...
Span | |
---|---|
|
|
...
JAX-RS: |
...
CORS |
Table of Contents |
---|
Introduction
CXF 2.5.1
...
introduces
...
the
...
...
...
for
...
the
...
...
...
...
specification
...
that
...
"defines
...
a
...
mechanism
...
to
...
enable
...
client-side
...
cross-origin
...
requests".
...
This
...
...
...
provides
...
a
...
very
...
good
...
explanation
...
of
...
CORS.
...
Please
...
see
...
the
...
...
for
...
a
...
good
...
introduction
...
to
...
CORS
...
and
...
the
...
way
...
it
...
is
...
supported
...
in
...
CXF
...
JAX-RS.
...
Note
...
that
...
the
...
...
...
uses
...
the
...
JAX-RS
...
selection
...
algorithm
...
to
...
ensure
...
that
...
the
...
JAX-RS
...
resource
...
method
...
capable
...
of
...
handling
...
the
...
request
...
does
...
exist.
...
Maven
...
dependencies
Code Block | ||||
---|---|---|---|---|
| ||||
{code:xml}
<dependency>
<groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-rs-security-cors</artifactId>
<version>2.6.1</version>
</dependency>
|
Examples
Here is the test code showing how CrossOriginResourceSharing annotations can be applied at the resource and individual method levels.
Note that an origin is restricted to "http://area51.mil:31415" by the 'allowOrigins' property, which may contain multiple URI values. A boolean 'allowAllOrigins' property can be used instead (to simplify the testing or when it is deemed it is secure enough within a given environment to allow for all the origins).
Code Block | ||||
---|---|---|---|---|
| ||||
{code} h1. Examples Here is the test code showing how [CrossOriginResourceSharing|http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java] annotations can be applied at the resource and individual method levels: {code:java} @CrossOriginResourceSharing( allowOrigins = { "http://area51.mil:31415" }, allowCredentials = true, maxAge = 1, allowHeaders = { "X-custom-1", "X-custom-2" }, exposeHeaders = { "X-custom-3", "X-custom-4" } ) public class AnnotatedCorsServer { @Context private HttpHeaders headers; @GET @Produces("text/plain") @Path("/simpleGet/{echo}") public String simpleGet(@PathParam("echo") String echo) { return echo; } @POST @Produces("application/json") @Consumes("application/json") @Path("/unannotatedPost") public Response postSomething() { return Response.ok().build(); } @DELETE @Path("/delete") public Response deleteSomething() { return Response.ok().build(); } // This method will do a preflight check itself @OPTIONS @Path("/") @LocalPreflight public Response options() { String origin = headers.getRequestHeader("Origin").get(0); if ("http://area51.mil:3333".equals(origin)) { return Response.ok() .header(CorsHeaderConstants.HEADER_AC_ALLOW_METHODS, "DELETE PUT") .header(CorsHeaderConstants.HEADER_AC_ALLOW_CREDENTIALS, "false") .header(CorsHeaderConstants.HEADER_AC_ALLOW_ORIGIN, "http://area51.mil:3333") .build(); } else { return Response.ok().build(); } } @GET @CrossOriginResourceSharing( allowOrigins = { "http://area51.mil:31415" }, allowCredentials = true, exposeHeaders = { "X-custom-3", "X-custom-4" } ) @Produces("text/plain") @Path("/annotatedGet/{echo}") public String annotatedGet(@PathParam("echo") String echo) { return echo; } /** * A method annotated to test preflight. * * @param input * @return */ @PUT @Consumes("text/plain") @Produces("text/plain") @Path("/annotatedPut") public String annotatedPut(String input) { return input; } } {code} |
The
...
server
...
configuration
...
fragment:
Code Block | ||||
---|---|---|---|---|
| ||||
<beans> {code:xml} <beans> <bean id="cors-filter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter"/> <jaxrs:server id="service" address="/rest"> <jaxrs:serviceBeans> <ref bean="cors-server" /> </jaxrs:serviceBeans> <jaxrs:providers> <ref bean="cors-filter" /> </jaxrs:providers> </jaxrs:server> <bean id="cors-server" scope="prototype" class="org.apache.cxf.systest.jaxrs.cors.AnnotatedCorsServer" /> </beans> {code} |