Discussion:
X-HTTP-Method-Override and CrossOriginResourceSharingFilter
Sebastien Arod
2018-10-31 13:01:05 UTC
Permalink
Hi,

I have a single page application running in the browser that interacts with
a cxf rest api. The application javascript code and the REST api are served
by different servers so I configured CrossOriginResourceSharingFilter and
everything works fine.

However in order to workaround an issue with a proxy not supporting PATCH
method I configured my client code to rewrite PATCH request to POST +
X-HTTP-Method-Override:PATCH.

The problem is that POST + X-HTTP-Method-Override:PATCH doesn't seem to
play well with CrossOriginResourceSharingFilter because
CrossOriginResourceSharingFilter tries to lookup a REST resource doing POST
instead of PATCH and so the preflight request is rejected.

Looking at the CrossOriginResourceSharingFilter code I found the there is a
findResourceMethod configuration can be used to skip the lookup of the
resource method and it seems to work when I configure
findResourceMethod=true.

So I have 3 questions:

- Is this property supposed to be used for such situations?
- What do I loose when configuring findResourceMethod=true except the
check that ?
- Shouldn't CrossOriginResourceSharingFilter skip or loosen the resource
lookup by default if the preflight request contains a
X-HTTP-Method-Override in "Access-Control-Request-Headers"?

Thanks,
-Seb

Loading...