Posted to commits@cxf.apache.org by se...@apache.org on 2012/03/14 14:16:10 UTC
svn commit: r1300535 - in /cxf/branches/2.5.x-fixes: ./
rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/
systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/
systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/
Author: sergeyb
Date: Wed Mar 14 13:16:09 2012
New Revision: 1300535
URL: http://svn.apache.org/viewvc?rev=1300535&view=rev
Log:
Merged revisions 1299900,1300084,1300509,1300523 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1299900 | sergeyb | 2012-03-12 22:10:07 +0000 (Mon, 12 Mar 2012) | 1 line
[CXF-4167] Making sure some of the cors properties can be customized if they are not set on the annotation
........
r1300084 | sergeyb | 2012-03-13 11:51:51 +0000 (Tue, 13 Mar 2012) | 1 line
[CXF-4167] Also removing a couple of redundant annotation properties
........
r1300509 | sergeyb | 2012-03-14 11:23:58 +0000 (Wed, 14 Mar 2012) | 1 line
[CXF-4167] restoring allowAllOrigins for a moment
........
r1300523 | sergeyb | 2012-03-14 12:33:09 +0000 (Wed, 14 Mar 2012) | 1 line
[CXF-4167] Fixing the test and moving the localPreflight property into its own annotation
........
Added:
cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/LocalPreflight.java
- copied unchanged from r1300523, cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/LocalPreflight.java
Modified:
cxf/branches/2.5.x-fixes/ (props changed)
cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java
cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/AnnotatedCorsServer.java
cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/ConfigServer.java
cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/beans.xml
Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Mar 14 13:16:09 2012
@@ -1 +1 @@
-/cxf/trunk:1236902,1297296,1298470,1298601-1298624,1298830,1298832,1299086,1299635,1299682,1299707,1299747,1300342,1300530
+/cxf/trunk:1236902,1297296,1298470,1298601-1298624,1298830,1298832,1299086,1299635,1299682,1299707,1299747,1299900-1300084,1300342,1300509,1300523,1300530
Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java?rev=1300535&r1=1300534&r2=1300535&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java Wed Mar 14 13:16:09 2012
@@ -44,28 +44,25 @@ import java.lang.annotation.Target;
@Inherited
public @interface CrossOriginResourceSharing {
/**
- * If true, this resource will return
+ * If true, this resource will return
* <pre>Access-Control-Allow-Origin: *</pre>
- * for a valid request.
+ * for a valid request
*/
boolean allowAllOrigins() default false;
/**
- * A list of permitted origins. This is ignored
- * if {@link #allowAllOrigins()} is true.
+ * A list of permitted origins. It is ignored if
+ * {@link #allowAllOrigins()} returns true
*/
String[] allowOrigins() default { };
/**
* A list of headers that the client may include
- * in an actual request.
+ * in an actual request. All the headers listed in
+ * the Access-Control-Request-Headers will be allowed if
+ * the list is empty
*/
String[] allowHeaders() default { };
/**
- * Act as if whatever headers are listed in the Access-Control-Request-Headers are
- * listed in allowHeaders. Convenient for dealing with Browser bugs.
- */
- boolean allowAnyHeaders() default false;
- /**
* If true, this resource will return
* <pre>Access-Control-Allow-Credentials: true</pre>
*/
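Review bot: The `allowOrigins()` javadoc does not say what an empty list means, while the `allowHeaders()` javadoc added in this hunk spells out that an empty list allows every requested header. Judging by the filter changes in the same commit, an empty annotation list defers to the filter's `allowOrigins` property; I would add a sentence such as `If the list is empty, the allowOrigins property of CrossOriginResourceSharingFilter is consulted.` It would also help to state on `allowHeaders()` that the empty default is the permissive one, so a resource that must restrict request headers has to list them explicitly. The annotation body continues outside the hunk.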
@@ -81,14 +78,4 @@ public @interface CrossOriginResourceSha
* value is -1.
*/
int maxAge() default -1;
- /**
- * Controls the implementation of preflight processing
- * on an OPTIONS method.
- * If the current method is OPTIONS, and this method wants to
- * handle the preflight process for itself, set this value to
- * <tt>true</tt>. In the default, false, case, the filter
- * performs preflight processing.
- */
- boolean localPreflight() default false;
-
}
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java?rev=1300535&r1=1300534&r2=1300535&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java Wed Mar 14 13:16:09 2012
@@ -19,6 +19,7 @@
package org.apache.cxf.rs.security.cors;
+import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
@@ -78,40 +79,28 @@ public class CrossOriginResourceSharingF
*/
private List<String> allowOrigins = Collections.emptyList();
private List<String> allowHeaders = Collections.emptyList();
- private boolean allowAllOrigins;
private boolean allowCredentials;
private List<String> exposeHeaders = Collections.emptyList();
private Integer maxAge;
private Integer preflightFailStatus = 200;
private boolean defaultOptionsMethodsHandlePreflight;
- private boolean allowAnyHeaders;
- private CrossOriginResourceSharing getAnnotation(OperationResourceInfo ori) {
+ private <T extends Annotation> T getAnnotation(OperationResourceInfo ori,
+ Class<T> annClass) {
if (ori == null) {
return null;
}
- return ReflectionUtil.getAnnotationForMethodOrContainingClass(ori.getAnnotatedMethod(),
- CrossOriginResourceSharing.class);
+ return ReflectionUtil.getAnnotationForMethodOrContainingClass(
+ ori.getAnnotatedMethod(), annClass);
}
public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
OperationResourceInfo opResInfo = m.getExchange().get(OperationResourceInfo.class);
- /*
- * If there is an actual method annotated with @OPTIONS, this is the annotation (if any) from it.
- * The lookup falls back to it.
- */
- CrossOriginResourceSharing annotation = getAnnotation(opResInfo);
- /*
- * If we don't have an annotation on the target method or an @OPTION method, perhaps
- * we've got one on the class?
- */
- if (annotation == null) {
- annotation = resourceClass.getServiceClass().getAnnotation(CrossOriginResourceSharing.class);
- }
-
+ CrossOriginResourceSharing annotation =
+ getAnnotation(opResInfo, CrossOriginResourceSharing.class);
+
if ("OPTIONS".equals(m.get(Message.HTTP_REQUEST_METHOD))) {
-
return preflightRequest(m, annotation, opResInfo, resourceClass);
}
return simpleRequest(m, annotation);
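Review bot: `handleRequest` no longer falls back to the class-level annotation when `opResInfo` is null, because the generic `getAnnotation` returns null before `ReflectionUtil` is consulted and the removed `resourceClass.getServiceClass().getAnnotation(...)` lookup has no replacement. For a preflight with no matched operation this appears to leave `corsAnn` null, and the context line `method.getAnnotation(CrossOriginResourceSharing.class)` in the later preflight hunk only sees method-level annotations, so a policy declared only on the class may be skipped in favour of the filter defaults. Consider resolving the target method's annotation in `preflightRequest` with `ReflectionUtil.getAnnotationForMethodOrContainingClass(method, CrossOriginResourceSharing.class)`, or keeping the class lookup here. A system test with a class-level `allowOrigins` and no `@OPTIONS` method would pin the behaviour.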
@@ -125,7 +114,7 @@ public class CrossOriginResourceSharingF
}
// 5.1.2 check all the origins
- if (!effectiveAllowAllOrigins(ann) && !effectiveAllowOrigins(ann).containsAll(values)) {
+ if (!effectiveAllowOrigins(ann, values)) {
return null;
}
@@ -167,7 +156,7 @@ public class CrossOriginResourceSharingF
* @return
*/
//CHECKSTYLE:OFF
- private Response preflightRequest(Message m, CrossOriginResourceSharing optionAnn,
+ private Response preflightRequest(Message m, CrossOriginResourceSharing corsAnn,
OperationResourceInfo opResInfo, ClassResourceInfo resourceClass) {
/*
@@ -176,8 +165,9 @@ public class CrossOriginResourceSharingF
* has one of our annotations on it (or its parent class) indicating 'localPreflight' --
* or the defaultOptionsMethodsHandlePreflight flag is true.
*/
- if (opResInfo != null && ((optionAnn == null && defaultOptionsMethodsHandlePreflight)
- || (optionAnn != null && optionAnn.localPreflight()))) {
+ LocalPreflight preflightAnnotation =
+ getAnnotation(opResInfo, LocalPreflight.class);
+ if (preflightAnnotation != null || defaultOptionsMethodsHandlePreflight) {
return null; // let the resource method take all responsibility.
}
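Review bot: The rewritten condition drops the `opResInfo != null` guard, so with `defaultOptionsMethodsHandlePreflight` set the filter returns null for every OPTIONS request, including ones where no resource method was matched to take over the preflight. The old code also applied the default flag only when no CORS annotation was present; it now overrides annotated resources as well. If that is not intended, keep the guard: `if (opResInfo != null && (preflightAnnotation != null || defaultOptionsMethodsHandlePreflight)) {`. The comment above the condition still describes 'localPreflight' as part of the CORS annotation and should name `@LocalPreflight` instead. The body of `preflightRequest` continues outside the hunk.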
@@ -208,15 +198,14 @@ public class CrossOriginResourceSharingF
return null;
}
CrossOriginResourceSharing ann = method.getAnnotation(CrossOriginResourceSharing.class);
- ann = ann == null ? optionAnn : ann;
+ ann = ann == null ? corsAnn : ann;
/* We aren't required to have any annotation at all. If no annotation,
* the properties of this filter make all the decisions.
*/
// 5.2.2 must be on the list or we must be matching *.
- boolean effectiveAllowAllOrigins = effectiveAllowAllOrigins(ann);
- if (!effectiveAllowAllOrigins && !effectiveAllowOrigins(ann).contains(origin)) {
+ if (!effectiveAllowOrigins(ann, Collections.singletonList(origin))) {
return createPreflightResponse(m, false);
}
@@ -227,7 +216,7 @@ public class CrossOriginResourceSharingF
// This was indirectly enforced by getCorsMethod()
// 5.2.6 reject if the header is not listed.
- if (!effectiveAllowAnyHeaders(ann) && !effectiveAllowHeaders(ann).containsAll(requestHeaders)) {
+ if (!effectiveAllowHeaders(ann, requestHeaders)) {
return createPreflightResponse(m, false);
}
@@ -372,7 +361,7 @@ public class CrossOriginResourceSharingF
if (ann != null) {
return ann.allowAllOrigins();
} else {
- return allowAllOrigins;
+ return allowOrigins.isEmpty();
}
}
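Review bot: Returning `allowOrigins.isEmpty()` makes an unconfigured filter allow every origin, where the removed `allowAllOrigins` field defaulted to false; the empty list is now overloaded to mean "allow all". Any caller that clears the list through `setAllowOrigins` to revoke access gets the opposite result, and deployments on the 2.5.x branch that never set the flag become permissive without a configuration change. The annotated path behaves differently: with an annotation present and both lists empty, `effectiveAllowOrigins` ends in `containsAll` on an empty list and rejects, so the same filter configuration gives different answers depending on whether the resource is annotated. At minimum document this on `setAllowOrigins`, e.g. `An empty list means all origins are allowed.`, and call it out in the release notes. The enclosing method starts outside the hunk.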
@@ -384,45 +373,53 @@ public class CrossOriginResourceSharingF
}
}
- private List<String> effectiveAllowOrigins(CrossOriginResourceSharing ann) {
+ private boolean effectiveAllowOrigins(CrossOriginResourceSharing ann, List<String> origins) {
+ if (effectiveAllowAllOrigins(ann)) {
+ return true;
+ }
+ List<String> actualOrigins = Collections.emptyList();
if (ann != null) {
- if (ann.allowOrigins() == null) {
- return Collections.emptyList();
- }
- return Arrays.asList(ann.allowOrigins());
- } else {
- return allowOrigins;
+ actualOrigins = Arrays.asList(ann.allowOrigins());
+ }
+
+ if (actualOrigins.isEmpty()) {
+ actualOrigins = allowOrigins;
}
+
+ return actualOrigins.containsAll(origins);
}
private boolean effectiveAllowAnyHeaders(CrossOriginResourceSharing ann) {
if (ann != null) {
- return ann.allowAnyHeaders();
+ return ann.allowHeaders().length == 0;
} else {
- return allowAnyHeaders;
+ return allowHeaders.isEmpty();
}
}
- private List<String> effectiveAllowHeaders(CrossOriginResourceSharing ann) {
+ private boolean effectiveAllowHeaders(CrossOriginResourceSharing ann, List<String> aHeaders) {
+ if (effectiveAllowAnyHeaders(ann)) {
+ return true;
+ }
+ List<String> actualHeaders = null;
if (ann != null) {
- if (ann.allowHeaders() == null) {
- return Collections.emptyList();
- }
- return Arrays.asList(ann.allowHeaders());
+ actualHeaders = Arrays.asList(ann.allowHeaders());
} else {
- return allowHeaders;
+ actualHeaders = allowHeaders;
}
+
+ return actualHeaders.containsAll(aHeaders);
}
private List<String> effectiveExposeHeaders(CrossOriginResourceSharing ann) {
+ List<String> actualExposeHeaders = null;
if (ann != null) {
- if (ann.exposeHeaders() == null) {
- return Collections.emptyList();
- }
- return Arrays.asList(ann.exposeHeaders());
+ actualExposeHeaders = Arrays.asList(ann.exposeHeaders());
} else {
- return exposeHeaders;
+ actualExposeHeaders = exposeHeaders;
}
+
+ return actualExposeHeaders;
}
private Integer effectiveMaxAge(CrossOriginResourceSharing ann) {
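Review bot: `effectiveAllowAnyHeaders` returns true as soon as an annotation is present with an empty `allowHeaders()`, so `effectiveAllowHeaders` never consults the filter's `allowHeaders` list for annotated resources. That is inconsistent with `effectiveAllowOrigins` in the same hunk, which falls back to the filter list when the annotation's list is empty, and it means adding `@CrossOriginResourceSharing` for an unrelated property silently lifts a filter-level header restriction. I would resolve the effective list first and treat only an empty result as allow-any, as sketched below; `effectiveAllowAnyHeaders` would need the same fallback if it is also used when building the response headers. Separately, `containsAll` compares header names case-sensitively although HTTP header names are case-insensitive.

```java
// … unchanged: effectiveAllowOrigins …
private boolean effectiveAllowHeaders(CrossOriginResourceSharing ann, List<String> aHeaders) {
    List<String> actualHeaders = Collections.emptyList();
    if (ann != null) {
        actualHeaders = Arrays.asList(ann.allowHeaders());
    }
    if (actualHeaders.isEmpty()) {
        // Same fallback as effectiveAllowOrigins: the filter-level list applies
        // when the annotation does not list any headers.
        actualHeaders = allowHeaders;
    }
    // Only an empty list at both levels keeps the documented allow-any behaviour.
    return actualHeaders.isEmpty() || actualHeaders.containsAll(aHeaders);
}
// … unchanged: effectiveExposeHeaders …
```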
@@ -511,18 +508,6 @@ public class CrossOriginResourceSharingF
return allowOrigins;
}
- /**
- * Whether to implement Access-Control-Allow-Origin: *
- *
- * @param allowAllOrigins if true, all origins are accepted and
- * "*" is returned in the header. Sections
- * 5.1.1 and 5.1.2, and 5.2.1 and 5.2.2. If false, then the list of allowed origins must be
- */
- public void setAllowAllOrigins(boolean allowAllOrigins) {
- this.allowAllOrigins = allowAllOrigins;
- }
-
-
public List<String> getAllowHeaders() {
return allowHeaders;
}
@@ -602,19 +587,5 @@ public class CrossOriginResourceSharingF
this.defaultOptionsMethodsHandlePreflight = defaultOptionsMethodsHandlePreflight;
}
- public boolean isAllowAnyHeaders() {
- return allowAnyHeaders;
- }
-
- /**
- * Completely relax the Access-Control-Request-Headers check.
- * Any headers in this header will be permitted. Handy for
- * dealing with Chrome / Firefox / Safari incompatibilities.
- * @param allowAnyHeader whether to allow any header. If <tt>false</tt>,
- * respect the allowHeaders property.
- */
- public void setAllowAnyHeaders(boolean allowAnyHeader) {
- this.allowAnyHeaders = allowAnyHeader;
- }
-
+
}
Modified: cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/AnnotatedCorsServer.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/AnnotatedCorsServer.java?rev=1300535&r1=1300534&r2=1300535&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/AnnotatedCorsServer.java (original)
+++ cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/AnnotatedCorsServer.java Wed Mar 14 13:16:09 2012
@@ -34,6 +34,7 @@ import javax.ws.rs.core.Response;
import org.apache.cxf.rs.security.cors.CorsHeaderConstants;
import org.apache.cxf.rs.security.cors.CrossOriginResourceSharing;
+import org.apache.cxf.rs.security.cors.LocalPreflight;
/**
* Service bean with no class-level annotation for cross-script control.
@@ -73,7 +74,7 @@ public class AnnotatedCorsServer {
@OPTIONS
@Path("/delete")
- @CrossOriginResourceSharing(localPreflight = true)
+ @LocalPreflight
public Response deleteOptions() {
String origin = headers.getRequestHeader("Origin").get(0);
if ("http://area51.mil:3333".equals(origin)) {
Modified: cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/ConfigServer.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/ConfigServer.java?rev=1300535&r1=1300534&r2=1300535&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/ConfigServer.java (original)
+++ cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/cors/ConfigServer.java Wed Mar 14 13:16:09 2012
@@ -40,10 +40,7 @@ public class ConfigServer {
@Path("/setOriginList")
@Produces("text/plain")
public String setOriginList(String[] origins) {
- if (origins == null || origins.length == 0) {
- inputFilter.setAllowAllOrigins(true);
- } else {
- inputFilter.setAllowAllOrigins(false);
+ if (origins != null) {
inputFilter.setAllowOrigins(Arrays.asList(origins));
}
return "ok";
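Review bot: A null `origins` argument is now a no-op, so the filter keeps whatever list an earlier call installed, whereas the removed branch reset it to allow-all. If the CORS system tests use this endpoint to reset state between cases, a stale origin list could leak from one test into the next. Handling null explicitly avoids that, e.g. `inputFilter.setAllowOrigins(origins == null ? Collections.<String>emptyList() : Arrays.asList(origins));`, which relies on the filter treating an empty list as allow-all.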
Modified: cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/beans.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/beans.xml?rev=1300535&r1=1300534&r2=1300535&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/beans.xml (original)
+++ cxf/branches/2.5.x-fixes/systests/jaxrs/src/test/resources/jaxrs_cors/WEB-INF/beans.xml Wed Mar 14 13:16:09 2012
@@ -21,9 +21,7 @@ http://cxf.apache.org/core
http://cxf.apache.org/schemas/core.xsd">
<import resource="classpath:/META-INF/cxf/cxf.xml" />
- <bean id="cors-filter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">
- <property name="allowAllOrigins" value="true" />
- </bean>
+ <bean id="cors-filter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter"/>
<jaxrs:server id="unann-cors-service" address="/untest">
<jaxrs:serviceBeans>