  1. Magnolia REST Framework
  2. MGNLREST-81

CORS preflight requests are throwing DefaultOptionsMethodException: No resource method found for options


Details

    • Bug
    • Resolution: Duplicate
    • Major
    • None
    • 1.1.2
    • integration
    • None
    • Java 1.8.0_45
      Tomcat 7.0.64

    Description

      When using CORS for REST requests, the rest easy integration module throws an exception in the case of non-simple preflight requests, for example when issuing a GET request with custom headers from a different domain.

      Exception thrown (Full stacktrace attached):

      ERROR info.magnolia.rest.RestExceptionMapper            : Exception thrown executing REST endpoint, returning 500
      org.jboss.resteasy.spi.DefaultOptionsMethodException: No resource method found for options, return OK with Allow header
      	at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:366)
      	at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
      	at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
      	at org.jboss.resteasy.core.registry.RootClassNode.match(RootClassNode.java:48)
      	at org.jboss.resteasy.core.ResourceMethodRegistry.getResourceInvoker(ResourceMethodRegistry.java:444)
      	at org.jboss.resteasy.core.SynchronousDispatcher.getInvoker(SynchronousDispatcher.java:234)
      	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:171)
      

      Steps to reproduce:

      1. Configure at least 2 different domains on your local machine. For example: www.test1.com and www.test2.com.
      2. Enable OPTIONS method in IPSecurityManager: /server/IPConfig/allow-all@methods:GET,POST,PUT,DELETE,OPTIONS
      3. Enable the unofficial Magnolia CORS filter with GET and OPTIONS as allowed methods: /server/filters/cors@allowMethods:GET, OPTIONS. It's important to configure the bypasses option properly. For example: pattern:/.rest to have it enabled for all rest requests.
      4. Give web access permissions (GET) for rest requests to the rest role in the Security app.
      5. Using www.test1.com as the public instance, create a page with the following AngularJS request:
        $http.get('http://www.test2.com:8080/magnoliaPublic/.rest/nodes/v1/workspace', {headers: {'TEST': 'TEST'}})
      6. The browser (Chrome in this example) will try to issue an OPTIONS request which will throw the exception attached.

      An example AngularJS page is attached in order to test this scenario.

      Step 3 can be omitted and rest-integration will still throw the exception; the CORS headers just won't be added to the HTTP 500 response.

      It's important to note that this only happens when adding a custom header (or any other preflight use case) like TEST:TEST in this example. If the same request has no custom headers, the rest-integration module will execute the resteasy endpoint correctly and the CORS filter will add the appropriate headers.
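
The following is an added example, not part of the original report or of Magnolia's code: a simplified model of the browser's preflight decision that shows why the request in step 5 produces an OPTIONS call while the same request without the TEST header does not. The function names and the `http://www.test1.com` origin are assumptions; the spec's value-length and byte checks and the Range header case are left out.

```javascript
// Added example: simplified model of the Fetch-spec CORS preflight decision.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Returns the lower-cased, sorted header names that are not CORS-safelisted.
function unsafeHeaderNames(headers) {
  const unsafe = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (SAFE_HEADERS.has(lower)) continue;
    if (lower === 'content-type') {
      // Only the MIME essence counts; parameters such as charset are ignored.
      const essence = String(value).split(';')[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(essence)) continue;
    }
    unsafe.push(lower);
  }
  return unsafe.sort();
}

// A cross-origin request is preflighted if its method or any header is not safelisted.
function needsPreflight(method, headers = {}) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaderNames(headers).length > 0;
}

// Builds the OPTIONS request sent ahead of the real one, or null if none is needed.
function buildPreflight(origin, url, method, headers = {}) {
  if (!needsPreflight(method, headers)) return null;
  const preflight = {
    method: 'OPTIONS',
    url,
    headers: { 'Origin': origin, 'Access-Control-Request-Method': method.toUpperCase() },
  };
  const unsafe = unsafeHeaderNames(headers);
  if (unsafe.length > 0) preflight.headers['Access-Control-Request-Headers'] = unsafe.join(',');
  return preflight;
}

// Request from step 5 of the report; the origin scheme is an assumption.
const url = 'http://www.test2.com:8080/magnoliaPublic/.rest/nodes/v1/workspace';
console.log(buildPreflight('http://www.test1.com', url, 'GET', { TEST: 'TEST' }));
console.log(buildPreflight('http://www.test1.com', url, 'GET', {}));
```

The first call models the OPTIONS request that reaches the endpoint and has no matching resource method; the second returns null because a plain GET is sent directly.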

        Attachments

          1. contactList.ftl
            2 kB
          2. contactList.yaml
            0.1 kB
          3. RestCorsFilter.java
            0.6 kB
          4. restEasyException.log
            10 kB

              People

                Unassigned Unassigned
                ebguilbert Edwin Guilbert
                Votes: 2
                Watchers: 5
