  1. Magnolia REST Framework
  2. MGNLREST-81

CORS preflight requests are throwing DefaultOptionsMethodException: No resource method found for options


    • Bug
    • Resolution: Duplicate
    • Major
    • None
    • 1.1.2
    • integration
    • None
    • Java 1.8.0_45
      Tomcat 7.0.64

      When using CORS for REST requests, the rest easy integration module is throwing an exception in case of non-simple preflight requests. For example when issuing a GET request with custom headers from a different domain.

      Exception thrown (Full stacktrace attached):

      ERROR info.magnolia.rest.RestExceptionMapper            : Exception thrown executing REST endpoint, returning 500
      org.jboss.resteasy.spi.DefaultOptionsMethodException: No resource method found for options, return OK with Allow header
      	at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:366)
      	at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
      	at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
      	at org.jboss.resteasy.core.registry.RootClassNode.match(RootClassNode.java:48)
      	at org.jboss.resteasy.core.ResourceMethodRegistry.getResourceInvoker(ResourceMethodRegistry.java:444)
      	at org.jboss.resteasy.core.SynchronousDispatcher.getInvoker(SynchronousDispatcher.java:234)
      	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:171)
      

      Steps to reproduce:

      1. Configure at least 2 different domains on your local. For example: www.test1.com and www.test2.com.
      2. Enable OPTIONS method in IPSecurityManager: /server/IPConfig/allow-all@methods:GET,POST,PUT,DELETE,OPTIONS
      3. Enable the unofficial Magnolia CORS filter with GET and OPTIONS as allowed methods: /server/filters/cors@allowMethods:GET, OPTIONS. It's important to configure the bypasses option properly. For example: pattern:/.rest to have it enabled for all rest requests.
      4. Give web access permissions (GET) for rest requests to rest role in Security app.
      5. Using www.test1.com as the public instance, create a page with the following AngularJS request:
        $http.get('http://www.test2.com:8080/magnoliaPublic/.rest/nodes/v1/workspace', {headers: {'TEST': 'TEST'}})
      6. The browser (Chrome in this example) will try to issue an OPTIONS request which will throw the exception attached.

      An example AngularJS page is attached in order to test this scenario.

      Step number 3 can be omitted and rest-integration will still throw the exception; the CORS headers just won't be added to the HTTP 500 response.

      It's important to note that this only happens when adding a custom header (or any other preflight use case) like TEST:TEST in this example. If the same request has no custom headers, the rest-integration module will execute the resteasy endpoint correctly and the CORS filter will add the appropriate headers.


          1. contactList.ftl
            2 kB
          2. contactList.yaml
            0.1 kB
          3. RestCorsFilter.java
            0.6 kB
          4. restEasyException.log
            10 kB

              Unassigned Unassigned
              ebguilbert Edwin Guilbert
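
The preflight behaviour described in this issue, as an added example that is not part of the original report or its attachments: a simplified model of the browser's Fetch CORS rules, showing why the `TEST` header triggers an OPTIONS request and why a 500 answer to it blocks the real GET. The page origin `http://www.test1.com`, the function names and the sample response headers are assumptions; credentials and header size limits are not modelled.

```javascript
// Added example (not from the issue or its attachments). Simplified Fetch-spec
// CORS rules; assumes a request without credentials.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'range']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Header names that take the request out of the "simple" category.
function unsafeHeaders(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (n === 'content-type') {
        return !SAFE_CONTENT_TYPES.has(String(value).split(';')[0].trim().toLowerCase());
      }
      return !SAFE_HEADERS.has(n);
    })
    .map(([name]) => name.toLowerCase())
    .sort();
}

// Returns the OPTIONS request the browser sends first, or null if none is needed.
function buildPreflight(pageOrigin, method, url, headers = {}) {
  const unsafe = unsafeHeaders(headers);
  const crossOrigin = new URL(url).origin !== pageOrigin;
  if (!crossOrigin || (SAFE_METHODS.has(method) && unsafe.length === 0)) return null;
  const preflight = { 'origin': pageOrigin, 'access-control-request-method': method };
  if (unsafe.length) preflight['access-control-request-headers'] = unsafe.join(',');
  return { method: 'OPTIONS', url, headers: preflight };
}

// Decides whether the browser goes on to send the real request.
// responseHeaders keys are expected in lower case.
function preflightPasses(preflight, status, responseHeaders) {
  if (status < 200 || status > 299) return false; // a 500 fails even with CORS headers
  const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const req = preflight.headers;
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== req.origin) return false;
  const method = req['access-control-request-method'];
  const methods = list(responseHeaders['access-control-allow-methods']);
  if (!SAFE_METHODS.has(method) && !methods.includes(method.toLowerCase())
      && !methods.includes('*')) return false;
  const allowed = list(responseHeaders['access-control-allow-headers']);
  return list(req['access-control-request-headers'])
    .every((h) => allowed.includes(h) || allowed.includes('*'));
}
```

A fix on the server side therefore has to make the OPTIONS request return a 2xx status with `Access-Control-Allow-Headers` listing the custom header; adding CORS headers to the 500 response is not enough.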