From 35e67c84fac43e64e4b1e2aad9a0aaee666304d6 Mon Sep 17 00:00:00 2001
From: Alexander Reelsen
Date: Tue, 5 Aug 2014 17:31:33 +0200
Subject: [PATCH] CORS: Allowed to configure allow-credentials header to work via SSL

This adds support to return the "Access-Control-Allow-Credentials" header if needed, so CORS will work flawlessly with authenticated applications.

Closes #6380
---
 docs/reference/modules/http.asciidoc | 4 ++++
 .../http/netty/NettyHttpChannel.java | 15 ++++++++++-----
 .../http/netty/NettyHttpServerTransport.java | 7 +++++++
 .../elasticsearch/rest/CorsRegexDefaultTests.java | 2 ++
 .../org/elasticsearch/rest/CorsRegexTests.java | 9 +++++++--
 5 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/docs/reference/modules/http.asciidoc b/docs/reference/modules/http.asciidoc
index 0bd24a2f39c..49e4e618f6e 100644
--- a/docs/reference/modules/http.asciidoc
+++ b/docs/reference/modules/http.asciidoc
@@ -57,6 +57,10 @@ be cached for. Defaults to `1728000` (20 days)
 |`http.cors.allow-headers` |Which headers to allow. Defaults to `X-Requested-With, Content-Type, Content-Length`.
+|`http.cors.allow-credentials` | Whether the `Access-Control-Allow-Credentials`
+header should be returned. Note: This header is only returned, when the setting is
+set to `true`. Defaults to `false`
+
 |=======================================================================
diff --git a/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java b/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java
index bc269eb7e17..d57e349192b 100644
--- a/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java
+++ b/src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java
@@ -43,6 +43,7 @@ import java.util.Map;
 import java.util.Set;
 import java.util.regex.Pattern;
 
+import static org.elasticsearch.http.netty.NettyHttpServerTransport.*;
 import static org.jboss.netty.handler.codec.http.HttpHeaders.Names.*;
 
 /**
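Review bot: The added `import static org.elasticsearch.http.netty.NettyHttpServerTransport.*;` is a second on-demand static import next to the existing `HttpHeaders.Names.*` one, so every public static member of the transport class now lands in this file's namespace, and a constant later added to either class under the same simple name makes each use of it ambiguous at compile time. Importing the five constants the channel actually uses explicitly, e.g. `import static org.elasticsearch.http.netty.NettyHttpServerTransport.SETTING_CORS_ENABLED;` and likewise for `SETTING_CORS_ALLOW_ORIGIN`, `SETTING_CORS_MAX_AGE`, `SETTING_CORS_ALLOW_METHODS`, `SETTING_CORS_ALLOW_HEADERS` and `SETTING_CORS_ALLOW_CREDENTIALS`, keeps the dependency on the transport's settings visible at a glance.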
@@ -97,20 +98,24 @@ public class NettyHttpChannel extends HttpChannel {
             resp = new DefaultHttpResponse(HttpVersion.HTTP_1_1, status);
         }
         if (RestUtils.isBrowser(nettyRequest.headers().get(USER_AGENT))) {
-            if (transport.settings().getAsBoolean("http.cors.enabled", true)) {
+            if (transport.settings().getAsBoolean(SETTING_CORS_ENABLED, true)) {
                 String originHeader = request.header(ORIGIN);
                 if (!Strings.isNullOrEmpty(originHeader)) {
                     if (corsPattern == null) {
-                        resp.headers().add(ACCESS_CONTROL_ALLOW_ORIGIN, transport.settings().get("http.cors.allow-origin", "*"));
+                        resp.headers().add(ACCESS_CONTROL_ALLOW_ORIGIN, transport.settings().get(SETTING_CORS_ALLOW_ORIGIN, "*"));
                     } else {
                         resp.headers().add(ACCESS_CONTROL_ALLOW_ORIGIN, corsPattern.matcher(originHeader).matches() ? originHeader : "null");
                     }
                 }
                 if (nettyRequest.getMethod() == HttpMethod.OPTIONS) {
                     // Allow Ajax requests based on the CORS "preflight" request
-                    resp.headers().add(ACCESS_CONTROL_MAX_AGE, transport.settings().getAsInt("http.cors.max-age", 1728000));
-                    resp.headers().add(ACCESS_CONTROL_ALLOW_METHODS, transport.settings().get("http.cors.allow-methods", "OPTIONS, HEAD, GET, POST, PUT, DELETE"));
-                    resp.headers().add(ACCESS_CONTROL_ALLOW_HEADERS, transport.settings().get("http.cors.allow-headers", "X-Requested-With, Content-Type, Content-Length"));
+                    resp.headers().add(ACCESS_CONTROL_MAX_AGE, transport.settings().getAsInt(SETTING_CORS_MAX_AGE, 1728000));
+                    resp.headers().add(ACCESS_CONTROL_ALLOW_METHODS, transport.settings().get(SETTING_CORS_ALLOW_METHODS, "OPTIONS, HEAD, GET, POST, PUT, DELETE"));
+                    resp.headers().add(ACCESS_CONTROL_ALLOW_HEADERS, transport.settings().get(SETTING_CORS_ALLOW_HEADERS, "X-Requested-With, Content-Type, Content-Length"));
+                }
+
+                if (transport.settings().getAsBoolean(SETTING_CORS_ALLOW_CREDENTIALS, false)) {
+                    resp.headers().add(ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
                 }
             }
         }
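Review bot: The new `Access-Control-Allow-Credentials: true` header is emitted whenever `SETTING_CORS_ALLOW_CREDENTIALS` is on, independently of which `Access-Control-Allow-Origin` value the lines above chose; when `corsPattern` is null and `http.cors.allow-origin` keeps its default `*`, the response pairs a wildcard origin with credentials, a combination browsers reject for credentialed requests, so the new setting has no effect in the default configuration. In the regex branch the header is also sent alongside the literal `"null"` fallback for a non-matching origin, and `null` is exactly the origin browsers report for opaque contexts, so that fallback plus credentials is a weaker answer than a plain refusal. Tracking whether a concrete origin was actually granted and gating the credentials header on that result keeps both combinations out of the response, as sketched below. The enclosing method starts and ends outside this hunk.
```java
                String originHeader = request.header(ORIGIN);
                // true only when a concrete, non-wildcard origin was granted
                boolean originAllowed = false;
                if (!Strings.isNullOrEmpty(originHeader)) {
                    if (corsPattern == null) {
                        String allowOrigin = transport.settings().get(SETTING_CORS_ALLOW_ORIGIN, "*");
                        resp.headers().add(ACCESS_CONTROL_ALLOW_ORIGIN, allowOrigin);
                        originAllowed = !"*".equals(allowOrigin);
                    } else {
                        originAllowed = corsPattern.matcher(originHeader).matches();
                        resp.headers().add(ACCESS_CONTROL_ALLOW_ORIGIN, originAllowed ? originHeader : "null");
                    }
                }
                // … unchanged: preflight (OPTIONS) headers …
                // "*" and "null" must never be combined with Allow-Credentials: true
                if (originAllowed && transport.settings().getAsBoolean(SETTING_CORS_ALLOW_CREDENTIALS, false)) {
                    resp.headers().add(ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
                }
```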
diff --git a/src/main/java/org/elasticsearch/http/netty/NettyHttpServerTransport.java b/src/main/java/org/elasticsearch/http/netty/NettyHttpServerTransport.java
index 474cf2274e9..41ad895daf2 100644
--- a/src/main/java/org/elasticsearch/http/netty/NettyHttpServerTransport.java
+++ b/src/main/java/org/elasticsearch/http/netty/NettyHttpServerTransport.java
@@ -65,6 +65,13 @@ public class NettyHttpServerTransport extends AbstractLifecycleComponent