springcoderlm
diff --git a/‎zipkin-server/pom.xml
Lines changed: 0 additions & 1 deletion b/‎zipkin-server/pom.xml
Lines changed: 0 additions & 1 deletion
diff --git a/‎zipkin-server/src/main/java/zipkin/server/CorsHandler.java
Lines changed: 160 additions & 0 deletions b/‎zipkin-server/src/main/java/zipkin/server/CorsHandler.java
Lines changed: 160 additions & 0 deletions
diff --git a/‎zipkin-server/src/main/java/zipkin/server/ZipkinServerConfiguration.java
Lines changed: 16 additions & 22 deletions b/‎zipkin-server/src/main/java/zipkin/server/ZipkinServerConfiguration.java
Lines changed: 16 additions & 22 deletions
@@ -63,7 +63,6 @@
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-undertow</artifactId>
-      <optional>true</optional>
     </dependency>
 
     <!-- zipkin requires exporting /health endpoint -->
 
@@ -0,0 +1,160 @@
+/**
+ * Copyright 2015-2017 The OpenZipkin Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package zipkin.server;
+
+import io.undertow.server.HandlerWrapper;
+import io.undertow.server.HttpHandler;
+import io.undertow.server.HttpServerExchange;
+import io.undertow.util.HeaderMap;
+import io.undertow.util.HttpString;
+import java.util.Arrays;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * Inspired by Netty's CorsHandler and driven by tests in https://github.com/rs/cors
+ *
+ * <p>This implementation simplified based on needs of the zipkin UI. For example, we don't need
+ * sophisticated expressions, nor do we need to send back non-default response headers
+ * (Access-Control-Expose-Headers). Finally, we don't have authorization
+ * (Access-Control-Allow-Credentials) at the moment. When these assumptions change, we can complete
+ * the implementation.
+ */
+
+final class CorsHandler implements HttpHandler, HandlerWrapper {
+  private static Logger logger = Logger.getLogger(CorsHandler.class.getName());
+
+  static final HttpString
+    OPTIONS = HttpString.tryFromString("OPTIONS"),
+    ORIGIN = HttpString.tryFromString("origin"),
+    VARY = HttpString.tryFromString("vary"),
+    ACCESS_CONTROL_ALLOW_METHODS = HttpString.tryFromString("access-control-allow-methods"),
+    ACCESS_CONTROL_ALLOW_HEADERS = HttpString.tryFromString("access-control-allow-headers"),
+    ACCESS_CONTROL_ALLOW_ORIGIN = HttpString.tryFromString("access-control-allow-origin"),
+    ACCESS_CONTROL_REQUEST_METHOD = HttpString.tryFromString("access-control-request-method"),
+    ACCESS_CONTROL_REQUEST_HEADERS = HttpString.tryFromString("access-control-request-headers");
+
+  final List<String> allowedOrigins;
+  final List<String> allowedHeaders;
+  final boolean wildcardOrigin;
+  HttpHandler next;
+
+  CorsHandler(String allowedOrigins) {
+    this.allowedOrigins = Arrays.asList(allowedOrigins.split(","));
+    this.allowedHeaders = Arrays.asList(
+      "accept",
+      "content-type",
+      "content-encoding",
+      "origin"
+    );
+    this.wildcardOrigin = this.allowedOrigins.contains("*");
+  }
+
+  @Override public void handleRequest(HttpServerExchange exchange) throws Exception {
+    if (isPreflightRequest(exchange)) {
+      handlePreflight(exchange);
+      exchange.getResponseSender().close();
+      return;
+    }
+
+    if (!validateOrigin(exchange)) {
+      exchange.setStatusCode(403).getResponseSender().send("CORS error\n");
+      return;
+    }
+
+    next.handleRequest(exchange);
+  }
+
+  /** Statically allows headers used by the api */
+  void handlePreflight(HttpServerExchange exchange) {
+    HeaderMap requestHeaders = exchange.getRequestHeaders();
+    String origin = requestHeaders.getFirst(ORIGIN);
+    String method = requestHeaders.getFirst(ACCESS_CONTROL_REQUEST_METHOD);
+    String requestedHeaders = requestHeaders.getFirst(ACCESS_CONTROL_REQUEST_HEADERS);
+    HeaderMap responseHeaders = exchange.getResponseHeaders();
+
+    responseHeaders.put(VARY,
+      "origin,access-control-request-method,access-control-request-headers");
+    if (
+      ("POST".equals(method) || "GET".equals(method))
+        && requestedHeadersAllowed(requestedHeaders)
+        && setOrigin(origin, responseHeaders)
+      ) {
+      responseHeaders.put(ACCESS_CONTROL_ALLOW_METHODS, method);
+      if (requestedHeaders != null) {
+        responseHeaders.put(ACCESS_CONTROL_ALLOW_HEADERS, requestedHeaders);
+      }
+    }
+  }
+
+  boolean requestedHeadersAllowed(String requestedHeaders) {
+    if (requestedHeaders == null) return true;
+    StringBuilder next = new StringBuilder();
+    for (int i = 0, length = requestedHeaders.length(); i < length; i++) {
+      char c = requestedHeaders.charAt(i);
+      if (c == ' ') continue;
+      if (c >= 'A' && c <= 'Z') c += 'a' - 'A'; // lowercase
+      if (c != ',') next.append(c);
+      if (c == ',' || i + 1 == length) {
+        String toTest = next.toString();
+        if (!allowedHeaders.contains(toTest)) {
+          if (logger.isLoggable(Level.FINE)) {
+            logger.fine(toTest + " is not an allowed header: " + allowedHeaders);
+          }
+          return false;
+        }
+        next.setLength(0);
+      }
+    }
+    return true;
+  }
+
+  boolean validateOrigin(HttpServerExchange exchange) {
+    HeaderMap responseHeaders = exchange.getResponseHeaders();
+    responseHeaders.put(VARY, "origin");
+    String origin = exchange.getRequestHeaders().getFirst(ORIGIN);
+    if (origin == null) return true; // just vary
+    return setOrigin(origin, responseHeaders);
+  }
+
+  private static boolean isPreflightRequest(HttpServerExchange exchange) {
+    HeaderMap headers = exchange.getRequestHeaders();
+    return exchange.getRequestMethod().equals(OPTIONS) &&
+      headers.contains(ORIGIN) && headers.contains(ACCESS_CONTROL_REQUEST_METHOD);
+  }
+
+  private boolean setOrigin(String origin, HeaderMap responseHeaders) {
+    if ("null".equals(origin)) {
+      responseHeaders.put(ACCESS_CONTROL_ALLOW_ORIGIN, "null");
+      return true;
+    }
+    if (wildcardOrigin) {
+      responseHeaders.put(ACCESS_CONTROL_ALLOW_ORIGIN, "*");
+      return true;
+    } else if (allowedOrigins.contains(origin)) {
+      responseHeaders.put(ACCESS_CONTROL_ALLOW_ORIGIN, origin);
+      return true;
+    }
+    if (logger.isLoggable(Level.FINE)) {
+      logger.fine(origin + " is not an allowed origin: " + allowedOrigins);
+    }
+    return false;
+  }
+
+  @Override public HttpHandler wrap(HttpHandler handler) {
+    this.next = handler;
+    return this;
+  }
+}
@@ -14,7 +14,6 @@
 package zipkin.server;
 
 import com.github.kristofa.brave.Brave;
-import java.util.Arrays;
 import java.util.Optional;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
@@ -23,24 +22,20 @@
 import org.springframework.boot.actuate.metrics.buffer.CounterBuffers;
 import org.springframework.boot.actuate.metrics.buffer.GaugeBuffers;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.context.embedded.undertow.UndertowEmbeddedServletContainerFactory;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Condition;
 import org.springframework.context.annotation.ConditionContext;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.type.AnnotatedTypeMetadata;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-import org.springframework.web.filter.CorsFilter;
 import zipkin.collector.CollectorMetrics;
 import zipkin.collector.CollectorSampler;
 import zipkin.internal.V2StorageComponent;
 import zipkin.server.brave.TracedStorageComponent;
 import zipkin.storage.StorageComponent;
 import zipkin2.storage.InMemoryStorage;
 
-import static java.util.Arrays.asList;
-
 @Configuration
 public class ZipkinServerConfiguration {
 
@@ -49,6 +44,17 @@ public class ZipkinServerConfiguration {
     return new ZipkinHealthIndicator(healthAggregator);
   }
 
+  @Bean public UndertowEmbeddedServletContainerFactory embeddedServletContainerFactory(
+    @Value("${zipkin.query.allowed-origins:*}") String allowedOrigins
+  ) {
+    UndertowEmbeddedServletContainerFactory factory = new UndertowEmbeddedServletContainerFactory();
+    CorsHandler cors = new CorsHandler(allowedOrigins);
+    factory.addDeploymentInfoCustomizers(
+      info -> info.addInitialHandlerChainWrapper(cors)
+    );
+    return factory;
+  }
+
   @Bean
   @ConditionalOnMissingBean(CollectorSampler.class)
   CollectorSampler traceIdSampler(@Value("${zipkin.collector.sample-rate:1.0}") float rate) {
@@ -57,14 +63,15 @@ CollectorSampler traceIdSampler(@Value("${zipkin.collector.sample-rate:1.0}") fl
 
   @Bean
   @ConditionalOnMissingBean(CollectorMetrics.class)
-  CollectorMetrics metrics(Optional<CounterBuffers> counterBuffers, Optional<GaugeBuffers> gaugeBuffers) {
+  CollectorMetrics metrics(Optional<CounterBuffers> counterBuffers,
+    Optional<GaugeBuffers> gaugeBuffers) {
     // it is not guaranteed that BufferCounterService/CounterBuffers will be used,
     // for ex., com.datastax.cassandra:cassandra-driver-core brings com.codahale.metrics.MetricRegistry
     // and as result DropwizardMetricServices is getting instantiated instead of standard Java8 BufferCounterService.
     // On top of it Cassandra driver heavily relies on Dropwizard metrics and manually excluding it from pom.xml is not an option.
     // MetricsDropwizardAutoConfiguration can be manually excluded either, as Cassandra metrics won't be recorded.
     return new ActuateCollectorMetrics(counterBuffers.orElse(new CounterBuffers()),
-                                       gaugeBuffers.orElse(new GaugeBuffers()));
+      gaugeBuffers.orElse(new GaugeBuffers()));
   }
 
   @Configuration
@@ -89,19 +96,6 @@ public Object postProcessAfterInitialization(Object bean, String beanName) {
     }
   }
 
-  @Bean
-  @ConditionalOnMissingBean(CorsFilter.class)
-  CorsFilter corsFilter(@Value("${zipkin.query.allowed-origins:*}") String allowedOrigins) {
-    CorsConfiguration configuration = new CorsConfiguration();
-    configuration.setAllowedOrigins(asList(allowedOrigins.split(",")));
-    configuration.setAllowedMethods(asList("GET", "POST"));
-    configuration.setAllowCredentials(false);
-    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-    source.registerCorsConfiguration("/api/**", configuration);
-    source.registerCorsConfiguration("/zipkin/api/**", configuration);
-    return new CorsFilter(source);
-  }
-
   /**
    * This is a special-case configuration if there's no StorageComponent of any kind. In-Mem can
    * supply both read apis, so we add two beans here.
@@ -128,7 +122,7 @@ static final class StorageTypeMemAbsentOrEmpty implements Condition {
     @Override public boolean matches(ConditionContext condition, AnnotatedTypeMetadata ignored) {
       String storageType = condition.getEnvironment().getProperty("zipkin.storage.type");
       if (storageType == null) return true;
-      storageType  = storageType.trim();
+      storageType = storageType.trim();
       if (storageType.isEmpty()) return true;
       return storageType.equals("mem");
     }