Author: bimargulies Date: Thu Dec 22 13:52:43 2011 New Revision: 1222231 URL: http://svn.apache.org/viewvc?rev=1222231&view=rev Log: CXF-3998: add an additional flag (and annotation param) to make it easier to deal with browser confusion on Access-Control-Allow-Headers.
Modified: cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java
Modified: cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java?rev=1222231&r1=1222230&r2=1222231&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java (original)
+++ cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java Thu Dec 22 13:52:43 2011
@@ -59,6 +59,12 @@ public @interface CrossOriginResourceSha
 * in an actual request.
 */
 String[] allowHeaders() default { };
+
+ /**
+ * Act as if whatever headers are listed in the Access-Control-Request-Headers are
+ * listed in allowHeaders. Convenient for dealing with Browser bugs.
+ */
+ boolean allowAnyHeaders() default false;
 /**
 * If true, this resource will return
 * <pre>Access-Control-Allow-Credentials: true</pre>
Modified: cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java?rev=1222231&r1=1222230&r2=1222231&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java (original)
+++ cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java Thu Dec 22 13:52:43 2011
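Review bot: The Javadoc added for `allowAnyHeaders()` in the `@@ -59,6 +59,12 @@` hunk presents the flag only as a convenience for browser bugs and never says that it switches off the filter's header allow-list check (the 5.2.6 test in CrossOriginResourceSharingFilter) for the resource. Someone enabling it should be told that every header named in Access-Control-Request-Headers is then accepted on preflight, so I would add a sentence such as `When true the allowHeaders list is not enforced; leave this false unless the resource is safe to call with arbitrary request headers from the permitted origins.` The same gap is in the `setAllowAnyHeaders` Javadoc in the `@@ -593,4 +602,19 @@` hunk of the filter. The annotation type begins and ends outside this hunk.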
@@ -84,6 +84,7 @@ public class CrossOriginResourceSharingF
 private Integer maxAge;
 private Integer preflightFailStatus = 200;
 private boolean defaultOptionsMethodsHandlePreflight;
+ private boolean allowAnyHeaders;
 private CrossOriginResourceSharing getAnnotation(OperationResourceInfo ori) {
@@ -209,9 +210,9 @@ public class CrossOriginResourceSharingF
 CrossOriginResourceSharing ann = method.getAnnotation(CrossOriginResourceSharing.class);
 ann = ann == null ? optionAnn : ann;
- if (ann == null) {
- return createPreflightResponse(m, false);
- }
+ /* We aren't required to have any annotation at all. If no annotation,
+ * the properties of this filter make all the decisions.
+ */
 // 5.2.2 must be on the list or we must be matching *.
 boolean effectiveAllowAllOrigins = effectiveAllowAllOrigins(ann);
@@ -226,7 +227,7 @@ public class CrossOriginResourceSharingF
 // This was indirectly enforced by getCorsMethod()
 // 5.2.6 reject if the header is not listed.
- if (!effectiveAllowHeaders(ann).containsAll(requestHeaders)) {
+ if (!effectiveAllowAnyHeaders(ann) && !effectiveAllowHeaders(ann).containsAll(requestHeaders)) {
 return createPreflightResponse(m, false);
 }
@@ -394,6 +395,14 @@ public class CrossOriginResourceSharingF
 }
 }
+ private boolean effectiveAllowAnyHeaders(CrossOriginResourceSharing ann) {
+ if (ann != null) {
+ return ann.allowAnyHeaders();
+ } else {
+ return allowAnyHeaders;
+ }
+ }
+
 private List<String> effectiveAllowHeaders(CrossOriginResourceSharing ann) {
 if (ann != null) {
 if (ann.allowHeaders() == null) {
@@ -570,7 +579,7 @@ public class CrossOriginResourceSharingF
 /**
 * Preflight error response status, default is 200.
 *
- * @param status
+ * @param status HTTP status code.
 */
 public void setPreflightErrorStatus(Integer status) {
 this.preflightFailStatus = status;
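Review bot: Removing the `ann == null` early return in the `@@ -209,9 +210,9 @@` hunk changes behaviour beyond the flag named in the log: a resource with no `@CrossOriginResourceSharing` annotation used to fail preflight and is now decided entirely by the filter's own properties. That widens the set of resources that can answer a preflight successfully, so it deserves its own line in the commit log and a test for the unannotated case. It also means every later use of `ann` in this method has to go through a null-tolerant `effective…` helper. The two helpers visible in this diff do check for null, but the rest of the method lies outside the hunk, so any direct `ann.` dereference there should be confirmed absent.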
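Review bot: In the `@@ -226,7 +227,7 @@` hunk the new `effectiveAllowAnyHeaders(ann)` short-circuit only relaxes the server-side 5.2.6 rejection; nothing in this commit changes what is sent back in Access-Control-Allow-Headers. The code that builds the successful preflight response is outside the hunk, so this is inferred, but if it still lists `effectiveAllowHeaders(ann)` the browser will refuse any header missing from that list and the flag will appear to do nothing. When the flag is on, the response would need to carry the requested header names instead, and those names come from the client, so they should be checked to be well-formed header tokens before being written into a response header. A test that sends a preflight with an unlisted header and asserts on the response's Access-Control-Allow-Headers would settle it.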
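Review bot: `effectiveAllowAnyHeaders` in the `@@ -394,6 +395,14 @@` hunk carries no comment on precedence, and the precedence is easy to misread: whenever an annotation is present its value wins, so an annotation that leaves `allowAnyHeaders` at its default `false` silently overrides `setAllowAnyHeaders(true)` on the filter. If that is intended, state it above the method, for example `// An annotation, when present, overrides the filter property, including its default of false.` As a matter of style the body could also be the single line `return ann != null ? ann.allowAnyHeaders() : allowAnyHeaders;`.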
@@ -593,4 +602,19 @@ public class CrossOriginResourceSharingF
 this.defaultOptionsMethodsHandlePreflight = defaultOptionsMethodsHandlePreflight;
 }
+ public boolean isAllowAnyHeaders() {
+ return allowAnyHeaders;
+ }
+
+ /**
+ * Completely relax the Access-Control-Request-Headers check.
+ * Any headers in this header will be permitted. Handy for
+ * dealing with Chrome / Firefox / Safari incompatibilities.
+ * @param allowAnyHeader whether to allow any header. If <tt>false</tt>,
+ * respect the allowHeaders property.
+ */
+ public void setAllowAnyHeaders(boolean allowAnyHeader) {
+ this.allowAnyHeaders = allowAnyHeader;
+ }
+
 }