CXF-8190

UriBuilder / HttpUtils replaces 127.0.0.1 by localhost

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      If you access a locally running REST endpoint in the browser using the IP address 127.0.0.1 and the REST endpoint implementation is using the UriInfo to build a new URL by the URI builder (e.g. a created resource), the reply will not use the host as accessed (127.0.0.1) but replaces the host by "localhost".

      If the web application then tries to access the location, the browsers will block that request because of a cross-origin access.

       

      Assume a very simple REST endpoint:

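      import java.net.URI;
      import javax.ws.rs.POST;
      import javax.ws.rs.Path;
      import javax.ws.rs.Produces;
      import javax.ws.rs.core.Context;
      import javax.ws.rs.core.MediaType;
      import javax.ws.rs.core.Response;
      import javax.ws.rs.core.UriInfo;
      import org.osgi.service.component.annotations.Component;
      import org.osgi.service.component.annotations.ServiceScope;
      import org.osgi.service.jaxrs.whiteboard.propertytypes.JaxrsResource;

      @Component(service = { Resource.class }, scope = ServiceScope.PROTOTYPE)
      @JaxrsResource
      public class Resource {
          @POST
          @Path("create")
          @Produces(MediaType.APPLICATION_JSON)
          public Object createTest(@Context final UriInfo uriInfo) {
              // Build the Location from the base URI the request arrived on.
              final URI uri = uriInfo.getBaseUriBuilder().path("foo").path("bar").build();
              return Response.created(uri).build();
          }
      }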

      If I call the post method of that endpoint using the URL "http://localhost:8080/create" I get a created location that looks like "http://localhost:8080/foo/bar".

      All fine.

      $ curl -v -X POST http://localhost:8080/create
       *   Trying ::1:8080...
       * TCP_NODELAY set
       * Connected to localhost (::1) port 8080 (#0)
       > POST /create HTTP/1.1
       > Host: localhost:8080
       > User-Agent: curl/7.67.0
       > Accept: */*
       >
       * Mark bundle as not supporting multiuse
       < HTTP/1.1 201 Created
       < Date: Tue, 10 Dec 2019 17:41:47 GMT
       < Location: http://localhost:8080/foo/bar
       < Content-Length: 0
       <
       * Connection #0 to host localhost left intact

      But, I would expect if I access the endpoint using the IP instead of the hostname "http://127.0.0.1:8080/create" the created response's location should look like "http://127.0.0.1:8080/foo/bar".

      But that is not the case...

      The response provides "http://localhost:8080/foo/bar"

      curl -v -X POST http://127.0.0.1:8080/create
       *   Trying 127.0.0.1:8080...
       * TCP_NODELAY set
       * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
       > POST /create HTTP/1.1
       > Host: 127.0.0.1:8080
       > User-Agent: curl/7.67.0
       > Accept: */*
       >
       * Mark bundle as not supporting multiuse
       < HTTP/1.1 201 Created
       < Date: Tue, 10 Dec 2019 17:44:00 GMT
       < Location: http://localhost:8080/foo/bar
       < Content-Length: 0
       <
       * Connection #0 to host 127.0.0.1 left intact

      If the website that is accessed using 127.0.0.1 provides a location using localhost and that one is used by the browser, the browser fails because of CORS.

       

      I already looked at the sources to see what is causing the change from 127.0.0.1 to localhost and found it:

      After the line https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/impl/UriInfoImpl.java#L83 has been executed the variable u looks like http://127.0.0.1:8080/

      After that "toAbsoluteUri" of HttpUtils is called.
      That's the part of the code that replaces 127.0.0.1 by localhost https://github.com/apache/cxf/blob/cxf-3.2.5/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/HttpUtils.java#L388-L391

      The commit that added that part of code is https://github.com/apache/cxf/commit/ebc910780b2b9b971a7c1c2e4019bdf9ec35e460#diff-1e4a62a6414e4007d2f5be9f0313c8c0R311-R314

      The git commit referenced the wrong Jira (2007) - it should have been https://issues.apache.org/jira/browse/CXF-5007


            People

            • Assignee: Unassigned
            • Reporter: maggu2810 Markus Rathgeb
            • Votes: 0
            • Watchers: 3
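The origin mismatch described in the report, as an added example that is not part of the original issue and is not CXF code: it reads the request `Host` and response `Location` from `curl -v` output and compares origins the way a browser does. The function names are hypothetical, the sample lines are constructed from the two exchanges above, and the `http` scheme is an assumption because curl's header dump does not show it.

```javascript
// Added example, not CXF code. All function names are hypothetical.
const LOOPBACK_NAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Constructed input: Host and Location lines as in the two curl -v runs above.
const VIA_NAME = [
  "> POST /create HTTP/1.1",
  "> Host: localhost:8080",
  "< HTTP/1.1 201 Created",
  "< Location: http://localhost:8080/foo/bar",
].join("\n");
const VIA_IP = [
  "> POST /create HTTP/1.1",
  "> Host: 127.0.0.1:8080",
  "< HTTP/1.1 201 Created",
  "< Location: http://localhost:8080/foo/bar",
].join("\n");

// Pull the request Host and the response Location out of curl -v output.
function parseExchange(verboseOutput) {
  let host = null, location = null;
  for (const raw of verboseOutput.split("\n")) {
    const line = raw.trim();
    const h = /^> Host:\s*(\S+)/i.exec(line);
    const l = /^< Location:\s*(\S+)/i.exec(line);
    if (h) host = h[1];
    if (l) location = l[1];
  }
  return { host, location };
}

// Compare origins the way a browser does: scheme, host and port must all match.
// Assumption: the scheme is not visible in curl output, so the caller supplies it.
function checkLocation(verboseOutput, scheme = "http") {
  const { host, location } = parseExchange(verboseOutput);
  if (!host || !location) return { verdict: "incomplete" };
  const request = new URL(`${scheme}://${host}/`);
  const target = new URL(location, request); // a relative Location stays same-origin
  if (target.origin === request.origin) return { verdict: "same-origin" };
  const alias = LOOPBACK_NAMES.has(request.hostname) && LOOPBACK_NAMES.has(target.hostname);
  return {
    verdict: alias ? "loopback-alias-rewrite" : "cross-origin",
    requestOrigin: request.origin,
    locationOrigin: target.origin,
  };
}

console.log(checkLocation(VIA_NAME).verdict, checkLocation(VIA_IP).verdict);
```

Both names resolve to the loopback interface, but the origin comparison is textual, so the second exchange is reported as `loopback-alias-rewrite`; a relative `Location` would resolve against the request origin and stay same-origin.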