(); 
         if (ann != null) {
-            if (ann.allowOrigins() == null) {
-                return Collections.emptyList();
-            }
-            return Arrays.asList(ann.allowOrigins());
-        } else {
-            return allowOrigins;
+            actualOrigins = Arrays.asList(ann.allowOrigins());
+        } 
+        
+        if (actualOrigins.isEmpty()) {
+            actualOrigins = allowOrigins;
         }
+        
+        return actualOrigins.containsAll(origins);
     }
     
     private boolean effectiveAllowAnyHeaders(CrossOriginResourceSharing ann) {
         if (ann != null) {
-            return ann.allowAnyHeaders();
+            return ann.allowHeaders().length == 0;
         } else {
-            return allowAnyHeaders;
+            return allowHeaders.isEmpty();
         }
     }
     
-    private List<String> effectiveAllowHeaders(CrossOriginResourceSharing ann) {
+    private boolean effectiveAllowHeaders(CrossOriginResourceSharing ann, List<String>
aHeaders) {
+        if (effectiveAllowAnyHeaders(ann)) {
+            return true;
+        }
+        List<String> actualHeaders = null; 
         if (ann != null) {
-            if (ann.allowHeaders() == null) {
-                return Collections.emptyList();
-            }
-            return Arrays.asList(ann.allowHeaders());
+            actualHeaders = Arrays.asList(ann.allowHeaders());
         } else {
-            return allowHeaders;
+            actualHeaders = allowHeaders;
         }
+        
+        return actualHeaders.containsAll(aHeaders);
     }
 
     private List<String> effectiveExposeHeaders(CrossOriginResourceSharing ann) {
+        List<String> actualExposeHeaders = null; 
         if (ann != null) {
-            if (ann.exposeHeaders() == null) {
-                return Collections.emptyList();
-            }
-            return Arrays.asList(ann.exposeHeaders());
+            actualExposeHeaders = Arrays.asList(ann.exposeHeaders());
         } else {
-            return exposeHeaders;
+            actualExposeHeaders = exposeHeaders;
         }
+        
+        return actualExposeHeaders;
     }
 
     private Integer effectiveMaxAge(CrossOriginResourceSharing ann) {
@@ -511,18 +508,6 @@ public class CrossOriginResourceSharingF
         return allowOrigins;
     }
 
-    /**
-     * Whether to implement Access-Control-Allow-Origin: *
-     * 
-     * @param allowAllOrigins if true, all origins are accepted and 
-     * "*" is returned in the header. Sections
-     * 5.1.1 and 5.1.2, and 5.2.1 and 5.2.2. If false, then the list of allowed origins must
be
-     */
-    public void setAllowAllOrigins(boolean allowAllOrigins) {
-        this.allowAllOrigins = allowAllOrigins;
-    }
-
-    
     public List<String> getAllowHeaders() {
         return allowHeaders;
     }
@@ -602,19 +587,5 @@ public class CrossOriginResourceSharingF
         this.defaultOptionsMethodsHandlePreflight = defaultOptionsMethodsHandlePreflight;
     }
 
-    public boolean isAllowAnyHeaders() {
-        return allowAnyHeaders;
-    }
-
-    /**
-     * Completely relax the Access-Control-Request-Headers check. 
-     * Any headers in this header will be permitted. Handy for 
-     * dealing with Chrome / Firefox / Safari incompatibilities.
-     * @param allowAnyHeader whether to allow any header. If <tt>false</tt>,
-     * respect the allowHeaders property.
-     */
-    public void setAllowAnyHeaders(boolean allowAnyHeader) {
-        this.allowAnyHeaders = allowAnyHeader;
-    }
-
+    
 }

Modified: cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/AnnotatedCorsServer.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/AnnotatedCorsServer.java?rev=1300535&r1=1300534&r2=1300535&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/AnnotatedCorsServer.java
(original)
+++ cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/AnnotatedCorsServer.java
Wed Mar 14 13:16:09 2012
@@ -34,6 +34,7 @@ import javax.ws.rs.core.Response;
 
 import org.apache.cxf.rs.security.cors.CorsHeaderConstants;
 import org.apache.cxf.rs.security.cors.CrossOriginResourceSharing;
+import org.apache.cxf.rs.security.cors.LocalPreflight;
 
 /**
  * Service bean with no class-level annotation for cross-script control.
@@ -73,7 +74,7 @@ public class AnnotatedCorsServer {
 
     @OPTIONS
     @Path("/delete")
-    @CrossOriginResourceSharing(localPreflight = true)
+    @LocalPreflight
     public Response deleteOptions() {
         String origin = headers.getRequestHeader("Origin").get(0);
         if ("http://area51.mil:3333".equals(origin)) {

Modified: cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/ConfigServer.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/ConfigServer.java?rev=1300535&r1=1300534&r2=1300535&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/ConfigServer.java
(original)
+++ cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/ConfigServer.java
Wed Mar 14 13:16:09 2012
@@ -40,10 +40,7 @@ public class ConfigServer {
     @Path("/setOriginList")
     @Produces("text/plain")
     public String setOriginList(String[] origins) {
-        if (origins == null || origins.length == 0) {
-            inputFilter.setAllowAllOrigins(true);
-        } else {
-            inputFilter.setAllowAllOrigins(false);
+        if (origins != null) {
             inputFilter.setAllowOrigins(Arrays.asList(origins));
         }
         return "ok";

Modified: cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/beans.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/beans.xml?rev=1300535&r1=1300534&r2=1300535&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/beans.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/beans.xml
Wed Mar 14 13:16:09 2012
@@ -21,9 +21,7 @@ http://cxf.apache.org/core 
       http://cxf.apache.org/schemas/core.xsd">
 	<import resource="classpath:/META-INF/cxf/cxf.xml" />
 
-	<bean id="cors-filter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">
-		<property name="allowAllOrigins" value="true" />
-	</bean>
+	<bean id="cors-filter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter"/>
 
 	<jaxrs:server id="unann-cors-service" address="/untest">
 		<jaxrs:serviceBeans>



Mime
View raw message