Spring - Resteasy - CORS double Access-Control-Allow-Origin header in response

I am setting up a web application with Spring 3 and Resteasy; since my resources require authentication, I am not allowed to use * as Access-Control-Allow-Origin. Therefore I tuned

org.jboss.resteasy.plugins.interceptors.CorsFilter

with the right domain of origin. This works with the desktop client (Paw for macOS and others), but not with the browser (Chrome); the problem is that the answer contains a double value for Access-Control-Allow-Origin, that is, the one I configured, and "*".

CorsFilter is not to blame, because even if you have configured more than one source, it always puts only one value for the header, the one that made the request.

I just have no idea who puts this extra (and wrong) header, any idea on where I could look? Note that the double header is found in GET requests, but not in OPTIONS requests.

+4
4 answers

Finally, I found that there is a native MessageBodyWriterInterceptor in the classpath that adds the wrong header; now it's on me to remove it. One thing that I found out is that if something happens only when there is a body to write, the rendering pipeline is definitely a good starting point.

0
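
One way to find which component writes the second Access-Control-Allow-Origin value, as an added example that is not code from the question or its answers: a servlet filter that wraps the response and logs a stack trace on every write to that header. The class name AcaoTraceFilter is hypothetical; it assumes RESTEasy runs behind the servlet API (as the web.xml configuration on this page implies) and that this filter is mapped ahead of it.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Diagnostic filter (hypothetical class name): logs who writes Access-Control-Allow-Origin.
public class AcaoTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(AcaoTraceFilter.class.getName());
    private static final String ACAO = "Access-Control-Allow-Origin";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Everything further down the chain sees the wrapper, not the raw response.
        HttpServletResponse traced = new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override
            public void addHeader(String name, String value) {
                trace("addHeader", name, value);
                super.addHeader(name, value);
            }

            @Override
            public void setHeader(String name, String value) {
                trace("setHeader", name, value);
                super.setHeader(name, value);
            }

            private void trace(String call, String name, String value) {
                if (!ACAO.equalsIgnoreCase(name)) return;
                // containsHeader() is true when an earlier write already set the header,
                // so an "alreadySet=true" entry marks the second writer.
                String msg = call + " " + ACAO + ": " + value + " alreadySet=" + containsHeader(ACAO);
                // The Throwable is never thrown; it only carries the caller's stack into the log.
                LOG.log(Level.WARNING, msg, new Throwable("header written from here"));
            }
        };
        chain.doFilter(req, traced);
    }

    @Override
    public void init(FilterConfig cfg) {
    }

    @Override
    public void destroy() {
    }
}
```

The stack trace of each log entry names the class that wrote that value. If a duplicate reaches the browser but only one write is logged, the extra header is being added outside the wrapped servlet chain, for example by a proxy in front of the application.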


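import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {

    public SimpleCorsFilter() {
    }

    @Override
    public void doFilter(ServletRequest req,
                         ServletResponse res,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        // CORS headers are set on every response, preflight or not.
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "X-Requested-With, Authorization, Content-Type");

        // Preflight requests are answered here and never reach the rest of the chain.
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

}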
+1


CorsFilter web.xml:

<context-param>
    <param-name>resteasy.providers</param-name>
    <param-value>org.jboss.resteasy.plugins.interceptors.CorsFilter</param-value>
</context-param>

, CORS, , , CorsFilter, RestEasy, URL-, *, .

, RestEasy Spring Integration, org.jboss.resteasy.spi.ResteasyProviderFactory, :

@Autowired
private ResteasyProviderFactory processor;

, @PostConstruct, CorsFilter ResteasyProviderFactory, :

@PostConstruct
public void setUp() {
    ContainerRequestFilter[] requestFilters = processor.getContainerRequestFilterRegistry().preMatch();
    CorsFilter filter = (CorsFilter) Iterables.getLast(Iterables.filter(Arrays.asList(requestFilters), Predicates.instanceOf(CorsFilter.class)));
    filter.getAllowedOrigins().add("*");
}

P.S.: :

  • Spring Framework 3.2.18.RELEASE
  • RestEasy 3.0.12.Final


0

, , , , Spring + Resteasy.

web.xml:

<context-param>
    <param-name>resteasy.providers</param-name>
    <param-value>package.to.your.cors.CORSFilter</param-value>
</context-param>

Java CORSFilter,

package package.to.your.cors;

import java.io.IOException;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.ext.Provider;

@Provider
public class CORSFilter implements ContainerResponseFilter {

    @Override
    public void filter(final ContainerRequestContext requestContext,
                       final ContainerResponseContext cres) throws IOException {
        cres.getHeaders().add("Access-Control-Allow-Origin", "*");
        cres.getHeaders().add("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");
        cres.getHeaders().add("Access-Control-Allow-Headers", "X-Auth-Token, Content-Type");
        cres.getHeaders().add("Access-Control-Max-Age", "4800");
    }

}


PS: s_bighead, , .

0

Source: https://habr.com/ru/post/1622910/

