diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/filters/AccessControlResponseFilter.java b/li.strolch.rest/src/main/java/li/strolch/rest/filters/AccessControlResponseFilter.java
index e466b8b9f..0fba361bf 100644
--- a/li.strolch.rest/src/main/java/li/strolch/rest/filters/AccessControlResponseFilter.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/filters/AccessControlResponseFilter.java
@@ -33,6 +33,7 @@ import org.slf4j.LoggerFactory;
 @Priority(Priorities.HEADER_DECORATOR)
 public class AccessControlResponseFilter implements ContainerResponseFilter {
 
+	private static final String ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
 	private static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods"; //$NON-NLS-1$
 	private static final String ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers"; //$NON-NLS-1$
 	private static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers"; //$NON-NLS-1$
@@ -79,7 +80,8 @@ public class AccessControlResponseFilter implements ContainerResponseFilter {
 
 		// and set the allowed HTTP headers and methods
 		headers.add(ACCESS_CONTROL_ALLOW_HEADERS, "Authorization, Origin, X-Requested-With, Content-Type"); //$NON-NLS-1$
-		headers.add(ACCESS_CONTROL_EXPOSE_HEADERS, "Location, Content-Disposition"); //$NON-NLS-1$
+		headers.add(ACCESS_CONTROL_EXPOSE_HEADERS, "Authorization, Location, Content-Disposition"); //$NON-NLS-1$
 		headers.add(ACCESS_CONTROL_ALLOW_METHODS, "POST, PUT, GET, DELETE, HEAD, OPTIONS"); //$NON-NLS-1$
+		headers.add(ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"); //$NON-NLS-1$
 	}
 }
\ No newline at end of file
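Review bot: The new `Access-Control-Allow-Credentials: true` at the end of filter() is only safe when the `Access-Control-Allow-Origin` value set earlier in the method (outside this hunk) is a specific, allow-listed origin; browsers reject a credentialed response whose origin is `*`, and an unchecked reflected request Origin combined with credentials would let any site make authenticated cross-origin calls with the user's cookies. Please confirm how the origin is chosen there and record the constraint next to the new line, e.g. `// Allow-Credentials requires an allow-listed Allow-Origin; never "*" or an unvalidated reflected Origin`. The new constant in the first hunk also lacks the `//$NON-NLS-1$` marker its siblings carry. The enclosing filter() method starts outside the hunk.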
diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenicationRequestFilter.java b/li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenticationRequestFilter.java
similarity index 85%
rename from li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenicationRequestFilter.java
rename to li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenticationRequestFilter.java
index 2edebbce6..4a5645c4a 100644
--- a/li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenicationRequestFilter.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenticationRequestFilter.java
@@ -18,8 +18,9 @@ package li.strolch.rest.filters;
 import static li.strolch.rest.StrolchRestfulConstants.STROLCH_CERTIFICATE;
 
 import java.io.IOException;
-import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
@@ -43,12 +44,14 @@ import li.strolch.utils.helper.StringHelper;
  * @author Robert von Burg
  */
 @Provider
-public class AuthenicationRequestFilter implements ContainerRequestFilter {
+public class AuthenticationRequestFilter implements ContainerRequestFilter {
 
-	private static final Logger logger = LoggerFactory.getLogger(AuthenicationRequestFilter.class);
+	private static final Logger logger = LoggerFactory.getLogger(AuthenticationRequestFilter.class);
 
-	protected List getUnsecuredPaths() {
-		List list = new ArrayList<>();
+	private Set unsecuredPaths;
+
+	protected Set getUnsecuredPaths() {
+		Set list = new HashSet<>();
 		list.add("strolch/authentication");
 		return list;
 	}
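Review bot: The new `unsecuredPaths` field is assigned lazily from filter() (next hunk) with no synchronization, and a JAX-RS @Provider filter is typically instantiated once and shared by concurrent requests; without `volatile` there is no happens-before edge publishing the HashSet's contents to other threads, and the check-then-assign may run more than once. Declaring it `private volatile Set<String> unsecuredPaths;` closes the visibility gap. Since the value is now computed only once per instance, a comment should also record that an override of getUnsecuredPaths() is consulted only for the first request: `// lazily cached result of getUnsecuredPaths(); computed once per filter instance`. The local named `list` now holds a Set; `paths` would read better.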
@@ -59,7 +62,14 @@ public class AuthenicationRequestFilter implements ContainerRequestFilter {
 		List matchedURIs = requestContext.getUriInfo().getMatchedURIs();
 
 		// we allow unauthorized access to the authentication service
-		if (matchedURIs.stream().anyMatch(s -> getUnsecuredPaths().contains(s))) {
+		if (this.unsecuredPaths == null)
+			this.unsecuredPaths = getUnsecuredPaths();
+		if (matchedURIs.stream().anyMatch(s -> this.unsecuredPaths.contains(s))) {
+			return;
+		}
+
+		// we have to allow OPTIONS for CORS
+		if (requestContext.getMethod().equals("OPTIONS")) {
 			return;
 		}
 
@@ -93,7 +103,7 @@ public class AuthenicationRequestFilter implements ContainerRequestFilter {
 			Certificate certificate = sessionHandler.validate(sessionId);
 			requestContext.setProperty(STROLCH_CERTIFICATE, certificate);
 		} catch (Exception e) {
-			logger.error(e.getMessage(), e);
+			logger.error(e.getMessage());
 			requestContext.abortWith(
 					Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
 							.entity("User cannot access the resource.").build()); //$NON-NLS-1$
diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenicationResponseFilter.java b/li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenticationResponseFilter.java
similarity index 95%
rename from li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenicationResponseFilter.java
rename to li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenticationResponseFilter.java
index 00a1f3c39..50eba7490 100644
--- a/li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenicationResponseFilter.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/filters/AuthenticationResponseFilter.java
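Review bot: The new OPTIONS short-circuit lets every OPTIONS request skip session validation, not only CORS preflights; a preflight carries an `Origin` header and `Access-Control-Request-Method`, so as written any resource that itself answers OPTIONS becomes reachable without a session. Narrowing the guard to `if ("OPTIONS".equals(requestContext.getMethod()) && requestContext.getHeaderString("Access-Control-Request-Method") != null)` keeps the preflight working while leaving other OPTIONS calls subject to the normal checks. The comment above it could then say `// CORS preflights carry no credentials, so they must pass without a session`. filter() continues beyond the hunk.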
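Review bot: Dropping the throwable from `logger.error(e.getMessage())` in the `catch (Exception e)` loses the exception type and stack trace, and `getMessage()` can be null, so the log line can degrade to a bare "null" with no indication of what failed in sessionHandler.validate(). If the trace is noise for routine session expiry, keep at least the class name and message: `logger.error("Session validation failed: {}", e.toString());`, and ideally narrow the catch to the exception validate() actually throws so programming errors still get a full trace. The surrounding try block starts outside the hunk.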
@@ -32,7 +32,7 @@ import li.strolch.privilege.model.Certificate;
  * @author Robert von Burg
  */
 @Provider
-public class AuthenicationResponseFilter implements ContainerResponseFilter {
+public class AuthenticationResponseFilter implements ContainerResponseFilter {
 
 	@Override
 	public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext)