
FIX CORS header

Fixing CORS header in ControllerServlet
mkepka há 4 anos atrás
pai
commit
e38a5f8a3b

+ 1 - 1
pom.xml

@@ -3,7 +3,7 @@
     <groupId>cz.hsrs.maplog</groupId>
     <artifactId>DBService</artifactId>
     <packaging>war</packaging>
-    <version>1.3.5-SNAPSHOT</version>
+    <version>15</version>
     <name>dbservice Maven Webapp</name>
     <url>http://maven.apache.org</url>
 

+ 7 - 0
src/main/java/cz/hsrs/rest/util/CorsFilter.java

@@ -4,6 +4,11 @@ import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerResponseContext;
 import javax.ws.rs.container.ContainerResponseFilter;
 
+/**
+ * CORS filter for REST services
+ * @author mkepka
+ *
+ */
 public class CorsFilter implements ContainerResponseFilter {
 
     @Override
@@ -16,7 +21,9 @@ public class CorsFilter implements ContainerResponseFilter {
             responseContext.getHeaders().add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD");
         }
         else {
+        	responseContext.getHeaders().add("Access-Control-Allow-Origin", "*");
         	responseContext.getHeaders().add("Access-Control-Allow-Headers", "origin, content-type, accept, authorization");
+        	responseContext.getHeaders().add("Access-Control-Allow-Credentials", "true");
         	responseContext.getHeaders().add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD");
         }
     }
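Review bot: The `else` branch now sends `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, a pair that browsers reject for credentialed requests, so calls carrying cookies or an `authorization` header will still fail the CORS check. If credentials are needed, the filter should compare the request's `Origin` with a configured list of trusted origins, echo only a matching value and add `Vary: Origin`. If they are not needed, drop the `Access-Control-Allow-Credentials` line and keep `*`. The same pair is produced in ControllerServlet's REST login branch when no `Origin` header is present. The `filter` method starts outside this hunk, so the condition guarding the `if` branch is not visible here.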

+ 11 - 4
src/main/java/cz/hsrs/servlet/security/ControllerServlet.java

@@ -34,7 +34,7 @@ public class ControllerServlet extends DBServlet {
         /** Session je prazdna... Uzivatel se musi nalogovat */
         LoginUser user = new LoginUser(req);
 
-        /*tests if request came from GUI or from light REST client*/
+        /* tests if request came from GUI or from light REST client*/
         String coming = req.getParameter("coming");
         
         if (user.athenticate(req.getParameter("username"), req.getParameter("password"))) {
@@ -51,6 +51,7 @@ public class ControllerServlet extends DBServlet {
             resp.addCookie(langcookie);
             resp.addCookie(audiocookie);
             
+            /* request from MapLog GUI */ 
             if(coming != null){
                 if (coming.equalsIgnoreCase("null") == false){
                     if(coming.equalsIgnoreCase("/insert.jsp") == true){
@@ -67,12 +68,16 @@ public class ControllerServlet extends DBServlet {
                     JSPHelper.redirect(resp, req.getContextPath() + "/crossroad.jsp");
                 }
             }
-            /** request doesn't contain coming parameter - came from REST client*/
+            /* request doesn't contain coming parameter - came from REST client */
             else{
                 String originDomain = req.getHeader("origin");
-                originDomain = originDomain == null ? req.getScheme() + ":\\\\" + req.getServerName() : "*";
+                //originDomain = originDomain == null ? "*" : req.getScheme() + ":\\\\" + req.getServerName();
+                originDomain = originDomain == null ? "*" : originDomain;
                 resp.setStatus(200);
                 resp.setHeader("Access-Control-Allow-Origin", originDomain);
+                resp.setHeader("Access-Control-Allow-Headers", "origin, content-type, accept, authorization");
+                resp.setHeader("Access-Control-Allow-Credentials", "true");
+                resp.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD");
                 resp.setHeader("Content-Type", "application/json; charset=utf-8");
                 resp.getWriter().println("{\"sessionid\":\""+req.getSession().getId()+"\", \"language\":\""+user.getUserLanguage()+"\", \"audio\":\"" + user.isAudio() + "\", \"rightsID\":"+user.getRightsId()+"}");
             }
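Review bot: `originDomain == null ? "*" : originDomain` copies whatever `Origin` the caller sends into `Access-Control-Allow-Origin`, and the added `Access-Control-Allow-Credentials: true` then makes this response, including the `sessionid` in its body, readable from any origin with the user's cookies attached. The origin should be echoed only when it matches a configured set of trusted client origins, with `Vary: Origin` added so caches do not serve one origin's response to another. When `Origin` is absent no CORS headers are needed at all, which also avoids the `*` plus credentials pair that browsers reject. The commented-out assignment left above the new line should be deleted rather than committed. The enclosing method starts and ends outside this hunk.

```java
String originDomain = req.getHeader("origin");
// ALLOWED_ORIGINS is a placeholder for a configured Set<String> of trusted client origins
if (originDomain != null && ALLOWED_ORIGINS.contains(originDomain)) {
    resp.setHeader("Access-Control-Allow-Origin", originDomain);
    resp.setHeader("Access-Control-Allow-Credentials", "true");
    resp.setHeader("Vary", "Origin");
    resp.setHeader("Access-Control-Allow-Headers", "origin, content-type, accept, authorization");
    resp.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD");
}
// … unchanged: status 200, Content-Type and the JSON body …
```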
@@ -86,7 +91,9 @@ public class ControllerServlet extends DBServlet {
                 /** Login prichazi z REST klienta, vrat jen zpravu*/
             } else{
                 resp.setStatus(401);
-                resp.setHeader("Access-Control-Allow-Origin", "*");
+                String originDomain = req.getHeader("origin");
+                originDomain = originDomain == null ? "*" : req.getScheme() + ":\\\\" + req.getServerName();
+                resp.setHeader("Access-Control-Allow-Origin", originDomain);
                 resp.setHeader("Content-Type", "text/plain; charset=utf-8");
                 resp.getWriter().println("Wrong username or password!");
             }
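Review bot: The 401 branch builds its header value differently from the success branch: when an `Origin` header is present it sends `req.getScheme() + ":\\\\" + req.getServerName()`, which evaluates to `scheme:\\host` with backslashes and no port. That is not a valid origin and is the server's own name rather than the caller's, so a cross-origin REST client cannot read the "Wrong username or password!" response. Both branches should derive the value through one shared helper that checks `Origin` against the trusted-origin list. If the server name is really intended here, the separator should be `"://"`. The enclosing method starts outside this hunk.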