Posted to issues@cxf.apache.org by "Steven Tippetts (JIRA)" <ji...@apache.org> on 2012/11/05 23:14:12 UTC

[jira] [Created] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Steven Tippetts created CXF-4615:
------------------------------------

             Summary: OAuthRequestFilter.java should ignore HTTP OPTIONS verb
                 Key: CXF-4615
                 URL: https://issues.apache.org/jira/browse/CXF-4615
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 2.7.0, 2.6.2
            Reporter: Steven Tippetts
            Priority: Critical


In handleRequest of OAuthRequestFilter.java at line 54 something similar to the following should be added:

if (((String)m.get(Message.HTTP_REQUEST_METHOD)).equals("OPTIONS")) return null;

This will skip any HTTP OPTIONS verb requests. I'm getting the OPTIONS verb request when using an OAuth 2 javascript client.

I haven't found a way in the configuration to specify that OPTIONS requests should skip this filter.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491636#comment-13491636 ] 

Steven Tippetts commented on CXF-4615:
--------------------------------------

It looks like the fix works only when the CORS filter is used with the OAuth filter. Will the CORS filter be required now to use OAuth or is there an additional fix that works without the CORS filter?
                

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491687#comment-13491687 ] 

Steven Tippetts commented on CXF-4615:
--------------------------------------

Thank you for your feedback. In order to make the CXF OAuth solution simple, I think you'll need to have a fix to this that doesn't involve the CORS filter or extending OAuthRequestFilter. Here's why I think this. My client is javascript in the browser and uses jQuery $.ajax to make the call to the OAuth resource server. The client provides the $.ajax call with the Authorization header information that includes the bearer token; however, for some reason jQuery first sends the OPTIONS request but without including the Authorization header. I'm guessing that this will be a problem for anyone using a javascript client.
                

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13498692#comment-13498692 ] 

Sergey Beryozkin commented on CXF-4615:
---------------------------------------

OK. Regarding the local preflight pass-through code in OAuth2 filter: I'll keep it there for a bit, may get rid of it in the future if the feedback from users will show that a local preflight mode is used rarely, thanks
                

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491717#comment-13491717 ] 

Steven Tippetts commented on CXF-4615:
--------------------------------------

It does work when I modify the filter as suggested.  That said, I do have a filter in the chain that does the following:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    // Add the CORS response headers to every response, then continue down the chain.
    HttpServletResponse httpServletResponse = (HttpServletResponse) response;
    httpServletResponse.addHeader("Access-Control-Allow-Origin", "*");
    httpServletResponse.addHeader("Access-Control-Allow-Methods", "PUT,POST,GET,OPTIONS");
    httpServletResponse.addHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
    chain.doFilter(request, response);
}

It is now occurring to me that this may be similar to what the CORS filter is doing. If so, then I just need to switch to it.

                

[jira] [Comment Edited] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491636#comment-13491636 ] 

Steven Tippetts edited comment on CXF-4615 at 11/6/12 5:35 PM:
---------------------------------------------------------------

It looks like the fix works only when the CORS filter is used with the OAuth filter. Will the CORS filter be required now to use OAuth or are you planning an additional fix that works without the CORS filter?
                
      was (Author: tippettssh):
    It looks like the fix works only when the CORS filter is used with the OAuth filter. Will the CORS filter be required now to use OAuth or is there an additional fix that works without the CORS filter?
                  

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13490987#comment-13490987 ] 

Sergey Beryozkin commented on CXF-4615:
---------------------------------------

Hmm, should CORS filter be sitting in front of OAuthFilter and managing OPTIONS ?
                

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13495239#comment-13495239 ] 

Sergey Beryozkin commented on CXF-4615:
---------------------------------------

Hi Steven, no problems at all, note that you can also have:

{code:java}
@OPTIONS
@LocalPreflight
public Response handlePreflightRequest() {
} 
{code}

if preferred. This code will specifically deal with analyzing the CORS OPTIONS request and preparing the response. This is a bit intrusive for the application code but allows to do the more sophisticated CORS Preflight processing which may not be possible by using the CORS filter only. Note I've updated OAuth filter to support the code above after you opened this JIRA.

Can I resolve it as Won't Fix or Not a Problem now ?

                

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491648#comment-13491648 ] 

Sergey Beryozkin commented on CXF-4615:
---------------------------------------

If OPTIONS request is not part of the browser doing CORS preflight then the filter can not just get OPTIONS pass by, right ? It could be an actual OAuth client trying to use OPTIONS and I guess we may have a case of a rogue client trying to use OPTIONS and the fact the JAX-RS are required to return a list of supported HTTP verbs in response to OPTIONS, thus, unless it is a local preflight, the filter has to block it, unless it is actually issued by a client whose access token can be validated.

If no CORS support is required (as in say with authorization code flow) then no CORS filter will be needed.

You do not have to use CORS filter at all if it seems like an extra headache :-), simply extend OAuthRequestFilter and override its handleRequest() and let the request proceed for OPTIONS, but if this OPTIONS is indeed part of CORS preflight then using the CORS filter is better because it will take care of preparing a proper preflight response, and generally speaking will not interfere with the actual OAuth flow.

Does it help ? 


                

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491404#comment-13491404 ] 

Sergey Beryozkin commented on CXF-4615:
---------------------------------------

The only current limitation of using CrossOriginResourceSharingFilter with OAuth filter is that CORS filter will let the local preflight requests through, example, in cases when a service resource method is annotated with @Options and @LocalPreflight, but this still will be blocked by OAuth filter. 

I've updated the oauth filter to let OPTIONS request pass through only if it is a local preflight request:

http://svn.apache.org/viewvc?rev=1406106&view=rev

Can you please experiment with the latest code ?
      
                

[jira] [Comment Edited] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13490987#comment-13490987 ] 

Sergey Beryozkin edited comment on CXF-4615 at 11/5/12 10:25 PM:
-----------------------------------------------------------------

Hmm, should CORS filter be sitting in front of OAuthFilter and managing OPTIONS ?

http://cxf.apache.org/docs/jax-rs-cors.html
                
      was (Author: sergey_beryozkin):
    Hmm, should CORS filter be sitting in from of OAuthFilter and managing OPTIONS ?
                  

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491897#comment-13491897 ] 

Steven Tippetts commented on CXF-4615:
--------------------------------------

Sorry for my ignorance. Thank you for your help. I'll add the CORS filter and remove the other and test your changes.
                

[jira] [Comment Edited] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13498414#comment-13498414 ] 

Steven Tippetts edited comment on CXF-4615 at 11/15/12 10:52 PM:
-----------------------------------------------------------------

Yes, go ahead and resolve it. Please note that I added the CORS filter without updating to your new code and my issue went away. In other words, I didn't test your new code.
                
      was (Author: tippettssh):
    Yes, go ahead and resolve it. Please note that I added the CORS filter without updating to your new code and my issue was resolved.
                  

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491846#comment-13491846 ] 

Sergey Beryozkin commented on CXF-4615:
---------------------------------------

OK, that explains it.

Please try CORS filter and see how it works for you (list it before OAuth one). IMHO using the filter may be a better option, it is expected to be CORS spec compliant, can be configured to manage preflights and is more effective in the case of OPTIONS. At the moment, what happens after the OAuth filter passes OPTIONS through, the runtime will try to find the resource method supporting OPTIONS, and because it is not there, it will attempt to build "Allow" headers from the internal info, and will return, and in fact this 'Allow' won't be of use because Access-Control-Allow-Methods is expected instead.
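
Added example, not part of the original comment and not CXF code: a plain-Java model of the three filter arrangements discussed in this thread, run against a browser-style preflight (which carries no Authorization header), a bare OPTIONS request and a token-bearing GET. The class, the filter names, the origin and the token are constructed for illustration, and rejecting a disallowed origin with 403 is a choice of this sketch.

```java
import java.util.*;

// Added illustration: a plain-Java model of the filter chain, not CXF code.
public class PreflightOrderingDemo {

    // Request model: HTTP method plus case-insensitive header lookup.
    static final class Request {
        final String method;
        final Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

        Request(String method, String... headerPairs) {
            this.method = method;
            for (int i = 0; i + 1 < headerPairs.length; i += 2) {
                headers.put(headerPairs[i], headerPairs[i + 1]);
            }
        }
    }

    static final class Response {
        final int status;
        final Map<String, String> headers = new LinkedHashMap<>();

        Response(int status) { this.status = status; }

        Response header(String name, String value) {
            headers.put(name, value);
            return this;
        }

        @Override public String toString() { return status + " " + headers; }
    }

    // A filter returns a Response to stop the chain, or null to let the request continue.
    interface Filter { Response handle(Request r); }

    // Constructed sample values (assumptions of this example).
    static final Set<String> ALLOWED_ORIGINS = Set.of("https://app.example.test");
    static final Set<String> VALID_TOKENS = Set.of("constructed-token-123");

    // A CORS preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method.
    static boolean isPreflight(Request r) {
        return "OPTIONS".equals(r.method)
            && r.headers.containsKey("Origin")
            && r.headers.containsKey("Access-Control-Request-Method");
    }

    // CORS filter: answers preflights itself and leaves every other request alone.
    // Simplification: a real CORS filter also decorates the response to the actual request.
    static final Filter CORS = r -> {
        if (!isPreflight(r)) return null;
        String origin = r.headers.get("Origin");
        if (!ALLOWED_ORIGINS.contains(origin)) return new Response(403);
        return new Response(200)
            .header("Access-Control-Allow-Origin", origin)
            .header("Access-Control-Allow-Methods", "GET,POST,PUT")
            .header("Access-Control-Allow-Headers", "Content-Type, Authorization");
    };

    // OAuth filter: every request that reaches it needs a valid bearer token.
    static final Filter OAUTH = r -> {
        String auth = r.headers.get("Authorization");
        boolean valid = auth != null && auth.startsWith("Bearer ")
            && VALID_TOKENS.contains(auth.substring("Bearer ".length()));
        return valid ? null : new Response(401).header("WWW-Authenticate", "Bearer");
    };

    // The blanket skip proposed in the issue description: any OPTIONS bypasses the token check.
    static final Filter OAUTH_SKIP_OPTIONS =
        r -> "OPTIONS".equals(r.method) ? null : OAUTH.handle(r);

    // Runs the chain in order; a request that no filter stops reaches the resource.
    static Response dispatch(List<Filter> chain, Request r) {
        for (Filter f : chain) {
            Response stop = f.handle(r);
            if (stop != null) return stop;
        }
        if ("OPTIONS".equals(r.method)) {
            // No resource method handles OPTIONS: the runtime answers with a plain Allow list.
            return new Response(200).header("Allow", "GET,POST,PUT,OPTIONS");
        }
        return new Response(200).header("Content-Type", "application/json");
    }

    public static void main(String[] args) {
        Request preflight = new Request("OPTIONS",
            "Origin", "https://app.example.test",
            "Access-Control-Request-Method", "GET",
            "Access-Control-Request-Headers", "authorization");
        Request bareOptions = new Request("OPTIONS");
        Request actualGet = new Request("GET",
            "Origin", "https://app.example.test",
            "Authorization", "Bearer constructed-token-123");

        Map<String, List<Filter>> chains = new LinkedHashMap<>();
        chains.put("OAuth only", List.of(OAUTH));
        chains.put("OAuth skipping all OPTIONS", List.of(OAUTH_SKIP_OPTIONS));
        chains.put("CORS, then OAuth", List.of(CORS, OAUTH));

        chains.forEach((name, chain) -> {
            System.out.println(name);
            System.out.println("  preflight    -> " + dispatch(chain, preflight));
            System.out.println("  bare OPTIONS -> " + dispatch(chain, bareOptions));
            System.out.println("  GET + token  -> " + dispatch(chain, actualGet));
        });
    }
}
```

Only the "CORS, then OAuth" chain both answers the preflight with Access-Control-* headers and still returns 401 for a token-less OPTIONS that is not a preflight.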






                

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491696#comment-13491696 ] 

Sergey Beryozkin commented on CXF-4615:
---------------------------------------

> however, for some reason jQuery first sends the OPTIONS request but without including the Authorization header

AFAIK this is CORS preflight request. What do you expect to happen if OAuth filter will pass it through ? I think it will fail because no proper CORS response will be returned to the browser, or does it work if you modify the filter as you suggested ?
                

[jira] [Resolved] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-4615.
-----------------------------------

    Resolution: Fixed
      Assignee: Sergey Beryozkin

I'm resolving it as Fixed due to a minor update I did to OAuth filter to let the local-preflight requests pass through
                

[jira] [Comment Edited] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13498414#comment-13498414 ] 

Steven Tippetts edited comment on CXF-4615 at 11/15/12 11:20 PM:
-----------------------------------------------------------------

Yes, go ahead and resolve it. Please note that I added the CORS filter without updating to your new code and my issue went away. In other words, I didn't test your new code. Sorry.
                
      was (Author: tippettssh):
    Yes, go ahead and resolve it. Please note that I added the CORS filter without updating to your new code and my issue went away. In other words, I didn't test your new code.
                  

[jira] [Commented] (CXF-4615) OAuthRequestFilter.java should ignore HTTP OPTIONS verb

Posted by "Steven Tippetts (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13498414#comment-13498414 ] 

Steven Tippetts commented on CXF-4615:
--------------------------------------

Yes, go ahead and resolve it. Please note that I added the CORS filter without updating to your new code and my issue was resolved.
                