cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Beryozkin (JIRA)" <>
Subject [jira] [Commented] (CXF-4615) should ignore HTTP OPTIONS verb
Date Tue, 06 Nov 2012 21:36:14 GMT


Sergey Beryozkin commented on CXF-4615:

OK, that explains it.

Please try CORS filter and see how it works for you (list it before OAuth one). IMHO using
the filter may be a better option, it is expected to be CORS spec compliant, can be configured
to manage preflights and is more effective in the case of OPTIONS. At the moment, what happens
after the OAuth filter passes OPTIONS through, the runtime will try to find the resource method
supporting OPTIONS, and because it is not there, it will attempt to build "Allow" headers
from the internal info, and will return, and in fact this 'Allow' won't be of use because
Access-Control-Allow-Methods is expected instead.

> should ignore HTTP OPTIONS verb
> -------------------------------------------------------
>                 Key: CXF-4615
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.6.2, 2.7.0
>            Reporter: Steven Tippetts
>            Priority: Critical
> In handleRequest of at line 54 something similar to the following
should be added:
> if (((String)m.get(Message.HTTP_REQUEST_METHOD)).equals("OPTIONS")) return null;
> This will skip any HTTP OPTIONS verb requests. I'm getting the OPTIONS verb request when
using an OAuth 2 javascript client.
> I haven't found a way in the configuration to specify that OPTIONS requests should skip
this filter.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message