Posted to commits@cxf.apache.org by bi...@apache.org on 2011/12/22 14:52:43 UTC
svn commit: r1222231 - in
/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors:
CrossOriginResourceSharing.java CrossOriginResourceSharingFilter.java
Author: bimargulies
Date: Thu Dec 22 13:52:43 2011
New Revision: 1222231
URL: http://svn.apache.org/viewvc?rev=1222231&view=rev
Log:
CXF-3998: add an additional flag (and annotation param) to make it easier to deal with browser confusion on Access-Control-Allow-Headers.
Modified:
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java
Modified: cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java?rev=1222231&r1=1222230&r2=1222231&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java (original)
+++ cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java Thu Dec 22 13:52:43 2011
@@ -59,6 +59,12 @@ public @interface CrossOriginResourceSha
* in an actual request.
*/
String[] allowHeaders() default { };
+
+ /**
+ * Act as if whatever headers are listed in the Access-Control-Request-Headers are
+ * listed in allowHeaders. Convenient for dealing with Browser bugs.
+ */
+ boolean allowAnyHeaders() default false;
/**
* If true, this resource will return
* <pre>Access-Control-Allow-Credentials: true</pre>
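Review bot: The Javadoc added for `allowAnyHeaders()` calls the flag convenient but does not say that it switches off header allow-listing for the resource. With the flag set, `allowHeaders` is no longer consulted by the 5.2.6 preflight check, so every name the client lists in Access-Control-Request-Headers passes it. I would add a sentence such as `When true, allowHeaders is not consulted and the preflight header check is skipped; prefer listing the required headers explicitly.` The Javadoc on `setAllowAnyHeaders` in CrossOriginResourceSharingFilter.java has the same gap. The annotation body continues outside the hunk.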
Modified: cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java?rev=1222231&r1=1222230&r2=1222231&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java (original)
+++ cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java Thu Dec 22 13:52:43 2011
@@ -84,6 +84,7 @@ public class CrossOriginResourceSharingF
private Integer maxAge;
private Integer preflightFailStatus = 200;
private boolean defaultOptionsMethodsHandlePreflight;
+ private boolean allowAnyHeaders;
private CrossOriginResourceSharing getAnnotation(OperationResourceInfo ori) {
@@ -209,9 +210,9 @@ public class CrossOriginResourceSharingF
CrossOriginResourceSharing ann = method.getAnnotation(CrossOriginResourceSharing.class);
ann = ann == null ? optionAnn : ann;
- if (ann == null) {
- return createPreflightResponse(m, false);
- }
+ /* We aren't required to have any annotation at all. If no annotation,
+ * the properties of this filter make all the decisions.
+ */
// 5.2.2 must be on the list or we must be matching *.
boolean effectiveAllowAllOrigins = effectiveAllowAllOrigins(ann);
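Review bot: Dropping the `if (ann == null)` early return changes the default for un-annotated resource methods from "preflight fails" to "the filter's properties decide", a more permissive default that the commit log does not mention. From here on `ann` may be null, so every later use needs a null guard. `effectiveAllowAnyHeaders` and `effectiveAllowHeaders` show one in this diff; `effectiveAllowAllOrigins` and any other helper are outside the visible hunks and should be checked. The new comment could state the consequence directly, e.g. `/* No annotation: the filter-level properties alone decide whether this preflight succeeds. */`. The enclosing method starts and ends outside the hunk.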
@@ -226,7 +227,7 @@ public class CrossOriginResourceSharingF
// This was indirectly enforced by getCorsMethod()
// 5.2.6 reject if the header is not listed.
- if (!effectiveAllowHeaders(ann).containsAll(requestHeaders)) {
+ if (!effectiveAllowAnyHeaders(ann) && !effectiveAllowHeaders(ann).containsAll(requestHeaders)) {
return createPreflightResponse(m, false);
}
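Review bot: When `effectiveAllowAnyHeaders(ann)` is true the 5.2.6 check on this `if` is skipped, but the hunk does not show what is then written to Access-Control-Allow-Headers. If the response reflects `requestHeaders`, those values come straight from the client's Access-Control-Request-Headers and should be restricted to valid header-name tokens before being echoed. If it still emits only `effectiveAllowHeaders(ann)`, the browser will presumably reject the actual request anyway and the flag achieves little. A short comment here saying which of the two applies would settle it; the enclosing method continues outside the hunk.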
@@ -394,6 +395,14 @@ public class CrossOriginResourceSharingF
}
}
+ private boolean effectiveAllowAnyHeaders(CrossOriginResourceSharing ann) {
+ if (ann != null) {
+ return ann.allowAnyHeaders();
+ } else {
+ return allowAnyHeaders;
+ }
+ }
+
private List<String> effectiveAllowHeaders(CrossOriginResourceSharing ann) {
if (ann != null) {
if (ann.allowHeaders() == null) {
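Review bot: In `effectiveAllowAnyHeaders` a present annotation always wins, so a method annotated with `@CrossOriginResourceSharing` that leaves `allowAnyHeaders` at its default `false` silently ignores `setAllowAnyHeaders(true)` on the filter. That errs on the restrictive side, but it is easy to misread when configuring the filter, so I would document it: `// An annotation, when present, overrides the filter property, including its default of false.` The `else` after `return` is also redundant; `return ann != null ? ann.allowAnyHeaders() : allowAnyHeaders;` expresses the same thing. `effectiveAllowHeaders` below is cut off by the hunk, so whether it follows the same precedence is not visible here.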
@@ -570,7 +579,7 @@ public class CrossOriginResourceSharingF
/**
* Preflight error response status, default is 200.
*
- * @param status
+ * @param status HTTP status code.
*/
public void setPreflightErrorStatus(Integer status) {
this.preflightFailStatus = status;
@@ -593,4 +602,19 @@ public class CrossOriginResourceSharingF
this.defaultOptionsMethodsHandlePreflight = defaultOptionsMethodsHandlePreflight;
}
+ public boolean isAllowAnyHeaders() {
+ return allowAnyHeaders;
+ }
+
+ /**
+ * Completely relax the Access-Control-Request-Headers check.
+ * Any headers in this header will be permitted. Handy for
+ * dealing with Chrome / Firefox / Safari incompatibilities.
+ * @param allowAnyHeader whether to allow any header. If <tt>false</tt>,
+ * respect the allowHeaders property.
+ */
+ public void setAllowAnyHeaders(boolean allowAnyHeader) {
+ this.allowAnyHeaders = allowAnyHeader;
+ }
+
}
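Review bot: The setter parameter is named `allowAnyHeader` while the field, getter and annotation member are all `allowAnyHeaders`; using the plural name keeps the Javadoc `@param` and the bean property consistent. `isAllowAnyHeaders()` has no Javadoc, and "Any headers in this header will be permitted" is ambiguous; something like `Any header named in the request's Access-Control-Request-Headers will be permitted` is clearer. `<tt>false</tt>` would read better as `{@code false}`.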