[ofbiz-plugins] branch trunk updated (a343812 -> 510239a)


[ofbiz-plugins] branch trunk updated (a343812 -> 510239a)

grv-2
This is an automated email from the ASF dual-hosted git repository.

grv pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git.


    from a343812  Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
     new 45e246b  Improved: Added CORS filter for the rest-api (OFBIZ-12220). Thanks Alexander Gepting for the contribution.
     new 510239a  Improved: Added CORS filter for the rest-api (OFBIZ-12220). Thanks Alexander Gepting for the contribution.

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../ofbiz/ws/rs/security/auth/APICorsFilter.java   | 84 ++++++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java

[ofbiz-plugins] 01/02: Improved: Added CORS filter for the rest-api (OFBIZ-12220). Thanks Alexander Gepting for the contribution.

grv-2
This is an automated email from the ASF dual-hosted git repository.

grv pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git

commit 45e246bce0afb4cc3214a7cf08b43e45911354a0
Author: Girish Vasmatkar <[hidden email]>
AuthorDate: Tue Apr 6 10:37:03 2021 +0530

    Improved: Added CORS filter for the rest-api (OFBIZ-12220).
    Thanks Alexander Gepting for the contribution.
---
 .../ofbiz/ws/rs/security/auth/APICorsFilter.java   | 87 ++++++++++++++++++++++
 1 file changed, 87 insertions(+)

diff --git a/rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java b/rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java
new file mode 100644
index 0000000..958da7a
--- /dev/null
+++ b/rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java
@@ -0,0 +1,87 @@
+/*******************************************************************************
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *******************************************************************************/
+package org.apache.ofbiz.ws.rs.security.auth;
+
+import java.io.IOException;
+import java.util.List;
+
+import javax.annotation.Priority;
+import javax.ws.rs.HttpMethod;
+import javax.ws.rs.Priorities;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerResponseContext;
+import javax.ws.rs.container.ContainerResponseFilter;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.ext.Provider;
+
+import org.apache.catalina.filters.CorsFilter;
+import org.apache.ofbiz.base.util.UtilMisc;
+import org.apache.ofbiz.base.util.UtilValidate;
+
+/**
+ * Read https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS for more details
+ */
+
+@Provider
+@Priority(Priorities.HEADER_DECORATOR)
+public class APICorsFilter implements ContainerResponseFilter {
+
+    // check security.properties file for 'host-headers-allowed'
+    private static final List<String> allowedHostHeaders = UtilMisc.getHostHeadersAllowed();
+
+    @Override
+    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext)
+            throws IOException {
+        MultivaluedMap<String, Object> responseHeaders = responseContext.getHeaders();
+
+        if (UtilValidate.isNotEmpty(allowedHostHeaders)) {
+            // the list is quite short, hence return the single entry without further checks
+            if (allowedHostHeaders.size() < 2) {
+                responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, allowedHostHeaders.get(0));
+            } else {
+                // get the request origin from request context and localize it in the list
+                String origin = requestContext.getHeaderString(CorsFilter.REQUEST_HEADER_ORIGIN);
+                // return the origin in case it's part of the allowed hosts list
+                if (UtilValidate.isNotEmpty(origin) && allowedHostHeaders.contains(origin)) {
+                    responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, origin);
+                } else {
+                    // pick up the first one from the allowed hosts list in case the request origin is not listed there
+                    responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, allowedHostHeaders.get(0));
+                }
+            }
+        }
+
+        // credentials support is enabled per default
+        responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS, true);
+
+        // publish supported request header field names
+        responseHeaders.addAll(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS,
+                HttpHeaders.CONTENT_TYPE,
+                HttpHeaders.AUTHORIZATION
+        );
+
+        // inform about all the supported methods. Itemize these due to the lack of support for the wildcard (*)
+        // in few browsers, e.g. in 'Safari' resp. 'FF for Android'
+        responseHeaders.addAll(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS,
+                HttpMethod.GET, HttpMethod.PATCH,
+                HttpMethod.PUT, HttpMethod.POST,
+                HttpMethod.DELETE, HttpMethod.OPTIONS);
+    }
+}
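Review bot: The reflected-origin branch at `responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, origin);` emits a per-origin Access-Control-Allow-Origin together with `Access-Control-Allow-Credentials: true` but never sets `Vary: Origin`, so a shared cache can replay one origin's credentialed CORS grant to a different origin; add `responseHeaders.add(HttpHeaders.VARY, CorsFilter.REQUEST_HEADER_ORIGIN);` beside it. The two fallback branches that emit `allowedHostHeaders.get(0)` when the Origin header is absent or not in the list grant nothing a browser will honour, but they do advertise the first configured host to any caller and blur the allow-list intent; emitting no Access-Control-Allow-Origin at all in those cases is the clearer fail-closed behaviour. The list is read from `host-headers-allowed`, which by its name holds Host header values rather than `scheme://host[:port]` origins, so `allowedHostHeaders.contains(origin)` presumably never matches unless that property is also populated with full origins — worth confirming, and worth a comment on the field such as `// entries must be full origins (scheme://host[:port]) to match the Origin header`. Should the property ever carry a `*` entry, the single-entry branch would send `*` alongside `Allow-Credentials: true`, which browsers reject and which would indicate a misconfiguration rather than a usable grant.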

[ofbiz-plugins] 02/02: Improved: Added CORS filter for the rest-api (OFBIZ-12220). Thanks Alexander Gepting for the contribution.

grv-2
This is an automated email from the ASF dual-hosted git repository.

grv pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git

commit 510239a5f2ac8458de7f31cd4f5ea0a10e2da8f7
Author: Girish Vasmatkar <[hidden email]>
AuthorDate: Tue Apr 6 11:16:52 2021 +0530

    Improved: Added CORS filter for the rest-api (OFBIZ-12220).
    Thanks Alexander Gepting for the contribution.
---
 .../apache/ofbiz/ws/rs/security/auth/APICorsFilter.java | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java b/rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java
index 958da7a..1348f3b 100644
--- a/rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java
+++ b/rest-api/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APICorsFilter.java
@@ -44,26 +44,26 @@ import org.apache.ofbiz.base.util.UtilValidate;
 public class APICorsFilter implements ContainerResponseFilter {
 
     // check security.properties file for 'host-headers-allowed'
-    private static final List<String> allowedHostHeaders = UtilMisc.getHostHeadersAllowed();
+    private static final List<String> ALLOWED_HOST_HEADERS = UtilMisc.getHostHeadersAllowed();
 
     @Override
     public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext)
             throws IOException {
         MultivaluedMap<String, Object> responseHeaders = responseContext.getHeaders();
 
-        if (UtilValidate.isNotEmpty(allowedHostHeaders)) {
+        if (UtilValidate.isNotEmpty(ALLOWED_HOST_HEADERS)) {
             // the list is quite short, hence return the single entry without further checks
-            if (allowedHostHeaders.size() < 2) {
-                responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, allowedHostHeaders.get(0));
+            if (ALLOWED_HOST_HEADERS.size() < 2) {
+                responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, ALLOWED_HOST_HEADERS.get(0));
             } else {
                 // get the request origin from request context and localize it in the list
                 String origin = requestContext.getHeaderString(CorsFilter.REQUEST_HEADER_ORIGIN);
                 // return the origin in case it's part of the allowed hosts list
-                if (UtilValidate.isNotEmpty(origin) && allowedHostHeaders.contains(origin)) {
+                if (UtilValidate.isNotEmpty(origin) && ALLOWED_HOST_HEADERS.contains(origin)) {
                     responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, origin);
                 } else {
                     // pick up the first one from the allowed hosts list in case the request origin is not listed there
-                    responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, allowedHostHeaders.get(0));
+                    responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, ALLOWED_HOST_HEADERS.get(0));
                 }
             }
         }
@@ -72,10 +72,7 @@ public class APICorsFilter implements ContainerResponseFilter {
         responseHeaders.add(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS, true);
 
         // publish supported request header field names
-        responseHeaders.addAll(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS,
-                HttpHeaders.CONTENT_TYPE,
-                HttpHeaders.AUTHORIZATION
-        );
+        responseHeaders.addAll(CorsFilter.RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS, HttpHeaders.CONTENT_TYPE, HttpHeaders.AUTHORIZATION);
 
         // inform about all the supported methods. Itemize these due to the lack of support for the wildcard (*)
         // in few browsers, e.g. in 'Safari' resp. 'FF for Android'