From serg...@apache.org
Subject cxf git commit: [CXF-6444] Using Origin even if allowedAllOrigins is set when allow credentials is enabled
Date Tue, 09 Jun 2015 10:46:06 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 53b20e070 -> 8f94bfa9d


[CXF-6444] Using Origin even if allowedAllOrigins is set when allow credentials is enabled


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8f94bfa9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8f94bfa9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8f94bfa9

Branch: refs/heads/3.0.x-fixes
Commit: 8f94bfa9d4e75b80e5ca50310510608ebdeb7bec
Parents: 53b20e0
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue Jun 9 11:43:58 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Jun 9 11:45:39 2015 +0100

----------------------------------------------------------------------
 .../cors/CrossOriginResourceSharingFilter.java  | 44 +++++++++-----------
 .../jaxrs/cors/CrossOriginSimpleTest.java       | 29 +++++++++++++
 .../jaxrs/cors/UnannotatedCorsServer.java       | 15 +++++++
 3 files changed, 64 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/8f94bfa9/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
b/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
index 13a04ba..2876521 100644
--- a/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
+++ b/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
@@ -131,28 +131,19 @@ public class CrossOriginResourceSharingFilter implements ContainerRequestFilter,
     private Response simpleRequest(Message m, Method resourceMethod) {
         CrossOriginResourceSharing ann = 
             getAnnotation(resourceMethod, CrossOriginResourceSharing.class);
-        List<String> values = getHeaderValues(CorsHeaderConstants.HEADER_ORIGIN, true);
+        List<String> headerOriginValues = getHeaderValues(CorsHeaderConstants.HEADER_ORIGIN,
true);
         // 5.1.1 there has to be an origin
-        if (values == null || values.size() == 0) {
+        if (headerOriginValues == null || headerOriginValues.size() == 0) {
             return null;
         }
         
         // 5.1.2 check all the origins
-        if (!effectiveAllowOrigins(ann, values)) {
+        if (!effectiveAllowOrigins(ann, headerOriginValues)) {
             return null;
         }
         
-        String originResponse;
-        // 5.1.3 credentials lives in the output filter
-        // in any case
-        if (effectiveAllowAllOrigins(ann)) {
-            originResponse = "*";
-        } else {
-            originResponse = concatValues(values, true);
-        }
-
         // handle 5.1.3
-        commonRequestProcessing(m, ann, originResponse);
+        setAllowOriginAndCredentials(m, ann, headerOriginValues);
         
         // 5.1.4
         List<String> effectiveExposeHeaders = effectiveExposeHeaders(ann);
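Review bot: The emptiness test on the renamed list at the "5.1.1" check reads more idiomatically as `if (headerOriginValues == null || headerOriginValues.isEmpty()) {`; the `size() == 0` form is carried over from the pre-rename line and the rename was a good moment to drop it. Behaviour is unchanged either way. The body of simpleRequest continues past the end of this hunk.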
@@ -255,13 +246,6 @@ public class CrossOriginResourceSharingFilter implements ContainerRequestFilter,
             return createPreflightResponse(m, false);
         }
 
-        // 5.2.7: add allow credentials and allow-origin as required: this lives in the Output
filter
-        String originResponse;
-        if (effectiveAllowAllOrigins(ann)) {
-            originResponse = "*";
-        } else {
-            originResponse = origin;
-        }
         // 5.2.9 add allow-methods; we pass them from here to the output filter which actually
adds them.
         m.getExchange().put(CorsHeaderConstants.HEADER_AC_ALLOW_METHODS, Arrays.asList(requestMethod));
         
@@ -274,7 +258,7 @@ public class CrossOriginResourceSharingFilter implements ContainerRequestFilter,
         }
 
         // 5.2.7 is in here.
-        commonRequestProcessing(m, ann, originResponse);
+        setAllowOriginAndCredentials(m, ann, headerOriginValues);
 
         return createPreflightResponse(m, true);
     }
@@ -336,10 +320,22 @@ public class CrossOriginResourceSharingFilter implements ContainerRequestFilter,
         }
     }
     
-    private void commonRequestProcessing(Message m, CrossOriginResourceSharing ann, String
origin) {
+    private void setAllowOriginAndCredentials(Message m, 
+                                              CrossOriginResourceSharing ann,
+                                              List<String> headerOriginValues) {
+     
+        boolean allowCreds = effectiveAllowCredentials(ann);
+        m.getExchange().put(CorsHeaderConstants.HEADER_AC_ALLOW_CREDENTIALS, allowCreds);
+        
+        String originResponse;
+        if (!allowCreds && effectiveAllowAllOrigins(ann)) {
+            originResponse = "*";
+        } else {
+            originResponse = concatValues(headerOriginValues, true);
+        }
+        
+        m.getExchange().put(CorsHeaderConstants.HEADER_ORIGIN, originResponse);
         
-        m.getExchange().put(CorsHeaderConstants.HEADER_ORIGIN, origin);
-        m.getExchange().put(CorsHeaderConstants.HEADER_AC_ALLOW_CREDENTIALS, effectiveAllowCredentials(ann));
     }
 
     public void filter(ContainerRequestContext requestContext,
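Review bot: The new setAllowOriginAndCredentials reflects the request Origin back whenever credentials are enabled and allowAllOrigins is set, which grants credentialed cross-origin access to every origin; the spec forbids `*` together with credentials, and echoing the origin meets that rule while keeping the fully open effect, so the trade-off should be stated where it is made rather than left implicit in the `!allowCreds &&` condition. A comment above that branch along the lines of `// "*" is not permitted with credentials; reflecting the request Origin keeps allowAllOrigins + allowCredentials working, but it opens credentialed access to any origin, so an explicit origin list is the safer configuration when credentials are on` would do. Because the Access-Control-Allow-Origin value now differs per request, the response should also carry `Vary: Origin` so shared caches do not serve one origin's answer to another; I cannot see from this hunk whether the output filter already adds it. The whitespace-only line directly after the new signature can be dropped.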

http://git-wip-us.apache.org/repos/asf/cxf/blob/8f94bfa9/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
----------------------------------------------------------------------
diff --git a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
index ef3dc25..e26d1fe 100644
--- a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
+++ b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/CrossOriginSimpleTest.java
@@ -437,6 +437,35 @@ public class CrossOriginSimpleTest extends AbstractBusClientServerTestBase
{
     }
     
     @Test
+    public void testAnnotatedMethodPreflight2() throws Exception {
+        configureAllowOrigins(true, null);
+        String r = configClient.replacePath("/setAllowCredentials/false")
+            .accept("text/plain").post(null, String.class);
+        assertEquals("ok", r);
+        HttpClient httpclient = HttpClientBuilder.create().build();
+        HttpOptions http = new HttpOptions("http://localhost:" + PORT + "/untest/annotatedPut2");
+        // this is the origin we expect to get.
+        http.addHeader("Origin", "http://area51.mil:31415");
+        http.addHeader(CorsHeaderConstants.HEADER_AC_REQUEST_METHOD, "PUT");
+        http.addHeader(CorsHeaderConstants.HEADER_AC_REQUEST_HEADERS, "X-custom-1, x-custom-2");
+        HttpResponse response = httpclient.execute(http);
+        assertEquals(200, response.getStatusLine().getStatusCode());
+        assertOriginResponse(false, new String[]{"http://area51.mil:31415"}, true, response);
+        assertAllowCredentials(response, true);
+        List<String> exposeHeadersValues 
+            = headerValues(response.getHeaders(CorsHeaderConstants.HEADER_AC_EXPOSE_HEADERS));
+        // preflight never returns Expose-Headers
+        assertEquals(Collections.emptyList(), exposeHeadersValues);
+        List<String> allowHeadersValues 
+            = headerValues(response.getHeaders(CorsHeaderConstants.HEADER_AC_ALLOW_HEADERS));
+        assertEquals(Arrays.asList(new String[] {"X-custom-1", "x-custom-2" }), allowHeadersValues);
+        if (httpclient instanceof Closeable) {
+            ((Closeable)httpclient).close();
+        }
+
+    }
+    
+    @Test
     public void testAnnotatedClassCorrectOrigin() throws Exception {
         HttpClient httpclient = HttpClientBuilder.create().build();
         HttpGet httpget = new HttpGet("http://localhost:" + PORT + "/antest/simpleGet/HelloThere");
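Review bot: testAnnotatedMethodPreflight2 does not say what it covers, and its name hides that it is the regression test for this fix; a comment at the top such as `// CXF-6444: allowAllOrigins + allowCredentials must answer with the request Origin, never "*"` would make the assertOriginResponse expectation self-explanatory. The client is only closed on the success path, so a failing assertion leaks it; since HttpClientBuilder.create().build() returns a CloseableHttpClient, declaring it with that type inside a try-with-resources removes both the leak and the `instanceof Closeable` cast. This mirrors the pattern of the neighbouring tests, so it may be worth changing them together rather than only here.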

http://git-wip-us.apache.org/repos/asf/cxf/blob/8f94bfa9/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
----------------------------------------------------------------------
diff --git a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
index 94b4764..102ea1e 100644
--- a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
+++ b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/UnannotatedCorsServer.java
@@ -77,4 +77,19 @@ public class UnannotatedCorsServer {
     public String annotatedPut(String input) {
         return input;
     }
+    
+    @PUT
+    @Consumes("text/plain")
+    @Produces("text/plain")
+    @Path("/annotatedPut2")
+    @CrossOriginResourceSharing(
+        allowAllOrigins = true, 
+        allowCredentials = true, 
+        maxAge = 1, 
+        allowHeaders = { "X-custom-1", "X-custom-2" },
+        exposeHeaders = {"X-custom-3", "X-custom-4" }
+    )
+    public String annotatedPut2(String input) {
+        return input;
+    }
 }
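Review bot: annotatedPut2 is the fixture that exercises the allowAllOrigins/allowCredentials combination, but nothing on the method says so, and a reader of the server class will wonder why it duplicates annotatedPut with only the annotation changed. A one-line comment above the annotation, e.g. `// CXF-6444 fixture: allowAllOrigins together with allowCredentials; the filter must reply with the request Origin rather than "*"`, records the intent. The exposeHeaders values are never visible on a preflight, so if they are only there to mirror annotatedPut that could be said too.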

