3

How can I configure the Apache CXF CrossOriginResourceSharingFilter without changing the source code (annotated class or beans.xml)?

In the JAX-RS: CORS example the configuration is hard-coded:

Here is the test code showing how CrossOriginResourceSharing annotations can be applied at the resource and individual method levels.

[...]

@GET
@CrossOriginResourceSharing(
     allowOrigins = { "http://area51.mil:31415" }, 
     allowCredentials = true, 
     exposeHeaders = { "X-custom-3", "X-custom-4" }
)
@Produces("text/plain")
@Path("/annotatedGet/{echo}")
public String annotatedGet(@PathParam("echo") String echo) {
    return echo;
}

I use beans.xml to configure the allowOrigins property:

<bean id="cors-filter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">
    <property name="allowOrigins">
        <list>
            <value>myserver1</value>
            <value>myserver2</value>
        </list>
    </property>
</bean>

I thought I could get the property from JNDI, but it is not allowed to add a List (see Servlet Specification 2.5). And I need a way to configure an empty List for CORS *. 

<bean id="cors-filter"
    class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">
    <property name="allowOrigins"><
        <jee:jndi-lookup jndi-name="CORS/origins"/>
    </property>
</bean>

What is the intended/preferred way to configure the CrossOriginResourceSharingFilter in a reusable WAR?

dur
  • 15,689
  • 25
  • 79
  • 125

1 Answers1

3

What if you use some environment variable to set a comma separated list of origins like this:

<bean id="cors-filter"
    class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">
        <property name="allowOrigins" value="#{systemProperties['origins'] != null ? systemProperties['origins'].split(',') : null}"> 
    </property>
</bean>
  • this is a tested code

And pass -Dorigins=or1,or2,... to JVM (or don't pass to get null value)

If you need to pass an empty list in configuration you can edit code like this (replace null with {} in property value):

<bean id="cors-filter"
    class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">
         <property name="prop" value="#{systemProperties['test'] != null ? systemProperties['test'].split(',') : {}}">
         </property>
</bean>

this way,if you don't add -Dorigins to Java VM Options, an empty list will be used.

Based on Spring EL Documentation you can use all object methods:

As an example of method invocation, we call the 'concat' method on the string literal. Expression exp = parser.parseExpression("'Hello World'.concat('!')");

Shirin Safaeian
  • 950
  • 6
  • 18