Posted to commits@cxf.apache.org by bi...@apache.org on 2011/12/22 14:52:43 UTC

svn commit: r1222231 - in /cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors: CrossOriginResourceSharing.java CrossOriginResourceSharingFilter.java

Author: bimargulies
Date: Thu Dec 22 13:52:43 2011
New Revision: 1222231

URL: http://svn.apache.org/viewvc?rev=1222231&view=rev
Log:
CXF-3998: add an additional flag (and annotation param) to make it easier to deal with browser confusion on Access-Control-Allow-Headers.

Modified:
    cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java
    cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java

Modified: cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java?rev=1222231&r1=1222230&r2=1222231&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java (original)
+++ cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java Thu Dec 22 13:52:43 2011
@@ -59,6 +59,12 @@ public @interface CrossOriginResourceSha
      * in an actual request.
      */
     String[] allowHeaders() default { };
+    
+    /**
+     * Act as if whatever headers are listed in the Access-Control-Request-Headers are 
+     * listed in allowHeaders. Convenient for dealing with Browser bugs. 
+     */
+    boolean allowAnyHeaders() default false;
     /**
      * If true, this resource will return 
      * <pre>Access-Control-Allow-Credentials: true</pre>
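Review bot: The Javadoc for `allowAnyHeaders()` does not say that enabling it takes the `allowHeaders` allow-list out of the preflight decision, so it reads as a harmless compatibility switch. I would extend it along the lines of `Disables the allowHeaders check: every header named in Access-Control-Request-Headers is accepted.` and point readers at the credentials flag documented just below, since the two together widen what a cross-origin caller may send. The same caveat is missing from the `setAllowAnyHeaders` Javadoc in CrossOriginResourceSharingFilter, and `isAllowAnyHeaders` there has no Javadoc at all. The added blank line and the two comment lines also carry trailing whitespace.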

Modified: cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java?rev=1222231&r1=1222230&r2=1222231&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java (original)
+++ cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java Thu Dec 22 13:52:43 2011
@@ -84,6 +84,7 @@ public class CrossOriginResourceSharingF
     private Integer maxAge;
     private Integer preflightFailStatus = 200;
     private boolean defaultOptionsMethodsHandlePreflight;
+    private boolean allowAnyHeaders;
     
     
     private CrossOriginResourceSharing getAnnotation(OperationResourceInfo ori) {
@@ -209,9 +210,9 @@ public class CrossOriginResourceSharingF
         CrossOriginResourceSharing ann = method.getAnnotation(CrossOriginResourceSharing.class);
         ann = ann == null ? optionAnn : ann;
         
-        if (ann == null) {
-            return createPreflightResponse(m, false);
-        }
+        /* We aren't required to have any annotation at all. If no annotation,
+         * the properties of this filter make all the decisions.
+         */
 
         // 5.2.2 must be on the list or we must be matching *.
         boolean effectiveAllowAllOrigins = effectiveAllowAllOrigins(ann);
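Review bot: Dropping the `ann == null` early return changes un-annotated resource methods from always failing preflight to being governed by the filter's own properties, and `ann` can now be null at `effectiveAllowAllOrigins(ann)` and everything after it. `effectiveAllowHeaders` and the new `effectiveAllowAnyHeaders` visibly guard against null, but the other helpers and the rest of this method are outside the hunk, so any direct `ann.` dereference there would now throw; this is worth confirming with a test for an un-annotated method. The replacement comment could also spell out the consequence, e.g. `// No annotation: filter properties decide, so un-annotated methods are CORS-enabled whenever the filter permits it.`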
@@ -226,7 +227,7 @@ public class CrossOriginResourceSharingF
         // This was indirectly enforced by getCorsMethod()
 
         // 5.2.6 reject if the header is not listed.
-        if (!effectiveAllowHeaders(ann).containsAll(requestHeaders)) {
+        if (!effectiveAllowAnyHeaders(ann) && !effectiveAllowHeaders(ann).containsAll(requestHeaders)) {
             return createPreflightResponse(m, false);
         }
 
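Review bot: With `effectiveAllowAnyHeaders(ann)` true the 5.2.6 check on this line is skipped, but the code that writes Access-Control-Allow-Headers into the preflight response is outside the hunk. If it still emits only `effectiveAllowHeaders(ann)`, a browser would presumably still refuse headers missing from that list and the flag would have no visible effect, so in that mode the response needs to list `requestHeaders` instead. A comment such as `// allowAnyHeaders: skip 5.2.6; the response must then echo the requested headers` would make that coupling explicit.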
@@ -394,6 +395,14 @@ public class CrossOriginResourceSharingF
         }
     }
     
+    private boolean effectiveAllowAnyHeaders(CrossOriginResourceSharing ann) {
+        if (ann != null) {
+            return ann.allowAnyHeaders();
+        } else {
+            return allowAnyHeaders;
+        }
+    }
+    
     private List<String> effectiveAllowHeaders(CrossOriginResourceSharing ann) {
         if (ann != null) {
             if (ann.allowHeaders() == null) {
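Review bot: `effectiveAllowAnyHeaders` lets a present annotation fully override the filter property, and because `allowAnyHeaders()` defaults to false, any method annotated for an unrelated reason silently switches off a filter-level `setAllowAnyHeaders(true)`. That errs in the restrictive direction, but it is undocumented; a comment on the helper such as `// The annotation, when present, wins over the filter property (annotation default is false).` and a matching sentence in the setter Javadoc would help. The if/else could also be written as `return ann != null ? ann.allowAnyHeaders() : allowAnyHeaders;`, in line with the ternary used for `ann` in the preflight code. The body of `effectiveAllowHeaders` that follows continues outside the hunk.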
@@ -570,7 +579,7 @@ public class CrossOriginResourceSharingF
     /**
      * Preflight error response status, default is 200.
      * 
-     * @param status
+     * @param status HTTP status code.
      */
     public void setPreflightErrorStatus(Integer status) {
         this.preflightFailStatus = status;
@@ -593,4 +602,19 @@ public class CrossOriginResourceSharingF
         this.defaultOptionsMethodsHandlePreflight = defaultOptionsMethodsHandlePreflight;
     }
 
+    public boolean isAllowAnyHeaders() {
+        return allowAnyHeaders;
+    }
+
+    /**
+     * Completely relax the Access-Control-Request-Headers check. 
+     * Any headers in this header will be permitted. Handy for 
+     * dealing with Chrome / Firefox / Safari incompatibilities.
+     * @param allowAnyHeader whether to allow any header. If <tt>false</tt>,
+     * respect the allowHeaders property.
+     */
+    public void setAllowAnyHeaders(boolean allowAnyHeader) {
+        this.allowAnyHeaders = allowAnyHeader;
+    }
+
 }