[ 
https://issues.apache.org/jira/browse/CXF-4615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13491648#comment-13491648
 ] 

Sergey Beryozkin commented on CXF-4615:
---------------------------------------

If an OPTIONS request is not part of the browser doing a CORS preflight, then the 
filter cannot just let OPTIONS pass by, right? It could be an actual OAuth 
client trying to use OPTIONS, and I guess we may have a case of a rogue client 
trying to use OPTIONS, and the fact that JAX-RS is required to return a list of 
supported HTTP verbs in response to OPTIONS; thus, unless it is a local 
preflight, the filter has to block it, unless it is actually issued by a client 
whose access token can be validated.

If no CORS support is required (as in, say, with the authorization code flow), then no 
CORS filter will be needed.

You do not have to use the CORS filter at all if it seems like an extra headache 
:-); simply extend OAuthRequestFilter and override its handleRequest() and let 
the request proceed for OPTIONS. But if this OPTIONS is indeed part of a CORS 
preflight, then using the CORS filter is better because it will take care of 
preparing a proper preflight response, and generally speaking will not 
interfere with the actual OAuth flow.

Does it help?
> OAuthRequestFilter.java should ignore HTTP OPTIONS verb
> -------------------------------------------------------
>
>                 Key: CXF-4615
>                 URL: https://issues.apache.org/jira/browse/CXF-4615
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.6.2, 2.7.0
>            Reporter: Steven Tippetts
>            Priority: Critical
>
> In handleRequest of OAuthRequestFilter.java at line 54 something similar to 
> the following should be added:
> if (((String)m.get(Message.HTTP_REQUEST_METHOD)).equals("OPTIONS")) return null;
> This will skip any HTTP OPTIONS verb requests. I'm getting the OPTIONS verb 
> request when using an OAuth 2 JavaScript client.
> I haven't found a way in the configuration to specify that OPTIONS requests 
> should skip this filter.
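The "extend OAuthRequestFilter and override handleRequest()" approach from the comment above, written out as an added example. This is not CXF project code and not code from the JIRA thread. It assumes the CXF 2.6/2.7 RequestHandler-style signature handleRequest(Message, ClassResourceInfo), where returning null lets the request proceed (as the reporter's snippet relies on), and that request headers are available under Message.PROTOCOL_HEADERS as a Map of header name to list of values. The class name PreflightAwareOAuthRequestFilter and the helpers isCorsPreflight and firstHeader are hypothetical. Rather than waving every OPTIONS through, which would let any client enumerate the supported verbs without a token, it only skips token validation when the request looks like a genuine browser preflight (an Origin header plus Access-Control-Request-Method); every other OPTIONS still goes through the normal access token check.

```java
// Added example, not part of Apache CXF or of the JIRA thread.
// Assumes the CXF 2.6/2.7 signature handleRequest(Message, ClassResourceInfo)
// where a null return means "continue to the resource".
import java.util.List;
import java.util.Map;

import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter;

public class PreflightAwareOAuthRequestFilter extends OAuthRequestFilter {

    @Override
    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
        String method = (String) m.get(Message.HTTP_REQUEST_METHOD);

        // A CORS preflight is sent by the browser without credentials, so there
        // is no access token to validate; let it through so the CORS response
        // (from the CORS filter or the resource) can be produced.
        if ("OPTIONS".equals(method) && isCorsPreflight(m)) {
            return null;
        }

        // Any other request, including a bare OPTIONS from a non-browser client,
        // must still present an access token that the parent filter can validate.
        return super.handleRequest(m, resourceClass);
    }

    // Heuristic for "this OPTIONS is a browser preflight": both headers that the
    // CORS specification requires on a preflight must be present.
    static boolean isCorsPreflight(Message m) {
        String origin = firstHeader(m, "Origin");
        String requestedMethod = firstHeader(m, "Access-Control-Request-Method");
        return origin != null && !origin.isEmpty()
            && requestedMethod != null && !requestedMethod.isEmpty();
    }

    // Case-insensitive header lookup over Message.PROTOCOL_HEADERS (assumed to be
    // a Map<String, List<String>>; the cast is unchecked for that reason).
    @SuppressWarnings("unchecked")
    static String firstHeader(Message m, String name) {
        Object raw = m.get(Message.PROTOCOL_HEADERS);
        if (!(raw instanceof Map)) {
            return null;
        }
        Map<String, List<String>> headers = (Map<String, List<String>>) raw;
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey() != null && e.getKey().equalsIgnoreCase(name)) {
                List<String> values = e.getValue();
                return (values == null || values.isEmpty()) ? null : values.get(0);
            }
        }
        return null;
    }
}
```

Register this subclass in place of OAuthRequestFilter in the JAX-RS server configuration. If the CXF CORS filter is also configured and runs before this one, it will already have answered the preflight and this check simply never triggers; the subclass only matters for the case the comment describes, where you choose not to use the CORS filter at all.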

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira