Hmmm, that would not be consistent with the outcome. There's indeed a match and a method; it is just not a user-provided one (more precisely, the matching algorithm in Section 3.7.2 is not exiting via a 404 clause; OPTIONS is covered in 3a).
Yes, you're right: the outcome tells us that a match occurred, so it is kind of weird not to invoke the post-matching request filter...
Well, to tell you the truth, I'm not really comfortable with this default implementation concept. I think that no default implementation should be provided when there is no user-defined Java method to handle OPTIONS requests.
I say that because most of the time OPTIONS requests are used for CORS requests.
As you may know, a CORS request is a way for the browser to ask the backend server whether it is OK to handle a request coming from a different origin/domain than the one where it is hosted (see the "Origin" header).
So, as stated in the spec, with only "the metadata provided by the JAX-RS annotations on the matching class and its methods", how can the JAX-RS implementation decide whether a request coming from origin X is allowed or not?
In my opinion, it can't, since there are no native JAX-RS annotations dealing with hosting/domain. So what are we expecting as the default behavior?
- If the default generated response does not contain the header "Access-Control-Allow-Origin", it is an error.
- If the default generated response contains the header "Access-Control-Allow-Origin" set to "*", it is a security problem. From a security point of view, allowing everything is not an acceptable default behavior. The default behavior should be the most restrictive one.
- If the default generated response contains the header "Access-Control-Allow-Origin" set to the value of the "Origin" header, it is a security problem. From a security point of view, allowing whatever has been asked for is not an acceptable default behavior. The default behavior should be the most restrictive one.
So my point is that relying only on "the metadata provided by the JAX-RS annotations on the matching class and its methods" is not enough to get an acceptable default behavior; we need another piece of user-provided metadata: the allowed origin.
So, since there is no such JAX-RS ANNOTATION to provide such metadata, I would suggest removing this default implementation concept from the spec and letting each JAX-RS vendor provide support for this feature if they want.
WDYT?
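For readers following the thread, here is what the "most restrictive default" argued for above looks like when the application supplies the missing metadata itself. This is an added example, not code from the original thread and not the default behavior of any JAX-RS implementation. It assumes the JAX-RS 2.0 `javax.ws.rs` API and a hard-coded allowlist of origins standing in for application configuration; the class name and the list contents are illustrative. Because the filter is annotated `@PreMatching`, it runs before resource matching, so it does not depend on a post-matching filter being invoked for the default OPTIONS response discussed above.

```java
import java.io.IOException;
import java.util.Set;

import javax.ws.rs.HttpMethod;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Added example (not from the original thread, not JAX-RS default behaviour):
 * answer CORS preflight (OPTIONS) requests from an application-supplied
 * allowlist of origins instead of "*" or an echo of the Origin header.
 */
@Provider
@PreMatching // runs before resource matching, so it sees OPTIONS even when no resource method handles it
public class CorsPreflightFilter implements ContainerRequestFilter, ContainerResponseFilter {

    // Assumption: the application decides which origins may call it.
    // Hard-coded here for illustration; real code would read this from configuration.
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://app.example.com");
    private static final String ALLOWED_METHODS = "GET, POST, PUT, DELETE";
    private static final String ALLOWED_HEADERS = "Content-Type, Authorization";

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        String origin = request.getHeaderString("Origin");
        // A CORS preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method.
        boolean preflight = HttpMethod.OPTIONS.equals(request.getMethod())
                && origin != null
                && request.getHeaderString("Access-Control-Request-Method") != null;
        if (!preflight) {
            return; // ordinary request (or a non-CORS OPTIONS): let matching proceed as usual
        }
        if (!ALLOWED_ORIGINS.contains(origin)) {
            // Most restrictive default: no Access-Control-* headers at all,
            // so the browser refuses the cross-origin call.
            request.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        // Allowlisted origin: answer the preflight here, echoing only a known-good origin.
        request.abortWith(Response.noContent()
                .header("Access-Control-Allow-Origin", origin)
                .header("Vary", "Origin")
                .header("Access-Control-Allow-Methods", ALLOWED_METHODS)
                .header("Access-Control-Allow-Headers", ALLOWED_HEADERS)
                .header("Access-Control-Max-Age", "600")
                .build());
    }

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response) {
        // The actual (non-preflight) cross-origin request also needs the allow-origin
        // header on its response; again only for allowlisted origins.
        String origin = request.getHeaderString("Origin");
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            response.getHeaders().putSingle("Access-Control-Allow-Origin", origin);
            response.getHeaders().add("Vary", "Origin");
        }
    }
}
```

Register the class as a provider with the application (for example by returning it from `Application.getClasses()`). The `Vary: Origin` header matters whenever the allow-origin value depends on the request, otherwise a shared cache may serve one origin's response to another.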