From serg...@apache.org
Subject cxf git commit: Using Origin even if allowedAllOrigins is set when allow credentials is enabled
Date Tue, 09 Jun 2015 11:08:49 GMT
Repository: cxf
Updated Branches:
  refs/heads/2.7.x-fixes 292ab8fba -> 235393d64


Using the request Origin even if allowAllOrigins is set, when allowCredentials is enabled


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/235393d6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/235393d6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/235393d6

Branch: refs/heads/2.7.x-fixes
Commit: 235393d64083e1c4c02ac8f1961010bd9d82187f
Parents: 292ab8f
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue Jun 9 11:43:58 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Jun 9 12:08:19 2015 +0100

----------------------------------------------------------------------
 .../cors/CrossOriginResourceSharingFilter.java  | 44 +++++++++-----------
 .../jaxrs/cors/CrossOriginSimpleTest.java       | 30 +++++++++++++
 .../jaxrs/cors/UnannotatedCorsServer.java       | 15 +++++++
 3 files changed, 65 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/235393d6/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
b/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
index 21cfae8..d624efa 100644
--- a/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
+++ b/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
@@ -113,28 +113,19 @@ public class CrossOriginResourceSharingFilter implements RequestHandler,
Respons
     }
 
     private Response simpleRequest(Message m, CrossOriginResourceSharing ann) {
-        List<String> values = getHeaderValues(CorsHeaderConstants.HEADER_ORIGIN, true);
+        List<String> headerOriginValues = getHeaderValues(CorsHeaderConstants.HEADER_ORIGIN,
true);
         // 5.1.1 there has to be an origin
-        if (values == null || values.size() == 0) {
+        if (headerOriginValues == null || headerOriginValues.size() == 0) {
             return null;
         }
         
         // 5.1.2 check all the origins
-        if (!effectiveAllowOrigins(ann, values)) {
+        if (!effectiveAllowOrigins(ann, headerOriginValues)) {
             return null;
         }
         
-        String originResponse;
-        // 5.1.3 credentials lives in the output filter
-        // in any case
-        if (effectiveAllowAllOrigins(ann)) {
-            originResponse = "*";
-        } else {
-            originResponse = concatValues(values, true);
-        }
-
         // handle 5.1.3
-        commonRequestProcessing(m, ann, originResponse);
+        setAllowOriginAndCredentials(m, ann, headerOriginValues);
         
         // 5.1.4
         List<String> effectiveExposeHeaders = effectiveExposeHeaders(ann);
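Review bot: The origin presence check `if (headerOriginValues == null || headerOriginValues.size() == 0)` reads better in the idiomatic form; since the rename already touches this line, `if (headerOriginValues == null || headerOriginValues.isEmpty()) {` keeps the same semantics. The surviving `// handle 5.1.3` comment above the new setAllowOriginAndCredentials call no longer says that the allow-credentials decision now also drives the allow-origin value; `// 5.1.3: allow-origin and allow-credentials for the output filter; the Origin is echoed when credentials are allowed` would keep the spec cross-reference useful. simpleRequest's body continues past the end of this hunk.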
@@ -230,13 +221,6 @@ public class CrossOriginResourceSharingFilter implements RequestHandler,
Respons
             return createPreflightResponse(m, false);
         }
 
-        // 5.2.7: add allow credentials and allow-origin as required: this lives in the Output
filter
-        String originResponse;
-        if (effectiveAllowAllOrigins(ann)) {
-            originResponse = "*";
-        } else {
-            originResponse = origin;
-        }
         // 5.2.9 add allow-methods; we pass them from here to the output filter which actually
adds them.
         m.getExchange().put(CorsHeaderConstants.HEADER_AC_ALLOW_METHODS, Arrays.asList(requestMethod));
         
@@ -249,7 +233,7 @@ public class CrossOriginResourceSharingFilter implements RequestHandler,
Respons
         }
 
         // 5.2.7 is in here.
-        commonRequestProcessing(m, ann, originResponse);
+        setAllowOriginAndCredentials(m, ann, headerOriginValues);
 
         return createPreflightResponse(m, true);
     }
@@ -314,10 +298,22 @@ public class CrossOriginResourceSharingFilter implements RequestHandler,
Respons
         }
     }
     
-    private void commonRequestProcessing(Message m, CrossOriginResourceSharing ann, String
origin) {
+    private void setAllowOriginAndCredentials(Message m, 
+                                              CrossOriginResourceSharing ann,
+                                              List<String> headerOriginValues) {
+     
+        boolean allowCreds = effectiveAllowCredentials(ann);
+        m.getExchange().put(CorsHeaderConstants.HEADER_AC_ALLOW_CREDENTIALS, allowCreds);
+        
+        String originResponse;
+        if (!allowCreds && effectiveAllowAllOrigins(ann)) {
+            originResponse = "*";
+        } else {
+            originResponse = concatValues(headerOriginValues, true);
+        }
+        
+        m.getExchange().put(CorsHeaderConstants.HEADER_ORIGIN, originResponse);
         
-        m.getExchange().put(CorsHeaderConstants.HEADER_ORIGIN, origin);
-        m.getExchange().put(CorsHeaderConstants.HEADER_AC_ALLOW_CREDENTIALS, effectiveAllowCredentials(ann));
     }
 
     public Response handleResponse(Message m, OperationResourceInfo ori, Response response)
{
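Review bot: setAllowOriginAndCredentials echoes the request Origin (`originResponse = concatValues(headerOriginValues, true);`) whenever allowCredentials is true, so an annotation that combines allowAllOrigins with allowCredentials now grants credentialed access to every origin; that is the intended fix, but it is a consequence operators need to see, and the method has no Javadoc. I would add a Javadoc stating that the computed allow-origin and allow-credentials values are stored on the exchange for the output filter, that `*` is used only when credentials are not allowed because browsers reject a wildcard with credentials, and that allowAllOrigins together with allowCredentials therefore reflects any Origin. Because the allow-origin value is derived from the request header in that branch, the response should also carry `Vary: Origin` so a shared cache does not serve one origin's value to another; whether handleResponse already does that is not visible in this hunk. The signature line `Message m, ` carries trailing whitespace, and the whitespace-only line after the signature should be blank or removed.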

http://git-wip-us.apache.org/repos/asf/cxf/blob/235393d6/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
----------------------------------------------------------------------
diff --git a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
index 81c9a23..63b4049 100644
--- a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
+++ b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
@@ -19,6 +19,7 @@
 
 package org.apache.cxf.systest.jaxrs.cors;
 
+import java.io.Closeable;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -393,6 +394,35 @@ public class CrossOriginSimpleTest extends AbstractBusClientServerTestBase
{
     }
     
     @Test
+    public void testAnnotatedMethodPreflight2() throws Exception {
+        configureAllowOrigins(true, null);
+        String r = configClient.replacePath("/setAllowCredentials/false")
+            .accept("text/plain").post(null, String.class);
+        assertEquals("ok", r);
+        HttpClient httpclient = new DefaultHttpClient();
+        HttpOptions http = new HttpOptions("http://localhost:" + PORT + "/untest/annotatedPut2");
+        // this is the origin we expect to get.
+        http.addHeader("Origin", "http://area51.mil:31415");
+        http.addHeader(CorsHeaderConstants.HEADER_AC_REQUEST_METHOD, "PUT");
+        http.addHeader(CorsHeaderConstants.HEADER_AC_REQUEST_HEADERS, "X-custom-1, x-custom-2");
+        HttpResponse response = httpclient.execute(http);
+        assertEquals(200, response.getStatusLine().getStatusCode());
+        assertOriginResponse(false, new String[]{"http://area51.mil:31415"}, true, response);
+        assertAllowCredentials(response, true);
+        List<String> exposeHeadersValues 
+            = headerValues(response.getHeaders(CorsHeaderConstants.HEADER_AC_EXPOSE_HEADERS));
+        // preflight never returns Expose-Headers
+        assertEquals(Collections.emptyList(), exposeHeadersValues);
+        List<String> allowHeadersValues 
+            = headerValues(response.getHeaders(CorsHeaderConstants.HEADER_AC_ALLOW_HEADERS));
+        assertEquals(Arrays.asList(new String[] {"X-custom-1", "x-custom-2" }), allowHeadersValues);
+        if (httpclient instanceof Closeable) {
+            ((Closeable)httpclient).close();
+        }
+
+    }
+    
+    @Test
     public void testAnnotatedClassCorrectOrigin() throws Exception {
         HttpClient httpclient = new DefaultHttpClient();
         HttpGet httpget = new HttpGet("http://localhost:" + PORT + "/antest/simpleGet/HelloThere");

http://git-wip-us.apache.org/repos/asf/cxf/blob/235393d6/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
----------------------------------------------------------------------
diff --git a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
index 94b4764..102ea1e 100644
--- a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
+++ b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
@@ -77,4 +77,19 @@ public class UnannotatedCorsServer {
     public String annotatedPut(String input) {
         return input;
     }
+    
+    @PUT
+    @Consumes("text/plain")
+    @Produces("text/plain")
+    @Path("/annotatedPut2")
+    @CrossOriginResourceSharing(
+        allowAllOrigins = true, 
+        allowCredentials = true, 
+        maxAge = 1, 
+        allowHeaders = { "X-custom-1", "X-custom-2" },
+        exposeHeaders = {"X-custom-3", "X-custom-4" }
+    )
+    public String annotatedPut2(String input) {
+        return input;
+    }
 }
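Review bot: annotatedPut2 duplicates annotatedPut apart from its annotation values, and nothing says why `allowAllOrigins = true` is paired with `allowCredentials = true`; a one-line comment above the annotation, `// allowAllOrigins with allowCredentials: the filter is expected to echo the request Origin rather than "*"`, records the intent the new preflight test depends on. The trailing whitespace after `allowAllOrigins = true, `, `allowCredentials = true, ` and `maxAge = 1, ` should be dropped.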

