On 02/12/2019 19:48, Michael Osipov wrote:
> On 2019-12-02 at 18:51, ma...@apache.org wrote:

<snip/>

>> ------------------------------------------------------------- Properties
>>   +    public String getAllowCorsPreflight() {
>> +        return allowCorsPreflight.name().toLowerCase();
>> +    }
>> +
>> +    public void setAllowCorsPreflight(String allowCorsPreflight) {
>> +        this.allowCorsPreflight =
>> AllowCorsPreflight.valueOf(allowCorsPreflight.trim().toUpperCase());
>> +    }
>> +
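
Review bot: setAllowCorsPreflight() passes its argument straight to trim() and then to AllowCorsPreflight.valueOf(), so a null value throws NullPointerException and any unrecognised value throws an IllegalArgumentException that never names the attribute. Since this setter is driven by configuration, consider catching both cases and reporting the attribute name together with the accepted values, so that a typo in the valve configuration is easy to diagnose.
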
> 
> toLowerCase() and toUpperCase() should be locale-agnostic.

They should be forced to ENGLISH. I'll get that fixed.

>> +            if (log.isDebugEnabled()) {
>> +                log.debug(" CORS Preflight request bypassing
>> authentication");
>                              ^^
>                              Is that space intended?

Yes. For consistency with surrounding messages. The file is not
consistent though. Removal of all leading spaces in debug messages is
probably the right choice here as that would be consistent with the
majority of debug messages in Tomcat.


>> +                                                        if
>> ("/*".equals(urlPattern)) {
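
Review bot: the test "/*".equals(urlPattern) is an exact string comparison, so only a mapping written literally as /* satisfies it and any narrower mapping is treated as if no filter were present. That limitation should be stated in the attribute documentation for the filter value, and a debug message on the non-matching path would help whoever has to work out why a preflight request was sent to the authenticator.
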
> So basically, if I have applied the CorsFilter to "/api/*" it will
> evaluate to false?! 

Correct - if you are using "filter". If you use "always" it won't reach
those tests.

> This is why I brought up BZ 63938.
> You see no other way to make it an exact match and not blanket?

Not easily, no. You'd essentially have to recreate large chunks of
ApplicationFilterFactory.

>> --- a/webapps/docs/config/valve.xml
>> +++ b/webapps/docs/config/valve.xml
>> @@ -1201,6 +1201,21 @@
>>         <attributes>
>>   +      <attribute name="allowCorsPreflight" required="false">
>> +        <p>Are requests that appear to be CORS preflight requests
>> allowed to
>> +        bypass the authenticator as required by the CORS
>> specification. The
>> +        allowed values are <code>never</code>, <code>filter</code> and
>> +        <code>always</code>. <code>never</code> means that a request
>> will never
>> +        bypass authentication even if it appears to be a CORS
>> preflight request.
>> +        <code>filter</code> means that a request will bypass
>> authentication if
>> +        it appears to be a CORS preflight request and the web
>> application the
>> +        request maps to has the <a href="filter.html#CORS_Filter">CORS
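
Review bot: the description of allowCorsPreflight says that requests which "appear to be" CORS preflight requests bypass the authenticator, but the lines shown here do not say which properties of a request are examined to reach that conclusion. Because this decides what skips authentication, the documentation should spell out the criteria. The opening sentence ("Are requests ... allowed to bypass the authenticator ...") is also phrased as a question and should end with a question mark.
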
> 
> I have the feeling that some word is either wrong or missing here: ...
> and the web application the request maps ...

Looks fine to me.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
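
The locale point raised in the thread about getAllowCorsPreflight() and setAllowCorsPreflight(), shown as an added example that is not part of the original message or of the Tomcat code base. The class LocaleCaseDemo, its helper methods and the local enum (a stand-in with constants inferred from the documented values never, filter and always) are assumptions made for illustration.

```java
import java.util.Locale;

public class LocaleCaseDemo {

    // Stand-in for the enum used in the quoted patch (assumption: constants
    // mirror the documented values never, filter and always).
    enum AllowCorsPreflight { NEVER, FILTER, ALWAYS }

    // Same parsing as the quoted setter, with the locale made explicit.
    // The patch calls toUpperCase() with no argument, which uses the JVM default.
    static AllowCorsPreflight parseWithLocale(String value, Locale locale) {
        return AllowCorsPreflight.valueOf(value.trim().toUpperCase(locale));
    }

    // The fix agreed in the thread: force Locale.ENGLISH.
    static AllowCorsPreflight parseEnglish(String value) {
        return AllowCorsPreflight.valueOf(value.trim().toUpperCase(Locale.ENGLISH));
    }

    public static void main(String[] args) {
        Locale turkish = Locale.forLanguageTag("tr-TR");

        // Under Turkish casing rules 'i' upper-cases to U+0130 (dotted capital I),
        // so the configured value "filter" no longer matches the constant FILTER.
        try {
            System.out.println("tr-TR  filter -> " + parseWithLocale("filter", turkish));
        } catch (IllegalArgumentException e) {
            System.out.println("tr-TR  filter rejected: " + e.getMessage());
        }

        // Values without the letter 'i' are unaffected, which is why the problem
        // can go unnoticed until someone configures "filter".
        System.out.println("tr-TR  never  -> " + parseWithLocale("never", turkish));
        System.out.println("tr-TR  always -> " + parseWithLocale("always", turkish));

        // With the locale forced, parsing no longer depends on the JVM default.
        System.out.println("ENGLISH filter -> " + parseEnglish("filter"));

        // The getter has the mirror-image problem: 'I' lower-cases to U+0131
        // (dotless i) under Turkish rules, so the reported value is not "filter".
        String name = AllowCorsPreflight.FILTER.name();
        System.out.println("getter tr-TR   -> " + name.toLowerCase(turkish));
        System.out.println("getter ENGLISH -> " + name.toLowerCase(Locale.ENGLISH));
    }
}
```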