Clean up places where CORS headers are declared - Related to #718

hapi-fhir-base/src/main/java/ca/uhn/fhir/rest/api/Constants.java

@@ -31,6 +31,16 @@ public class Constants {
 	public static final String CHARSET_NAME_UTF8 = "UTF-8";
 	public static final Charset CHARSET_UTF8;
 	public static final String CHARSET_UTF8_CTSUFFIX = "; charset=" + CHARSET_NAME_UTF8;
+	/**
+	 * Contains a standard set of headers which are used by FHIR / HAPI FHIR, and therefore
+	 * would make a useful set for CORS AllowedHeader declarations
+	 */
+	public static final Set<String> CORS_ALLOWED_HEADERS;
+	/**
+	 * Contains a standard set of HTTP Methods which are used by FHIR / HAPI FHIR, and therefore
+	 * would make a useful set for CORS AllowedMethod declarations
+	 */
+	public static final Set<String> CORS_ALLWED_METHODS;
 	public static final String CT_FHIR_JSON = "application/json+fhir";
 	public static final String CT_FHIR_JSON_NEW = "application/fhir+json";
 	public static final String CT_FHIR_XML = "application/xml+fhir";
@@ -181,8 +191,7 @@ public class Constants {
 	static {
 		CHARSET_UTF8 = Charset.forName(CHARSET_NAME_UTF8);
 
-		HashMap<Integer, String> statusNames = new HashMap<Integer, String>();
-
+		HashMap<Integer, String> statusNames = new HashMap<>();
 		statusNames.put(200, "OK");
 		statusNames.put(201, "Created");
 		statusNames.put(202, "Accepted");
@@ -247,11 +256,31 @@ public class Constants {
 		statusNames.put(511, "Network Authentication Required");
 		HTTP_STATUS_NAMES = Collections.unmodifiableMap(statusNames);
 		
-		Set<String> formatsHtml = new HashSet<String>();
+		Set<String> formatsHtml = new HashSet<>();
 		formatsHtml.add(CT_HTML);
 		formatsHtml.add(FORMAT_HTML);
 		FORMATS_HTML = Collections.unmodifiableSet(formatsHtml);
-		
+
+		// *********************************************************
+		// Update CorsInterceptor's constructor documentation if you change these:
+		// *********************************************************
+		HashSet<String> corsAllowedHeaders = new HashSet<>();
+		corsAllowedHeaders.add("Accept");
+		corsAllowedHeaders.add("Access-Control-Request-Headers");
+		corsAllowedHeaders.add("Access-Control-Request-Method");
+		corsAllowedHeaders.add("Cache-Control");
+		corsAllowedHeaders.add("Content-Type");
+		corsAllowedHeaders.add("Origin");
+		corsAllowedHeaders.add("Prefer");
+		corsAllowedHeaders.add("X-Requested-With");
+		CORS_ALLOWED_HEADERS = Collections.unmodifiableSet(corsAllowedHeaders);
+
+		// *********************************************************
+		// Update CorsInterceptor's constructor documentation if you change these:
+		// *********************************************************
+		HashSet<String> corsAllowedMethods = new HashSet<>();
+		corsAllowedMethods.addAll(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"));
+		CORS_ALLWED_METHODS = Collections.unmodifiableSet(corsAllowedMethods);
 	}
 
 }

hapi-fhir-cli/hapi-fhir-cli-jpaserver/src/main/java/ca/uhn/fhir/jpa/demo/JpaServerDemo.java

@@ -142,20 +142,7 @@ public class JpaServerDemo extends RestfulServer {
 		setPagingProvider(new FifoMemoryPagingProvider(10));
 
 		// Register a CORS filter
-		CorsConfiguration config = new CorsConfiguration();
-		CorsInterceptor corsInterceptor = new CorsInterceptor(config);
-		config.addAllowedHeader("x-fhir-starter");
-		config.addAllowedHeader("Origin");
-		config.addAllowedHeader("Accept");
-		config.addAllowedHeader("Prefer");
-		config.addAllowedHeader("X-Requested-With");
-		config.addAllowedHeader("Content-Type");
-		config.addAllowedHeader("Access-Control-Request-Method");
-		config.addAllowedHeader("Access-Control-Request-Headers");
-		config.addAllowedOrigin("*");
-		config.addExposedHeader("Location");
-		config.addExposedHeader("Content-Location");
-		config.setAllowedMethods(Arrays.asList("GET","POST","PUT","DELETE","OPTIONS"));
+		CorsInterceptor corsInterceptor = new CorsInterceptor();
 		registerInterceptor(corsInterceptor);
 
 		/*

hapi-fhir-jpaserver-uhnfhirtest/src/main/java/ca/uhn/fhirtest/TestRestfulServer.java

@@ -173,19 +173,7 @@ public class TestRestfulServer extends RestfulServer {
 		/*
 		 * Enable CORS
 		 */
-		CorsConfiguration config = new CorsConfiguration();
-		CorsInterceptor corsInterceptor = new CorsInterceptor(config);
-		config.addAllowedHeader("Origin");
-		config.addAllowedHeader("Accept");
-		config.addAllowedHeader("X-Requested-With");
-		config.addAllowedHeader("Content-Type");
-		config.addAllowedHeader("Access-Control-Request-Method");
-		config.addAllowedHeader("Access-Control-Request-Headers");
-		config.addAllowedHeader("Cache-Control");
-		config.addAllowedOrigin("*");
-		config.addExposedHeader("Location");
-		config.addExposedHeader("Content-Location");
-		config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"));
+		CorsInterceptor corsInterceptor = new CorsInterceptor();
 		registerInterceptor(corsInterceptor);
 
 		/*

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/interceptor/CorsInterceptor.java

@@ -21,11 +21,13 @@ package ca.uhn.fhir.rest.server.interceptor;
  */
 
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.Arrays;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import ca.uhn.fhir.rest.api.Constants;
 import org.apache.commons.lang3.Validate;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsProcessor;
@@ -44,14 +46,16 @@ public class CorsInterceptor extends InterceptorAdapter {
 	 * a FHIR server. This includes:
 	 * <ul>
 	 * <li>Allowed Origin: *</li>
-	 * <li>Allowed Header: Origin</li>
 	 * <li>Allowed Header: Accept</li>
-	 * <li>Allowed Header: X-Requested-With</li>
-	 * <li>Allowed Header: Content-Type</li>
-	 * <li>Allowed Header: Access-Control-Request-Method</li>
 	 * <li>Allowed Header: Access-Control-Request-Headers</li>
-	 * <li>Exposed Header: Location</li>
+	 * <li>Allowed Header: Access-Control-Request-Method</li>
+	 * <li>Allowed Header: Cache-Control</li>
 	 * <li>Exposed Header: Content-Location</li>
+	 * <li>Allowed Header: Content-Type</li>
+	 * <li>Exposed Header: Location</li>
+	 * <li>Allowed Header: Origin</li>
+	 * <li>Allowed Header: Prefer</li>
+	 * <li>Allowed Header: X-Requested-With</li>
 	 * </ul>
 	 * Note that this configuration is useful for quickly getting CORS working, but
 	 * in a real production system you probably want to consider whether it is
@@ -108,21 +112,14 @@ public class CorsInterceptor extends InterceptorAdapter {
 	private static CorsConfiguration createDefaultCorsConfig() {
 		CorsConfiguration retVal = new CorsConfiguration();
 
-		// *********************************************************
-		// Update constructor documentation if you change these:
-		// *********************************************************
+		retVal.setAllowedHeaders(new ArrayList<>(Constants.CORS_ALLOWED_HEADERS));
+		retVal.setAllowedMethods(new ArrayList<>(Constants.CORS_ALLWED_METHODS));
 
-		retVal.addAllowedHeader("Origin");
-		retVal.addAllowedHeader("Accept");
-		retVal.addAllowedHeader("X-Requested-With");
-		retVal.addAllowedHeader("Content-Type");
-		retVal.addAllowedHeader("Access-Control-Request-Method");
-		retVal.addAllowedHeader("Access-Control-Request-Headers");
-		retVal.addAllowedHeader("Cache-Control");
-		retVal.addAllowedOrigin("*");
-		retVal.addExposedHeader("Location");
 		retVal.addExposedHeader("Content-Location");
-		retVal.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"));
+		retVal.addExposedHeader("Location");
+
+		retVal.addAllowedOrigin("*");
+
 
 		return retVal;
 	}

src/changes/changes.xml

@@ -158,7 +158,7 @@
 				Michael Lawley for the pull request!
 			</action>
 			<action type="add">
-				Add <![CDATA[<code>Prefer</code>]]> to the list of headers which are declared as
+				Add <![CDATA[<code>Prefer</code> and <code>Cache-Control</code>]]> to the list of headers which are declared as
 				being acceptable for CORS requests in CorsInterceptor, CLI, and JPA Example.
 				Thanks to Patrick Werner for the pull request!
 			</action>