From 15c27b1364f7538b39fe95ffdacf822e22c06e11 Mon Sep 17 00:00:00 2001
From: Giovanni Meo
Date: Wed, 28 Aug 2013 08:46:55 +0000
Subject: [PATCH] Reverting because it caused instability to the northbound,
wondering why verify didn't catch those.
Revert "Added CorsFilter to enable secure cross site scripting"
This reverts commit 8cbcc63bbb004b50c66ce3c65d0b8d7943c8ffac
Change-Id: I41e292b91dfff6c7ceefe33f92f63c081ca2e499
---
.../distribution/opendaylight/pom.xml | 1 -
.../northbound/flowprogrammer/pom.xml | 8 +-
.../src/main/resources/WEB-INF/web.xml | 61 +-
opendaylight/northbound/hosttracker/pom.xml | 6 -
.../src/main/resources/WEB-INF/web.xml | 59 +-
.../networkconfiguration/bridgedomain/pom.xml | 6 -
.../src/main/resources/WEB-INF/web.xml | 59 +-
opendaylight/northbound/staticrouting/pom.xml | 6 -
.../src/main/resources/WEB-INF/web.xml | 63 +-
opendaylight/northbound/statistics/pom.xml | 6 -
.../src/main/resources/WEB-INF/web.xml | 59 +-
opendaylight/northbound/subnets/pom.xml | 6 -
.../src/main/resources/WEB-INF/web.xml | 59 +-
opendaylight/northbound/switchmanager/pom.xml | 7 +-
.../src/main/resources/WEB-INF/web.xml | 59 +-
opendaylight/northbound/topology/pom.xml | 6 -
.../src/main/resources/WEB-INF/web.xml | 59 +-
.../samples/northbound/loadbalancer/pom.xml | 6 -
.../src/main/resources/WEB-INF/web.xml | 59 +-
opendaylight/web/root/pom.xml | 8 +-
.../root/src/main/resources/WEB-INF/web.xml | 74 +-
.../README | 12 -
.../pom.xml | 64 -
.../apache/catalina/filters/CorsFilter.java | 1166 -----------------
24 files changed, 114 insertions(+), 1805 deletions(-)
delete mode 100644 third-party/org.apache.catalina.filters.CorsFilter/README
delete mode 100644 third-party/org.apache.catalina.filters.CorsFilter/pom.xml
delete mode 100644 third-party/org.apache.catalina.filters.CorsFilter/src/main/java/org/apache/catalina/filters/CorsFilter.java
diff --git a/opendaylight/distribution/opendaylight/pom.xml b/opendaylight/distribution/opendaylight/pom.xml
index 4dc4e6fa2e..abf508efc2 100644
--- a/opendaylight/distribution/opendaylight/pom.xml
+++ b/opendaylight/distribution/opendaylight/pom.xml
@@ -68,7 +68,6 @@
../../../third-party/net.sf.jung2
../../../third-party/jersey-servlet
../../../third-party/commons/thirdparty
- ../../../third-party/org.apache.catalina.filters.CorsFilter
../../sal/api
diff --git a/opendaylight/northbound/flowprogrammer/pom.xml b/opendaylight/northbound/flowprogrammer/pom.xml
index 201bf477ee..94991c573e 100644
--- a/opendaylight/northbound/flowprogrammer/pom.xml
+++ b/opendaylight/northbound/flowprogrammer/pom.xml
@@ -43,8 +43,7 @@
org.opendaylight.controller.northbound.commons.utils,
org.opendaylight.controller.sal.authorization,
org.opendaylight.controller.usermanager,
- com.sun.jersey.spi.container.servlet,
- org.apache.catalina.filters,
+ com.sun.jersey.spi.container.servlet,
javax.ws.rs,
javax.ws.rs.core,
javax.xml.bind.annotation,
@@ -97,10 +96,5 @@
com.sun.jersey.jersey-servlet
1.17-SNAPSHOT
-
- org.opendaylight.controller.thirdparty
- org.apache.catalina.filters.CorsFilter
- 7.0.42-SNAPSHOT
-
diff --git a/opendaylight/northbound/flowprogrammer/src/main/resources/WEB-INF/web.xml b/opendaylight/northbound/flowprogrammer/src/main/resources/WEB-INF/web.xml
index 5b3cec2292..4cedf2df89 100644
--- a/opendaylight/northbound/flowprogrammer/src/main/resources/WEB-INF/web.xml
+++ b/opendaylight/northbound/flowprogrammer/src/main/resources/WEB-INF/web.xml
@@ -18,56 +18,17 @@
/*
-
- CorsFilter
- org.apache.catalina.filters.CorsFilter
-
- cors.allowed.origins
- *
-
-
- cors.allowed.methods
- GET,POST,HEAD,OPTIONS,PUT
-
-
- cors.allowed.headers
- Content-Type,X-Requested-With,accept,authorization, origin,Origin,Access-Control-Request-Method,Access-Control-Request-Headers
-
-
- cors.exposed.headers
- Access-Control-Allow-Origin,Access-Control-Allow-Credentials
-
-
- cors.support.credentials
- true
-
-
- cors.preflight.maxage
- 10
-
-
-
- CorsFilter
- /*
-
-
-
- NB api
- /*
- POST
- GET
- PUT
- PATCH
- DELETE
- HEAD
-
-
- System-Admin
- Network-Admin
- Network-Operator
- Container-User
-
+
+ NB api
+ /*
+
+
+ System-Admin
+ Network-Admin
+ Network-Operator
+ Container-User
+
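Review bot: The restored "NB api" security-constraint in this hunk names no http-method, so it covers every method including OPTIONS; the version being reverted enumerated POST/GET/PUT/PATCH/DELETE/HEAD, which under the servlet model leaves unlisted methods (OPTIONS) outside the constraint and therefore unauthenticated, presumably how preflight requests got past BASIC auth. Since the message frames this as a temporary revert, a short comment at the constraint would keep the next attempt from reintroducing that gap: `<!-- No http-method list on purpose: the constraint must also cover OPTIONS; an explicit method list leaves unlisted methods unauthenticated. -->`. The same point applies to the web.xml hunks for hosttracker, bridgedomain, staticrouting, statistics, subnets, switchmanager, topology, the loadbalancer sample and web/root (whose RootGUI list also omitted PATCH). Separately, if the filter comes back, note that the removed init-params paired a wildcard `cors.allowed.origins` with `cors.support.credentials` set to `true`; in the removed CorsFilter that combination reflects the request Origin into Access-Control-Allow-Origin and adds Access-Control-Allow-Credentials, i.e. credentialed access from any origin.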
@@ -87,4 +48,4 @@
BASIC
opendaylight
-
+
\ No newline at end of file
diff --git a/opendaylight/northbound/hosttracker/pom.xml b/opendaylight/northbound/hosttracker/pom.xml
index b588c0715b..40aaf462ad 100644
--- a/opendaylight/northbound/hosttracker/pom.xml
+++ b/opendaylight/northbound/hosttracker/pom.xml
@@ -51,7 +51,6 @@
javax.xml.bind.annotation,
javax.xml.bind,
org.slf4j,
- org.apache.catalina.filters,
!org.codehaus.enunciate.jaxrs
/controller/nb/v2/host
@@ -97,10 +96,5 @@
enunciate-core-annotations
${enunciate.version}
-
- org.opendaylight.controller.thirdparty
- org.apache.catalina.filters.CorsFilter
- 7.0.42-SNAPSHOT
-
diff --git a/opendaylight/northbound/hosttracker/src/main/resources/WEB-INF/web.xml b/opendaylight/northbound/hosttracker/src/main/resources/WEB-INF/web.xml
index 01b8fedce1..0fa8b95dd0 100644
--- a/opendaylight/northbound/hosttracker/src/main/resources/WEB-INF/web.xml
+++ b/opendaylight/northbound/hosttracker/src/main/resources/WEB-INF/web.xml
@@ -17,56 +17,17 @@
/*
-
- CorsFilter
- org.apache.catalina.filters.CorsFilter
-
- cors.allowed.origins
- *
-
-
- cors.allowed.methods
- GET,POST,HEAD,OPTIONS,PUT
-
-
- cors.allowed.headers
- Content-Type,X-Requested-With,accept,authorization, origin,Origin,Access-Control-Request-Method,Access-Control-Request-Headers
-
-
- cors.exposed.headers
- Access-Control-Allow-Origin,Access-Control-Allow-Credentials
-
-
- cors.support.credentials
- true
-
-
- cors.preflight.maxage
- 10
-
-
-
- CorsFilter
- /*
-
-
-
- NB api
- /*
- POST
- GET
- PUT
- PATCH
- DELETE
- HEAD
-
-
- System-Admin
- Network-Admin
- Network-Operator
- Container-User
-
+
+ NB api
+ /*
+
+
+ System-Admin
+ Network-Admin
+ Network-Operator
+ Container-User
+
diff --git a/opendaylight/northbound/networkconfiguration/bridgedomain/pom.xml b/opendaylight/northbound/networkconfiguration/bridgedomain/pom.xml
index 8cb1320043..cba14fdc78 100644
--- a/opendaylight/northbound/networkconfiguration/bridgedomain/pom.xml
+++ b/opendaylight/northbound/networkconfiguration/bridgedomain/pom.xml
@@ -52,7 +52,6 @@
javax.ws.rs.core,
javax.xml.bind.annotation,
javax.xml.bind,
- org.apache.catalina.filters,
!org.codehaus.enunciate.jaxrs
@@ -105,10 +104,5 @@
com.sun.jersey.jersey-servlet
1.17-SNAPSHOT
-
- org.opendaylight.controller.thirdparty
- org.apache.catalina.filters.CorsFilter
- 7.0.42-SNAPSHOT
-
diff --git a/opendaylight/northbound/networkconfiguration/bridgedomain/src/main/resources/WEB-INF/web.xml b/opendaylight/northbound/networkconfiguration/bridgedomain/src/main/resources/WEB-INF/web.xml
index f4de222acc..b7f35c3f96 100644
--- a/opendaylight/northbound/networkconfiguration/bridgedomain/src/main/resources/WEB-INF/web.xml
+++ b/opendaylight/northbound/networkconfiguration/bridgedomain/src/main/resources/WEB-INF/web.xml
@@ -17,56 +17,17 @@
/*
-
- CorsFilter
- org.apache.catalina.filters.CorsFilter
-
- cors.allowed.origins
- *
-
-
- cors.allowed.methods
- GET,POST,HEAD,OPTIONS,PUT
-
-
- cors.allowed.headers
- Content-Type,X-Requested-With,accept,authorization, origin,Origin,Access-Control-Request-Method,Access-Control-Request-Headers
-
-
- cors.exposed.headers
- Access-Control-Allow-Origin,Access-Control-Allow-Credentials
-
-
- cors.support.credentials
- true
-
-
- cors.preflight.maxage
- 10
-
-
-
- CorsFilter
- /*
-
-
-
- NB api
- /*
- POST
- GET
- PUT
- PATCH
- DELETE
- HEAD
-
-
- System-Admin
- Network-Admin
- Network-Operator
- Container-User
-
+
+ BridgeDomain Configuration NorthBound API
+ /*
+
+
+ System-Admin
+ Network-Admin
+ Network-Operator
+ Container-User
+
diff --git a/opendaylight/northbound/staticrouting/pom.xml b/opendaylight/northbound/staticrouting/pom.xml
index fa9341f681..bb88465907 100644
--- a/opendaylight/northbound/staticrouting/pom.xml
+++ b/opendaylight/northbound/staticrouting/pom.xml
@@ -50,7 +50,6 @@
javax.ws.rs.core,
javax.xml.bind.annotation,
javax.xml.bind,
- org.apache.catalina.filters,
!org.codehaus.enunciate.jaxrs
@@ -93,10 +92,5 @@
com.sun.jersey.jersey-servlet
1.17-SNAPSHOT
-
- org.opendaylight.controller.thirdparty
- org.apache.catalina.filters.CorsFilter
- 7.0.42-SNAPSHOT
-
diff --git a/opendaylight/northbound/staticrouting/src/main/resources/WEB-INF/web.xml b/opendaylight/northbound/staticrouting/src/main/resources/WEB-INF/web.xml
index 0bf186b50e..4a040c1a1f 100644
--- a/opendaylight/northbound/staticrouting/src/main/resources/WEB-INF/web.xml
+++ b/opendaylight/northbound/staticrouting/src/main/resources/WEB-INF/web.xml
@@ -13,60 +13,21 @@
- JAXRSStaticRouting
- /*
+ JAXRSStaticRouting
+ /*
-
- CorsFilter
- org.apache.catalina.filters.CorsFilter
-
- cors.allowed.origins
- *
-
-
- cors.allowed.methods
- GET,POST,HEAD,OPTIONS,PUT
-
-
- cors.allowed.headers
- Content-Type,X-Requested-With,accept,authorization, origin,Origin,Access-Control-Request-Method,Access-Control-Request-Headers
-
-
- cors.exposed.headers
- Access-Control-Allow-Origin,Access-Control-Allow-Credentials
-
-
- cors.support.credentials
- true
-
-
- cors.preflight.maxage
- 10
-
-
-
- CorsFilter
- /*
-
-
-
- NB api
- /*
- POST
- GET
- PUT
- PATCH
- DELETE
- HEAD
-
-
- System-Admin
- Network-Admin
- Network-Operator
- Container-User
-
+
+ NB api
+ /*
+
+
+ System-Admin
+ Network-Admin
+ Network-Operator
+ Container-User
+
diff --git a/opendaylight/northbound/statistics/pom.xml b/opendaylight/northbound/statistics/pom.xml
index db4c4a9413..cad50e2998 100644
--- a/opendaylight/northbound/statistics/pom.xml
+++ b/opendaylight/northbound/statistics/pom.xml
@@ -58,7 +58,6 @@
javax.xml.bind.annotation,
javax.xml.bind,
org.slf4j,
- org.apache.catalina.filters,
!org.codehaus.enunciate.jaxrs
@@ -101,10 +100,5 @@
enunciate-core-annotations
${enunciate.version}
-
- org.opendaylight.controller.thirdparty
- org.apache.catalina.filters.CorsFilter
- 7.0.42-SNAPSHOT
-
diff --git a/opendaylight/northbound/statistics/src/main/resources/WEB-INF/web.xml b/opendaylight/northbound/statistics/src/main/resources/WEB-INF/web.xml
index db0460ba56..f152aa75a2 100644
--- a/opendaylight/northbound/statistics/src/main/resources/WEB-INF/web.xml
+++ b/opendaylight/northbound/statistics/src/main/resources/WEB-INF/web.xml
@@ -17,56 +17,17 @@
/*
-
- CorsFilter
- org.apache.catalina.filters.CorsFilter
-
- cors.allowed.origins
- *
-
-
- cors.allowed.methods
- GET,POST,HEAD,OPTIONS,PUT
-
-
- cors.allowed.headers
- Content-Type,X-Requested-With,accept,authorization, origin,Origin,Access-Control-Request-Method,Access-Control-Request-Headers
-
-
- cors.exposed.headers
- Access-Control-Allow-Origin,Access-Control-Allow-Credentials
-
-
- cors.support.credentials
- true
-
-
- cors.preflight.maxage
- 10
-
-
-
- CorsFilter
- /*
-
-
-
- NB api
- /*
- POST
- GET
- PUT
- PATCH
- DELETE
- HEAD
-
-
- System-Admin
- Network-Admin
- Network-Operator
- Container-User
-
+
+ NB api
+ /*
+
+
+ System-Admin
+ Network-Admin
+ Network-Operator
+ Container-User
+
diff --git a/opendaylight/northbound/subnets/pom.xml b/opendaylight/northbound/subnets/pom.xml
index 43b8f9ebb0..a3931beadd 100644
--- a/opendaylight/northbound/subnets/pom.xml
+++ b/opendaylight/northbound/subnets/pom.xml
@@ -65,7 +65,6 @@
javax.xml.bind,
javax.xml.bind.annotation,
org.slf4j,
- org.apache.catalina.filters,
!org.codehaus.enunciate.jaxrs
@@ -108,10 +107,5 @@
enunciate-core-annotations
${enunciate.version}
-
- org.opendaylight.controller.thirdparty
- org.apache.catalina.filters.CorsFilter
- 7.0.42-SNAPSHOT
-
diff --git a/opendaylight/northbound/subnets/src/main/resources/WEB-INF/web.xml b/opendaylight/northbound/subnets/src/main/resources/WEB-INF/web.xml
index a5c70ee9d8..f7eccef666 100644
--- a/opendaylight/northbound/subnets/src/main/resources/WEB-INF/web.xml
+++ b/opendaylight/northbound/subnets/src/main/resources/WEB-INF/web.xml
@@ -16,56 +16,17 @@
JAXRSSubnets
/*
-
- CorsFilter
- org.apache.catalina.filters.CorsFilter
-
- cors.allowed.origins
- *
-
-
- cors.allowed.methods
- GET,POST,HEAD,OPTIONS,PUT
-
-
- cors.allowed.headers
- Content-Type,X-Requested-With,accept,authorization, origin,Origin,Access-Control-Request-Method,Access-Control-Request-Headers
-
-
- cors.exposed.headers
- Access-Control-Allow-Origin,Access-Control-Allow-Credentials
-
-
- cors.support.credentials
- true
-
-
- cors.preflight.maxage
- 10
-
-
-
- CorsFilter
- /*
-
-
-
- NB api
- /*
- POST
- GET
- PUT
- PATCH
- DELETE
- HEAD
-
-
- System-Admin
- Network-Admin
- Network-Operator
- Container-User
-
+
+ NB api
+ /*
+
+
+ System-Admin
+ Network-Admin
+ Network-Operator
+ Container-User
+
diff --git a/opendaylight/northbound/switchmanager/pom.xml b/opendaylight/northbound/switchmanager/pom.xml
index dd7ff9a75b..556c964055 100644
--- a/opendaylight/northbound/switchmanager/pom.xml
+++ b/opendaylight/northbound/switchmanager/pom.xml
@@ -51,7 +51,6 @@
javax.xml.bind.annotation,
javax.xml.bind,
org.slf4j,
- org.apache.catalina.filters,
!org.codehaus.enunciate.jaxrs
/controller/nb/v2/switch
@@ -103,10 +102,6 @@
enunciate-core-annotations
${enunciate.version}
-
- org.opendaylight.controller.thirdparty
- org.apache.catalina.filters.CorsFilter
- 7.0.42-SNAPSHOT
-
+
diff --git a/opendaylight/northbound/switchmanager/src/main/resources/WEB-INF/web.xml b/opendaylight/northbound/switchmanager/src/main/resources/WEB-INF/web.xml
index ea6fcc99b2..188b21b24d 100644
--- a/opendaylight/northbound/switchmanager/src/main/resources/WEB-INF/web.xml
+++ b/opendaylight/northbound/switchmanager/src/main/resources/WEB-INF/web.xml
@@ -17,56 +17,17 @@
/*
-
- CorsFilter
- org.apache.catalina.filters.CorsFilter
-
- cors.allowed.origins
- *
-
-
- cors.allowed.methods
- GET,POST,HEAD,OPTIONS,PUT
-
-
- cors.allowed.headers
- Content-Type,X-Requested-With,accept,authorization, origin,Origin,Access-Control-Request-Method,Access-Control-Request-Headers
-
-
- cors.exposed.headers
- Access-Control-Allow-Origin,Access-Control-Allow-Credentials
-
-
- cors.support.credentials
- true
-
-
- cors.preflight.maxage
- 10
-
-
-
- CorsFilter
- /*
-
-
-
- NB api
- /*
- POST
- GET
- PUT
- PATCH
- DELETE
- HEAD
-
-
- System-Admin
- Network-Admin
- Network-Operator
- Container-User
-
+
+ NB api
+ /*
+
+
+ System-Admin
+ Network-Admin
+ Network-Operator
+ Container-User
+
diff --git a/opendaylight/northbound/topology/pom.xml b/opendaylight/northbound/topology/pom.xml
index 007bdbebdc..726f7975f0 100644
--- a/opendaylight/northbound/topology/pom.xml
+++ b/opendaylight/northbound/topology/pom.xml
@@ -54,7 +54,6 @@
javax.xml.bind,
javax.xml.bind.annotation,
org.slf4j,
- org.apache.catalina.filters,
!org.codehaus.enunciate.jaxrs
/controller/nb/v2/topology
@@ -95,10 +94,5 @@
com.sun.jersey.jersey-servlet
1.17-SNAPSHOT
-
- org.opendaylight.controller.thirdparty
- org.apache.catalina.filters.CorsFilter
- 7.0.42-SNAPSHOT
-
diff --git a/opendaylight/northbound/topology/src/main/resources/WEB-INF/web.xml b/opendaylight/northbound/topology/src/main/resources/WEB-INF/web.xml
index bc818c8c6d..a46e433054 100644
--- a/opendaylight/northbound/topology/src/main/resources/WEB-INF/web.xml
+++ b/opendaylight/northbound/topology/src/main/resources/WEB-INF/web.xml
@@ -17,56 +17,17 @@
/*
-
- CorsFilter
- org.apache.catalina.filters.CorsFilter
-
- cors.allowed.origins
- *
-
-
- cors.allowed.methods
- GET,POST,HEAD,OPTIONS,PUT
-
-
- cors.allowed.headers
- Content-Type,X-Requested-With,accept,authorization, origin,Origin,Access-Control-Request-Method,Access-Control-Request-Headers
-
-
- cors.exposed.headers
- Access-Control-Allow-Origin,Access-Control-Allow-Credentials
-
-
- cors.support.credentials
- true
-
-
- cors.preflight.maxage
- 10
-
-
-
- CorsFilter
- /*
-
-
-
- NB api
- /*
- POST
- GET
- PUT
- PATCH
- DELETE
- HEAD
-
-
- System-Admin
- Network-Admin
- Network-Operator
- Container-User
-
+
+ NB api
+ /*
+
+
+ System-Admin
+ Network-Admin
+ Network-Operator
+ Container-User
+
diff --git a/opendaylight/samples/northbound/loadbalancer/pom.xml b/opendaylight/samples/northbound/loadbalancer/pom.xml
index ed078a0551..dc23940d55 100644
--- a/opendaylight/samples/northbound/loadbalancer/pom.xml
+++ b/opendaylight/samples/northbound/loadbalancer/pom.xml
@@ -51,7 +51,6 @@
javax.xml.bind.annotation,
javax.xml.bind,
org.slf4j,
- org.apache.catalina.filters,
!org.codehaus.enunciate.jaxrs
/one/nb/v2/lb
@@ -97,10 +96,5 @@
enunciate-core-annotations
${enunciate.version}
-
- org.opendaylight.controller.thirdparty
- org.apache.catalina.filters.CorsFilter
- 7.0.42-SNAPSHOT
-
diff --git a/opendaylight/samples/northbound/loadbalancer/src/main/resources/WEB-INF/web.xml b/opendaylight/samples/northbound/loadbalancer/src/main/resources/WEB-INF/web.xml
index 0e8f8c1b56..aac4647de6 100644
--- a/opendaylight/samples/northbound/loadbalancer/src/main/resources/WEB-INF/web.xml
+++ b/opendaylight/samples/northbound/loadbalancer/src/main/resources/WEB-INF/web.xml
@@ -17,56 +17,17 @@
/*
-
- CorsFilter
- org.apache.catalina.filters.CorsFilter
-
- cors.allowed.origins
- *
-
-
- cors.allowed.methods
- GET,POST,HEAD,OPTIONS,PUT
-
-
- cors.allowed.headers
- Content-Type,X-Requested-With,accept,authorization, origin,Origin,Access-Control-Request-Method,Access-Control-Request-Headers
-
-
- cors.exposed.headers
- Access-Control-Allow-Origin,Access-Control-Allow-Credentials
-
-
- cors.support.credentials
- true
-
-
- cors.preflight.maxage
- 10
-
-
-
- CorsFilter
- /*
-
-
-
- NB api
- /*
- POST
- GET
- PUT
- PATCH
- DELETE
- HEAD
-
-
- System-Admin
- Network-Admin
- Network-Operator
- Container-User
-
+
+ NB api
+ /*
+
+
+ System-Admin
+ Network-Admin
+ Network-Operator
+ Container-User
+
diff --git a/opendaylight/web/root/pom.xml b/opendaylight/web/root/pom.xml
index 809751d443..ed899c5b5c 100644
--- a/opendaylight/web/root/pom.xml
+++ b/opendaylight/web/root/pom.xml
@@ -73,8 +73,7 @@
org.springframework.web.servlet.view.json,
org.springframework.web.filter,
org.springframework.web.context,
- org.springframework.util,
- org.apache.catalina.filters
+ org.springframework.util
org.opendaylight.controller.web
@@ -149,10 +148,5 @@
3.2.1.RELEASE
provided
-
- org.opendaylight.controller.thirdparty
- org.apache.catalina.filters.CorsFilter
- 7.0.42-SNAPSHOT
-
diff --git a/opendaylight/web/root/src/main/resources/WEB-INF/web.xml b/opendaylight/web/root/src/main/resources/WEB-INF/web.xml
index 0c5cb3ac27..557b9c74f5 100644
--- a/opendaylight/web/root/src/main/resources/WEB-INF/web.xml
+++ b/opendaylight/web/root/src/main/resources/WEB-INF/web.xml
@@ -6,66 +6,28 @@
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
-
- CorsFilter
- org.apache.catalina.filters.CorsFilter
-
- cors.allowed.origins
- *
-
-
- cors.allowed.methods
- GET,POST,HEAD,OPTIONS,PUT
-
-
- cors.allowed.headers
- Content-Type,X-Requested-With,accept,authorization, origin,Origin,Access-Control-Request-Method,Access-Control-Request-Headers
-
-
- cors.exposed.headers
- Access-Control-Allow-Origin,Access-Control-Allow-Credentials
-
-
- cors.support.credentials
- true
-
-
- cors.preflight.maxage
- 10
-
-
-
- CorsFilter
- /*
-
-
-
- free access
- /js/*
- /images/*
- /css/*
- /favicon.ico
-
+
+ free access
+ /js/*
+ /images/*
+ /css/*
+ /favicon.ico
+
- RootApp
-
- RootGUI
- /*
- POST
- GET
- PUT
- DELETE
- HEAD
-
-
- System-Admin
- Network-Admin
- Network-Operator
- Container-User
-
+ RootApp
+
+ RootGUI
+ /*
+
+
+ System-Admin
+ Network-Admin
+ Network-Operator
+ Container-User
+
diff --git a/third-party/org.apache.catalina.filters.CorsFilter/README b/third-party/org.apache.catalina.filters.CorsFilter/README
deleted file mode 100644
index e2d22abe1a..0000000000
--- a/third-party/org.apache.catalina.filters.CorsFilter/README
+++ /dev/null
@@ -1,12 +0,0 @@
-See: http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
-And: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
-This is done to allow a web page using javascript to be able to make calls
-to our REST APIs even though it does not originate in our domain.
-
-This bundle just rolls up org.apache.catalina.filters.CorsFilter and adds it as a
-fragment to the org.apache.catalina bundle.
-
-The reason this is necessary is because the CorsFilter class was originally added
-at Tomcat 7.0.42, and we are using 7.0.32. As the CorsFilter class is a simple one,
-with very few dependencies, this seemed the best way to bring it in.
-
diff --git a/third-party/org.apache.catalina.filters.CorsFilter/pom.xml b/third-party/org.apache.catalina.filters.CorsFilter/pom.xml
deleted file mode 100644
index 0789d50443..0000000000
--- a/third-party/org.apache.catalina.filters.CorsFilter/pom.xml
+++ /dev/null
@@ -1,64 +0,0 @@
-
-
-
-
- org.opendaylight.controller
- commons.thirdparty
- 1.1.0-SNAPSHOT
- ../commons/thirdparty
-
- 4.0.0
- org.opendaylight.controller.thirdparty
- org.apache.catalina.filters.CorsFilter
- 7.0.42-SNAPSHOT
- bundle
-
-
-
- org.apache.felix
- maven-bundle-plugin
- 2.3.6
- true
-
-
-
- org.apache.catalina
-
-
- javax.servlet,
- javax.servlet.http,
- org.apache.catalina.filters,
- org.apache.juli.logging,
- org.apache.tomcat.util.res,
- org.apache.catalina.comet,
- org.apache.tomcat.util
-
-
- ${project.basedir}/META-INF
-
-
-
-
-
-
- equinoxSDK381
- javax.servlet
- 3.0.0.v201112011016
-
-
- orbit
- org.apache.juli.extras
- 7.0.32.v201211081135
-
-
- orbit
- org.apache.tomcat.util
- 7.0.32.v201211201952
-
-
- orbit
- org.apache.catalina
- 7.0.32.v201211201336
-
-
-
diff --git a/third-party/org.apache.catalina.filters.CorsFilter/src/main/java/org/apache/catalina/filters/CorsFilter.java b/third-party/org.apache.catalina.filters.CorsFilter/src/main/java/org/apache/catalina/filters/CorsFilter.java
deleted file mode 100644
index 8069c9939c..0000000000
--- a/third-party/org.apache.catalina.filters.CorsFilter/src/main/java/org/apache/catalina/filters/CorsFilter.java
+++ /dev/null
@@ -1,1166 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.catalina.filters;
-
-import java.io.IOException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Set;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.catalina.filters.Constants;
-import org.apache.juli.logging.Log;
-import org.apache.juli.logging.LogFactory;
-import org.apache.tomcat.util.res.StringManager;
-
-/**
- *
- * A {@link Filter} that enable client-side cross-origin requests by
- * implementing W3C's CORS (Cross-Origin Resource
- * Sharing) specification for resources. Each {@link HttpServletRequest}
- * request is inspected as per specification, and appropriate response headers
- * are added to {@link HttpServletResponse}.
- *
- *
- *
- * By default, it also sets following request attributes, that help to
- * determine the nature of the request downstream.
- *
- * - cors.isCorsRequest: Flag to determine if the request is a CORS
- * request. Set to
true
if a CORS request; false
- * otherwise.
- * - cors.request.origin: The Origin URL, i.e. the URL of the page from
- * where the request is originated.
- * -
- * cors.request.type: Type of request. Possible values:
- *
- * - SIMPLE: A request which is not preceded by a pre-flight request.
- * - ACTUAL: A request which is preceded by a pre-flight request.
- * - PRE_FLIGHT: A pre-flight request.
- * - NOT_CORS: A normal same-origin request.
- * - INVALID_CORS: A cross-origin request which is invalid.
- *
- *
- * - cors.request.headers: Request headers sent as
- * 'Access-Control-Request-Headers' header, for pre-flight request.
- *
- *
- *
- * @see CORS specification
- *
- */
-public final class CorsFilter implements Filter {
-
- private static final Log log = LogFactory.getLog(CorsFilter.class);
-
- private static final StringManager sm =
- StringManager.getManager(Constants.Package);
-
-
- /**
- * A {@link Collection} of origins consisting of zero or more origins that
- * are allowed access to the resource.
- */
- private final Collection allowedOrigins;
-
- /**
- * Determines if any origin is allowed to make request.
- */
- private boolean anyOriginAllowed;
-
- /**
- * A {@link Collection} of methods consisting of zero or more methods that
- * are supported by the resource.
- */
- private final Collection allowedHttpMethods;
-
- /**
- * A {@link Collection} of headers consisting of zero or more header field
- * names that are supported by the resource.
- */
- private final Collection allowedHttpHeaders;
-
- /**
- * A {@link Collection} of exposed headers consisting of zero or more header
- * field names of headers other than the simple response headers that the
- * resource might use and can be exposed.
- */
- private final Collection exposedHeaders;
-
- /**
- * A supports credentials flag that indicates whether the resource supports
- * user credentials in the request. It is true when the resource does and
- * false otherwise.
- */
- private boolean supportsCredentials;
-
- /**
- * Indicates (in seconds) how long the results of a pre-flight request can
- * be cached in a pre-flight result cache.
- */
- private long preflightMaxAge;
-
- /**
- * Determines if the request should be decorated or not.
- */
- private boolean decorateRequest;
-
-
- public CorsFilter() {
- this.allowedOrigins = new HashSet();
- this.allowedHttpMethods = new HashSet();
- this.allowedHttpHeaders = new HashSet();
- this.exposedHeaders = new HashSet();
- }
-
-
- @Override
- public void doFilter(final ServletRequest servletRequest,
- final ServletResponse servletResponse, final FilterChain filterChain)
- throws IOException, ServletException {
- if (!(servletRequest instanceof HttpServletRequest) ||
- !(servletResponse instanceof HttpServletResponse)) {
- throw new ServletException(sm.getString("corsFilter.onlyHttp"));
- }
-
- // Safe to downcast at this point.
- HttpServletRequest request = (HttpServletRequest) servletRequest;
- HttpServletResponse response = (HttpServletResponse) servletResponse;
-
- // Determines the CORS request type.
- CorsFilter.CORSRequestType requestType = checkRequestType(request);
-
- // Adds CORS specific attributes to request.
- if (decorateRequest) {
- CorsFilter.decorateCORSProperties(request, requestType);
- }
- switch (requestType) {
- case SIMPLE:
- // Handles a Simple CORS request.
- this.handleSimpleCORS(request, response, filterChain);
- break;
- case ACTUAL:
- // Handles an Actual CORS request.
- this.handleSimpleCORS(request, response, filterChain);
- break;
- case PRE_FLIGHT:
- // Handles a Pre-flight CORS request.
- this.handlePreflightCORS(request, response, filterChain);
- break;
- case NOT_CORS:
- // Handles a Normal request that is not a cross-origin request.
- this.handleNonCORS(request, response, filterChain);
- break;
- default:
- // Handles a CORS request that violates specification.
- this.handleInvalidCORS(request, response, filterChain);
- break;
- }
- }
-
-
- @Override
- public void init(final FilterConfig filterConfig) throws ServletException {
- // Initialize defaults
- parseAndStore(DEFAULT_ALLOWED_ORIGINS, DEFAULT_ALLOWED_HTTP_METHODS,
- DEFAULT_ALLOWED_HTTP_HEADERS, DEFAULT_EXPOSED_HEADERS,
- DEFAULT_SUPPORTS_CREDENTIALS, DEFAULT_PREFLIGHT_MAXAGE,
- DEFAULT_DECORATE_REQUEST);
-
- if (filterConfig != null) {
- String configAllowedOrigins = filterConfig
- .getInitParameter(PARAM_CORS_ALLOWED_ORIGINS);
- String configAllowedHttpMethods = filterConfig
- .getInitParameter(PARAM_CORS_ALLOWED_METHODS);
- String configAllowedHttpHeaders = filterConfig
- .getInitParameter(PARAM_CORS_ALLOWED_HEADERS);
- String configExposedHeaders = filterConfig
- .getInitParameter(PARAM_CORS_EXPOSED_HEADERS);
- String configSupportsCredentials = filterConfig
- .getInitParameter(PARAM_CORS_SUPPORT_CREDENTIALS);
- String configPreflightMaxAge = filterConfig
- .getInitParameter(PARAM_CORS_PREFLIGHT_MAXAGE);
- String configDecorateRequest = filterConfig
- .getInitParameter(PARAM_CORS_REQUEST_DECORATE);
-
- parseAndStore(configAllowedOrigins, configAllowedHttpMethods,
- configAllowedHttpHeaders, configExposedHeaders,
- configSupportsCredentials, configPreflightMaxAge,
- configDecorateRequest);
- }
- }
-
-
- /**
- * Handles a CORS request of type {@link CORSRequestType}.SIMPLE.
- *
- * @param request
- * The {@link HttpServletRequest} object.
- * @param response
- * The {@link HttpServletResponse} object.
- * @param filterChain
- * The {@link FilterChain} object.
- * @throws IOException
- * @throws ServletException
- * @see Simple
- * Cross-Origin Request, Actual Request, and Redirects
- */
- protected void handleSimpleCORS(final HttpServletRequest request,
- final HttpServletResponse response, final FilterChain filterChain)
- throws IOException, ServletException {
-
- CorsFilter.CORSRequestType requestType = checkRequestType(request);
- if (!(requestType == CorsFilter.CORSRequestType.SIMPLE ||
- requestType == CorsFilter.CORSRequestType.ACTUAL)) {
- throw new IllegalArgumentException(
- sm.getString("corsFilter.wrongType2",
- CorsFilter.CORSRequestType.SIMPLE,
- CorsFilter.CORSRequestType.ACTUAL));
- }
-
- final String origin = request
- .getHeader(CorsFilter.REQUEST_HEADER_ORIGIN);
- final String method = request.getMethod();
-
- // Section 6.1.2
- if (!isOriginAllowed(origin)) {
- handleInvalidCORS(request, response, filterChain);
- return;
- }
-
- if (!allowedHttpMethods.contains(method)) {
- handleInvalidCORS(request, response, filterChain);
- return;
- }
-
- // Section 6.1.3
- // Add a single Access-Control-Allow-Origin header.
- if (anyOriginAllowed && !supportsCredentials) {
- // If resource doesn't support credentials and if any origin is
- // allowed
- // to make CORS request, return header with '*'.
- response.addHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
- "*");
- } else {
- // If the resource supports credentials add a single
- // Access-Control-Allow-Origin header, with the value of the Origin
- // header as value.
- response.addHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
- origin);
- }
-
- // Section 6.1.3
- // If the resource supports credentials, add a single
- // Access-Control-Allow-Credentials header with the case-sensitive
- // string "true" as value.
- if (supportsCredentials) {
- response.addHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS,
- "true");
- }
-
- // Section 6.1.4
- // If the list of exposed headers is not empty add one or more
- // Access-Control-Expose-Headers headers, with as values the header
- // field names given in the list of exposed headers.
- if ((exposedHeaders != null) && (exposedHeaders.size() > 0)) {
- String exposedHeadersString = join(exposedHeaders, ",");
- response.addHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS,
- exposedHeadersString);
- }
-
- // Forward the request down the filter chain.
- filterChain.doFilter(request, response);
- }
-
-
- /**
- * Handles CORS pre-flight request.
- *
- * @param request
- * The {@link HttpServletRequest} object.
- * @param response
- * The {@link HttpServletResponse} object.
- * @param filterChain
- * The {@link FilterChain} object.
- * @throws IOException
- * @throws ServletException
- */
- protected void handlePreflightCORS(final HttpServletRequest request,
- final HttpServletResponse response, final FilterChain filterChain)
- throws IOException, ServletException {
-
- CORSRequestType requestType = checkRequestType(request);
- if (requestType != CORSRequestType.PRE_FLIGHT) {
- throw new IllegalArgumentException(
- sm.getString("corsFilter.wrongType1",
- CORSRequestType.PRE_FLIGHT.name().toLowerCase()));
- }
-
- final String origin = request
- .getHeader(CorsFilter.REQUEST_HEADER_ORIGIN);
-
- // Section 6.2.2
- if (!isOriginAllowed(origin)) {
- handleInvalidCORS(request, response, filterChain);
- return;
- }
-
- // Section 6.2.3
- String accessControlRequestMethod = request.getHeader(
- CorsFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD);
- if (accessControlRequestMethod == null ||
- !HTTP_METHODS.contains(accessControlRequestMethod.trim())) {
- handleInvalidCORS(request, response, filterChain);
- return;
- } else {
- accessControlRequestMethod = accessControlRequestMethod.trim();
- }
-
- // Section 6.2.4
- String accessControlRequestHeadersHeader = request.getHeader(
- CorsFilter.REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS);
- List accessControlRequestHeaders = new LinkedList();
- if (accessControlRequestHeadersHeader != null &&
- !accessControlRequestHeadersHeader.trim().isEmpty()) {
- String[] headers = accessControlRequestHeadersHeader.trim().split(
- ",");
- for (String header : headers) {
- accessControlRequestHeaders.add(header.trim().toLowerCase());
- }
- }
-
- // Section 6.2.5
- if (!allowedHttpMethods.contains(accessControlRequestMethod)) {
- handleInvalidCORS(request, response, filterChain);
- return;
- }
-
- // Section 6.2.6
- if (!accessControlRequestHeaders.isEmpty()) {
- for (String header : accessControlRequestHeaders) {
- if (!allowedHttpHeaders.contains(header)) {
- handleInvalidCORS(request, response, filterChain);
- return;
- }
- }
- }
-
- // Section 6.2.7
- if (supportsCredentials) {
- response.addHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
- origin);
- response.addHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS,
- "true");
- } else {
- if (anyOriginAllowed) {
- response.addHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
- "*");
- } else {
- response.addHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
- origin);
- }
- }
-
- // Section 6.2.8
- if (preflightMaxAge > 0) {
- response.addHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE,
- String.valueOf(preflightMaxAge));
- }
-
- // Section 6.2.9
- response.addHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS,
- accessControlRequestMethod);
-
- // Section 6.2.10
- if ((allowedHttpHeaders != null) && (!allowedHttpHeaders.isEmpty())) {
- response.addHeader(
- CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS,
- join(allowedHttpHeaders, ","));
- }
-
- // Do not forward the request down the filter chain.
- }
-
-
- /**
- * Handles a request, that's not a CORS request, but is a valid request i.e.
- * it is not a cross-origin request. This implementation, just forwards the
- * request down the filter chain.
- *
- * @param request
- * The {@link HttpServletRequest} object.
- * @param response
- * The {@link HttpServletResponse} object.
- * @param filterChain
- * The {@link FilterChain} object.
- * @throws IOException
- * @throws ServletException
- */
- private void handleNonCORS(final HttpServletRequest request,
- final HttpServletResponse response, final FilterChain filterChain)
- throws IOException, ServletException {
- // Let request pass.
- filterChain.doFilter(request, response);
- }
-
-
- /**
- * Handles a CORS request that violates specification.
- *
- * @param request
- * The {@link HttpServletRequest} object.
- * @param response
- * The {@link HttpServletResponse} object.
- * @param filterChain
- * The {@link FilterChain} object.
- */
- private void handleInvalidCORS(final HttpServletRequest request,
- final HttpServletResponse response, final FilterChain filterChain) {
- String origin = request.getHeader(CorsFilter.REQUEST_HEADER_ORIGIN);
- String method = request.getMethod();
- String accessControlRequestHeaders = request.getHeader(
- REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS);
-
- response.setContentType("text/plain");
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- response.resetBuffer();
-
- if (log.isDebugEnabled()) {
- // Debug so no need for i18n
- StringBuilder message =
- new StringBuilder("Invalid CORS request; Origin=");
- message.append(origin);
- message.append(";Method=");
- message.append(method);
- if (accessControlRequestHeaders != null) {
- message.append(";Access-Control-Request-Headers=");
- message.append(accessControlRequestHeaders);
- }
- log.debug(message.toString());
- }
- }
-
-
- @Override
- public void destroy() {
- // NOOP
- }
-
-
- /**
- * Decorates the {@link HttpServletRequest}, with CORS attributes.
- *
- * - cors.isCorsRequest: Flag to determine if request is a CORS
- * request. Set to
true
if CORS request; false
- * otherwise.
- * - cors.request.origin: The Origin URL.
- * - cors.request.type: Type of request. Values:
- *
simple
or preflight
or not_cors
or
- * invalid_cors
- * - cors.request.headers: Request headers sent as
- * 'Access-Control-Request-Headers' header, for pre-flight request.
- *
- *
- * @param request
- * The {@link HttpServletRequest} object.
- * @param corsRequestType
- * The {@link CORSRequestType} object.
- */
- protected static void decorateCORSProperties(
- final HttpServletRequest request,
- final CORSRequestType corsRequestType) {
- if (request == null) {
- throw new IllegalArgumentException(
- sm.getString("corsFilter.nullRequest"));
- }
-
- if (corsRequestType == null) {
- throw new IllegalArgumentException(
- sm.getString("corsFilter.nullRequestType"));
- }
-
- switch (corsRequestType) {
- case SIMPLE:
- request.setAttribute(
- CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST,
- Boolean.TRUE);
- request.setAttribute(CorsFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN,
- request.getHeader(CorsFilter.REQUEST_HEADER_ORIGIN));
- request.setAttribute(
- CorsFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE,
- corsRequestType.name().toLowerCase());
- break;
- case ACTUAL:
- request.setAttribute(
- CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST,
- Boolean.TRUE);
- request.setAttribute(CorsFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN,
- request.getHeader(CorsFilter.REQUEST_HEADER_ORIGIN));
- request.setAttribute(
- CorsFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE,
- corsRequestType.name().toLowerCase());
- break;
- case PRE_FLIGHT:
- request.setAttribute(
- CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST,
- Boolean.TRUE);
- request.setAttribute(CorsFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN,
- request.getHeader(CorsFilter.REQUEST_HEADER_ORIGIN));
- request.setAttribute(
- CorsFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE,
- corsRequestType.name().toLowerCase());
- String headers = request.getHeader(
- REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS);
- if (headers == null) {
- headers = "";
- }
- request.setAttribute(
- CorsFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS, headers);
- break;
- case NOT_CORS:
- request.setAttribute(
- CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST,
- Boolean.FALSE);
- break;
- default:
- // Don't set any attributes
- break;
- }
- }
-
-
- /**
- * Joins elements of {@link Set} into a string, where each element is
- * separated by the provided separator.
- *
- * @param elements
- * The {@link Set} containing elements to join together.
- * @param joinSeparator
- * The character to be used for separating elements.
- * @return The joined {@link String}; null
if elements
- * {@link Set} is null.
- */
- protected static String join(final Collection elements,
- final String joinSeparator) {
- String separator = ",";
- if (elements == null) {
- return null;
- }
- if (joinSeparator != null) {
- separator = joinSeparator;
- }
- StringBuilder buffer = new StringBuilder();
- boolean isFirst = true;
- for (String element : elements) {
- if (!isFirst) {
- buffer.append(separator);
- } else {
- isFirst = false;
- }
-
- if (element != null) {
- buffer.append(element);
- }
- }
-
- return buffer.toString();
- }
-
-
- /**
- * Determines the request type.
- *
- * @param request
- */
- protected CORSRequestType checkRequestType(final HttpServletRequest request) {
- CORSRequestType requestType = CORSRequestType.INVALID_CORS;
- if (request == null) {
- throw new IllegalArgumentException(
- sm.getString("corsFilter.nullRequest"));
- }
- String originHeader = request.getHeader(REQUEST_HEADER_ORIGIN);
- // Section 6.1.1 and Section 6.2.1
- if (originHeader != null) {
- if (originHeader.isEmpty()) {
- requestType = CORSRequestType.INVALID_CORS;
- } else if (!isValidOrigin(originHeader)) {
- requestType = CORSRequestType.INVALID_CORS;
- } else {
- String method = request.getMethod();
- if (method != null && HTTP_METHODS.contains(method)) {
- if ("OPTIONS".equals(method)) {
- String accessControlRequestMethodHeader =
- request.getHeader(
- REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD);
- if (accessControlRequestMethodHeader != null &&
- !accessControlRequestMethodHeader.isEmpty()) {
- requestType = CORSRequestType.PRE_FLIGHT;
- } else if (accessControlRequestMethodHeader != null &&
- accessControlRequestMethodHeader.isEmpty()) {
- requestType = CORSRequestType.INVALID_CORS;
- } else {
- requestType = CORSRequestType.ACTUAL;
- }
- } else if ("GET".equals(method) || "HEAD".equals(method)) {
- requestType = CORSRequestType.SIMPLE;
- } else if ("POST".equals(method)) {
- String contentType = request.getContentType();
- if (contentType != null) {
- contentType = contentType.toLowerCase().trim();
- if (SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
- .contains(contentType)) {
- requestType = CORSRequestType.SIMPLE;
- } else {
- requestType = CORSRequestType.ACTUAL;
- }
- }
- } else if (COMPLEX_HTTP_METHODS.contains(method)) {
- requestType = CORSRequestType.ACTUAL;
- }
- }
- }
- } else {
- requestType = CORSRequestType.NOT_CORS;
- }
-
- return requestType;
- }
-
-
- /**
- * Checks if the Origin is allowed to make a CORS request.
- *
- * @param origin
- * The Origin.
- * @return true
if origin is allowed; false
- * otherwise.
- */
- private boolean isOriginAllowed(final String origin) {
- if (anyOriginAllowed) {
- return true;
- }
-
- // If 'Origin' header is a case-sensitive match of any of allowed
- // origins, then return true, else return false.
- return allowedOrigins.contains(origin);
- }
-
-
- /**
- * Parses each param-value and populates configuration variables. If a param
- * is provided, it overrides the default.
- *
- * @param allowedOrigins
- * A {@link String} of comma separated origins.
- * @param allowedHttpMethods
- * A {@link String} of comma separated HTTP methods.
- * @param allowedHttpHeaders
- * A {@link String} of comma separated HTTP headers.
- * @param exposedHeaders
- * A {@link String} of comma separated headers that needs to be
- * exposed.
- * @param supportsCredentials
- * "true" if support credentials needs to be enabled.
- * @param preflightMaxAge
- * The amount of seconds the user agent is allowed to cache the
- * result of the pre-flight request.
- * @throws ServletException
- */
- private void parseAndStore(final String allowedOrigins,
- final String allowedHttpMethods, final String allowedHttpHeaders,
- final String exposedHeaders, final String supportsCredentials,
- final String preflightMaxAge, final String decorateRequest)
- throws ServletException {
- if (allowedOrigins != null) {
- if (allowedOrigins.trim().equals("*")) {
- this.anyOriginAllowed = true;
- } else {
- this.anyOriginAllowed = false;
- Set setAllowedOrigins =
- parseStringToSet(allowedOrigins);
- this.allowedOrigins.clear();
- this.allowedOrigins.addAll(setAllowedOrigins);
- }
- }
-
- if (allowedHttpMethods != null) {
- Set setAllowedHttpMethods =
- parseStringToSet(allowedHttpMethods);
- this.allowedHttpMethods.clear();
- this.allowedHttpMethods.addAll(setAllowedHttpMethods);
- }
-
- if (allowedHttpHeaders != null) {
- Set setAllowedHttpHeaders =
- parseStringToSet(allowedHttpHeaders);
- Set lowerCaseHeaders = new HashSet();
- for (String header : setAllowedHttpHeaders) {
- String lowerCase = header.toLowerCase();
- lowerCaseHeaders.add(lowerCase);
- }
- this.allowedHttpHeaders.clear();
- this.allowedHttpHeaders.addAll(lowerCaseHeaders);
- }
-
- if (exposedHeaders != null) {
- Set setExposedHeaders = parseStringToSet(exposedHeaders);
- this.exposedHeaders.clear();
- this.exposedHeaders.addAll(setExposedHeaders);
- }
-
- if (supportsCredentials != null) {
- // For any value other then 'true' this will be false.
- this.supportsCredentials = Boolean
- .parseBoolean(supportsCredentials);
- }
-
- if (preflightMaxAge != null) {
- try {
- if (!preflightMaxAge.isEmpty()) {
- this.preflightMaxAge = Long.parseLong(preflightMaxAge);
- } else {
- this.preflightMaxAge = 0L;
- }
- } catch (NumberFormatException e) {
- throw new ServletException(
- sm.getString("corsFilter.invalidPreflightMaxAge"), e);
- }
- }
-
- if (decorateRequest != null) {
- // For any value other then 'true' this will be false.
- this.decorateRequest = Boolean.parseBoolean(decorateRequest);
- }
- }
-
- /**
- * Takes a comma separated list and returns a Set.
- *
- * @param data
- * A comma separated list of strings.
- * @return Set
- */
- private Set parseStringToSet(final String data) {
- String[] splits;
-
- if (data != null && data.length() > 0) {
- splits = data.split(",");
- } else {
- splits = new String[] {};
- }
-
- Set set = new HashSet();
- if (splits.length > 0) {
- for (String split : splits) {
- set.add(split.trim());
- }
- }
-
- return set;
- }
-
-
- /**
- * Checks if a given origin is valid or not. Criteria:
- *
- * - If an encoded character is present in origin, it's not valid.
- * - Origin should be a valid {@link URI}
- *
- *
- * @param origin
- * @see RFC952
- */
- protected static boolean isValidOrigin(String origin) {
- // Checks for encoded characters. Helps prevent CRLF injection.
- if (origin.contains("%")) {
- return false;
- }
-
- URI originURI;
-
- try {
- originURI = new URI(origin);
- } catch (URISyntaxException e) {
- return false;
- }
- // If scheme for URI is null, return false. Return true otherwise.
- return originURI.getScheme() != null;
-
- }
-
-
- /**
- * Determines if any origin is allowed to make CORS request.
- *
- * @return true
if it's enabled; false otherwise.
- */
- public boolean isAnyOriginAllowed() {
- return anyOriginAllowed;
- }
-
-
- /**
- * Returns a {@link Set} of headers that should be exposed by browser.
- */
- public Collection getExposedHeaders() {
- return exposedHeaders;
- }
-
-
- /**
- * Determines is supports credentials is enabled.
- */
- public boolean isSupportsCredentials() {
- return supportsCredentials;
- }
-
-
- /**
- * Returns the preflight response cache time in seconds.
- *
- * @return Time to cache in seconds.
- */
- public long getPreflightMaxAge() {
- return preflightMaxAge;
- }
-
-
- /**
- * Returns the {@link Set} of allowed origins that are allowed to make
- * requests.
- *
- * @return {@link Set}
- */
- public Collection getAllowedOrigins() {
- return allowedOrigins;
- }
-
-
- /**
- * Returns a {@link Set} of HTTP methods that are allowed to make requests.
- *
- * @return {@link Set}
- */
- public Collection getAllowedHttpMethods() {
- return allowedHttpMethods;
- }
-
-
- /**
- * Returns a {@link Set} of headers support by resource.
- *
- * @return {@link Set}
- */
- public Collection getAllowedHttpHeaders() {
- return allowedHttpHeaders;
- }
-
-
- // -------------------------------------------------- CORS Response Headers
- /**
- * The Access-Control-Allow-Origin header indicates whether a resource can
- * be shared based by returning the value of the Origin request header in
- * the response.
- */
- public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN =
- "Access-Control-Allow-Origin";
-
- /**
- * The Access-Control-Allow-Credentials header indicates whether the
- * response to request can be exposed when the omit credentials flag is
- * unset. When part of the response to a preflight request it indicates that
- * the actual request can include user credentials.
- */
- public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS =
- "Access-Control-Allow-Credentials";
-
- /**
- * The Access-Control-Expose-Headers header indicates which headers are safe
- * to expose to the API of a CORS API specification
- */
- public static final String RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS =
- "Access-Control-Expose-Headers";
-
- /**
- * The Access-Control-Max-Age header indicates how long the results of a
- * preflight request can be cached in a preflight result cache.
- */
- public static final String RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE =
- "Access-Control-Max-Age";
-
- /**
- * The Access-Control-Allow-Methods header indicates, as part of the
- * response to a preflight request, which methods can be used during the
- * actual request.
- */
- public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS =
- "Access-Control-Allow-Methods";
-
- /**
- * The Access-Control-Allow-Headers header indicates, as part of the
- * response to a preflight request, which header field names can be used
- * during the actual request.
- */
- public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS =
- "Access-Control-Allow-Headers";
-
- // -------------------------------------------------- CORS Request Headers
- /**
- * The Origin header indicates where the cross-origin request or preflight
- * request originates from.
- */
- public static final String REQUEST_HEADER_ORIGIN = "Origin";
-
- /**
- * The Access-Control-Request-Method header indicates which method will be
- * used in the actual request as part of the preflight request.
- */
- public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD =
- "Access-Control-Request-Method";
-
- /**
- * The Access-Control-Request-Headers header indicates which headers will be
- * used in the actual request as part of the preflight request.
- */
- public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS =
- "Access-Control-Request-Headers";
-
- // ----------------------------------------------------- Request attributes
- /**
- * The prefix to a CORS request attribute.
- */
- public static final String HTTP_REQUEST_ATTRIBUTE_PREFIX = "cors.";
-
- /**
- * Attribute that contains the origin of the request.
- */
- public static final String HTTP_REQUEST_ATTRIBUTE_ORIGIN =
- HTTP_REQUEST_ATTRIBUTE_PREFIX + "request.origin";
-
- /**
- * Boolean value, suggesting if the request is a CORS request or not.
- */
- public static final String HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST =
- HTTP_REQUEST_ATTRIBUTE_PREFIX + "isCorsRequest";
-
- /**
- * Type of CORS request, of type {@link CORSRequestType}.
- */
- public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE =
- HTTP_REQUEST_ATTRIBUTE_PREFIX + "request.type";
-
- /**
- * Request headers sent as 'Access-Control-Request-Headers' header, for
- * pre-flight request.
- */
- public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS =
- HTTP_REQUEST_ATTRIBUTE_PREFIX + "request.headers";
-
- // -------------------------------------------------------------- Constants
- /**
- * Enumerates varies types of CORS requests. Also, provides utility methods
- * to determine the request type.
- */
- protected static enum CORSRequestType {
- /**
- * A simple HTTP request, i.e. it shouldn't be pre-flighted.
- */
- SIMPLE,
- /**
- * A HTTP request that needs to be pre-flighted.
- */
- ACTUAL,
- /**
- * A pre-flight CORS request, to get meta information, before a
- * non-simple HTTP request is sent.
- */
- PRE_FLIGHT,
- /**
- * Not a CORS request, but a normal request.
- */
- NOT_CORS,
- /**
- * An invalid CORS request, i.e. it qualifies to be a CORS request, but
- * fails to be a valid one.
- */
- INVALID_CORS
- }
-
- /**
- * {@link Collection} of HTTP methods. Case sensitive.
- *
- * @see http://tools.ietf.org/html/rfc2616#section-5.1.1
- *
- */
- public static final Collection HTTP_METHODS =
- new HashSet(Arrays.asList("OPTIONS", "GET", "HEAD", "POST",
- "PUT", "DELETE", "TRACE", "CONNECT"));
- /**
- * {@link Collection} of non-simple HTTP methods. Case sensitive.
- */
- public static final Collection COMPLEX_HTTP_METHODS =
- new HashSet(Arrays.asList("PUT", "DELETE", "TRACE",
- "CONNECT"));
- /**
- * {@link Collection} of Simple HTTP methods. Case sensitive.
- *
- * @see http://www.w3.org/TR/cors/#terminology
- */
- public static final Collection SIMPLE_HTTP_METHODS =
- new HashSet(Arrays.asList("GET", "POST", "HEAD"));
-
- /**
- * {@link Collection} of Simple HTTP request headers. Case in-sensitive.
- *
- * @see http://www.w3.org/TR/cors/#terminology
- */
- public static final Collection SIMPLE_HTTP_REQUEST_HEADERS =
- new HashSet(Arrays.asList("Accept", "Accept-Language",
- "Content-Language"));
-
- /**
- * {@link Collection} of Simple HTTP request headers. Case in-sensitive.
- *
- * @see http://www.w3.org/TR/cors/#terminology
- */
- public static final Collection SIMPLE_HTTP_RESPONSE_HEADERS =
- new HashSet(Arrays.asList("Cache-Control",
- "Content-Language", "Content-Type", "Expires",
- "Last-Modified", "Pragma"));
-
- /**
- * {@link Collection} of Simple HTTP request headers. Case in-sensitive.
- *
- * @see http://www.w3.org/TR/cors/#terminology
- */
- public static final Collection SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES =
- new HashSet(Arrays.asList(
- "application/x-www-form-urlencoded",
- "multipart/form-data", "text/plain"));
-
- // ------------------------------------------------ Configuration Defaults
- /**
- * By default, all origins are allowed to make requests.
- */
- public static final String DEFAULT_ALLOWED_ORIGINS = "*";
-
- /**
- * By default, following methods are supported: GET, POST, HEAD and OPTIONS.
- */
- public static final String DEFAULT_ALLOWED_HTTP_METHODS =
- "GET,POST,HEAD,OPTIONS";
-
- /**
- * By default, time duration to cache pre-flight response is 30 mins.
- */
- public static final String DEFAULT_PREFLIGHT_MAXAGE = "1800";
-
- /**
- * By default, support credentials is turned on.
- */
- public static final String DEFAULT_SUPPORTS_CREDENTIALS = "true";
-
- /**
- * By default, following headers are supported:
- * Origin,Accept,X-Requested-With, Content-Type,
- * Access-Control-Request-Method, and Access-Control-Request-Headers.
- */
- public static final String DEFAULT_ALLOWED_HTTP_HEADERS =
- "Origin,Accept,X-Requested-With,Content-Type," +
- "Access-Control-Request-Method,Access-Control-Request-Headers";
-
- /**
- * By default, none of the headers are exposed in response.
- */
- public static final String DEFAULT_EXPOSED_HEADERS = "";
-
- /**
- * By default, request is decorated with CORS attributes.
- */
- public static final String DEFAULT_DECORATE_REQUEST = "true";
-
- // ----------------------------------------Filter Config Init param-name(s)
- /**
- * Key to retrieve allowed origins from {@link FilterConfig}.
- */
- public static final String PARAM_CORS_ALLOWED_ORIGINS =
- "cors.allowed.origins";
-
- /**
- * Key to retrieve support credentials from {@link FilterConfig}.
- */
- public static final String PARAM_CORS_SUPPORT_CREDENTIALS =
- "cors.support.credentials";
-
- /**
- * Key to retrieve exposed headers from {@link FilterConfig}.
- */
- public static final String PARAM_CORS_EXPOSED_HEADERS =
- "cors.exposed.headers";
-
- /**
- * Key to retrieve allowed headers from {@link FilterConfig}.
- */
- public static final String PARAM_CORS_ALLOWED_HEADERS =
- "cors.allowed.headers";
-
- /**
- * Key to retrieve allowed methods from {@link FilterConfig}.
- */
- public static final String PARAM_CORS_ALLOWED_METHODS =
- "cors.allowed.methods";
-
- /**
- * Key to retrieve preflight max age from {@link FilterConfig}.
- */
- public static final String PARAM_CORS_PREFLIGHT_MAXAGE =
- "cors.preflight.maxage";
-
- /**
- * Key to determine if request should be decorated.
- */
- public static final String PARAM_CORS_REQUEST_DECORATE =
- "cors.request.decorate";
-}
--
2.36.6