ajax - Apache Tomcat 8.5.2 + Resteasy CORS 过滤器突然停止工作

Question

我有一个在嵌入式 Apache Tomcat (8.5.2) 实例上运行的 JAX-RS 应用程序(RestEasy，3.1.2.Final)。这是一个公共(public) REST 服务，所以我从 RestEasy 添加了一个 CORS 过滤器:

import org.jboss.resteasy.plugins.interceptors.CorsFilter;

@Override
    public Set<Object> getSingletons() {
        Set<Object> singletons = new LinkedHashSet<>();

        // = = = CORS = = =
        CorsFilter cors = getCorsFilter();
        singletons.add(cors);

        //...

        return singletons;
    }

    private CorsFilter getCorsFilter() {
        CorsFilter cors = new CorsFilter();
        cors.getAllowedOrigins().add("*");
        cors.setAllowCredentials(true);
        cors.setAllowedMethods("GET,POST,PUT,DELETE,HEAD");
        cors.setCorsMaxAge(1209600);
        cors.setAllowedHeaders("Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,Accept-Encoding,Accept-Language,Access-Control-Request-Method,Cache-Control,Connection,Host,Referer,User-Agent");
        return cors;
    }

在 web.xml 中也定义了一个安全约束:

<security-constraint>
        <web-resource-collection>
            <web-resource-name>Tango RESTful gateway</web-resource-name>
            <url-pattern>/rest/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>HEAD</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>desy-user</role-name>
            <role-name>mtango-rest</role-name>
        </auth-constraint>
    </security-constraint>

在此设置中，一切正常，但只有几周。几周后，CORS 预检失败并显示 401 而不是正常序列:

要求:

Host: mstatus.esrf.fr
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Origin: https://ingvord.github.io
DNT: 1
Connection: keep-alive

响应:

Connection: Keep-Alive
Content-Length: 62
Content-Type: application/octet-stream
Date: Sun, 17 Sep 2017 07:28:19 GMT
Keep-Alive: timeout=5, max=85
Server: Apache-Coyote/1.1

显然 CORS 过滤器不再执行 - 没有它设置的响应 header 。

这种行为的原因可能是什么？重新启动后它再次工作了几周。

申请链接:https://ingvord.github.io/tango-controls.demo/

提前致谢

Answer 1

显然，web.xml 中的以下额外配置似乎已经解决了这个问题:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>CORS preflight</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
</security-constraint>

好吧，至少我们在很长一段时间内没有观察到任何不当行为。