cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steven Tippetts (JIRA)" <>
Subject [jira] [Commented] (CXF-4615) should ignore HTTP OPTIONS verb
Date Tue, 06 Nov 2012 18:34:14 GMT


Steven Tippetts commented on CXF-4615:

Thank you for your feedback. In order to make the CXF OAuth solution simple, I think you'll
need to have a fix to this that doesn't involve the CORS filter or extending OAuthRequestFilter.
Here's why I think this. My client is javascript in the browser and uses jQuery $.ajax to
make the call to the OAuth resource server. The client provides the $.ajax call with the Authorization
header information that includes the bearer token; however, for some reason jQuery first sends
the OPTIONS request but without including the Authorization header. I'm guessing that this
will be a problem for anyone using a javascript client.
> should ignore HTTP OPTIONS verb
> -------------------------------------------------------
>                 Key: CXF-4615
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.6.2, 2.7.0
>            Reporter: Steven Tippetts
>            Priority: Critical
> In handleRequest of at line 54 something similar to the following
should be added:
> if (((String)m.get(Message.HTTP_REQUEST_METHOD)).equals("OPTIONS")) return null;
> This will skip any HTTP OPTIONS verb requests. I'm getting the OPTIONS verb request when
using an OAuth 2 javascript client.
> I haven't found a way in the configuration to specify that OPTIONS requests should skip
this filter.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message