Best way to implement method OPTIONS in REST services

Solution 1

You don't need to implements the OPTIONS HTTP VERB in this case. Since you're using RESTEasy, which is the JAX-RS implementation used by Wildfly, the issue I encountered was due to the servlet-mapping on web.xml.

I have encountered this when I added the JAX-RS facet on Eclipse and tell it to update the web.xml. The default generated web.xml containing the Restful application mapping doesn't map your application properly to your RESTful resource path.

This is how the web.xml should look like, provided you have not created your own custom Application.

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
    version="3.1">
    <display-name>My REST API</display-name>
    <description>My REST API</description>
    <servlet>
        <description>JAX-RS Tools Generated - Do not modify</description>
        <servlet-name>javax.ws.rs.core.Application</servlet-name>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>javax.ws.rs.core.Application</servlet-name>
        <url-pattern>/jaxrs/*</url-pattern>
    </servlet-mapping>
</web-app>

Make sure that your <servlet-name> and <servlet-mapping> are mapped as in the example above. If you extended the Application class, just specify it in your web.xml instead of the default Application as shown above.

Also, your @POST resource method, it's recommended to specify the resource type of your RESTful data (in your case, your DTO) using @Consumes annotation.

Eg.

@POST
@Path("/save")
@Consumes({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
@Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
public Response save(CervejaDTO cervejaDTO)

}

Solution 2

I tried RestEasy's CorsFilter but calls made with the OPTIONS method were returning

RESTEASY003655: No resource method found for options, return OK with Allow header

I wrote a simple filter that:

1. Makes sure the CORS header you need are applied to the response.
2. Returns the HTTP status code 200 when calling an endpoint with the OPTIONS method. You just tell the client that its CORS preflight requests was accepted.

Here is the code. This is a simplified version, ditry - yet efficient. Feel free to refine the filter if you only want to send back a 200 when querying a "real" endpoint.

@Provider 
public class CorsFilter implements ContainerResponseFilter {  

  @Override
  public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) throws IOException {
    MultivaluedMap<String, Object> headers = responseContext.getHeaders();
    headers.add("Access-Control-Allow-Origin", "*"); // If you want to be more restrictive it could be localhost:4200
    headers.add("Access-Control-Allow-Methods", "GET, PUT, POST, OPTIONS"); // You can add HEAD, DELETE, TRACE, PATCH
    headers.add("Access-Control-Allow-Headers", "Content-Type, Authorization, Accept, Accept-Language"); // etc

    if (requestContext.getMethod().equals("OPTIONS"))
        responseContext.setStatus(200);
}}

From this post and my preferred CORS explanation.

Solution 3

"however, when I implement the POST method, it says that I don't have the OPTIONS method implemented for it."

"When i make a POST or DELTE request, the application make automatically a OPTIONS request before"

This definitely sound like a CORS (Cross Origin Resource Sharing) problem. You can read more about it at HTTP access control (CORS). Basically the OPTIONS request is preflight request before the actual request. This will happen for certain types of AJAX requests.

For this, RESTeasy has the CorsFilter you can register. You need to configure the filter to the settings you want to allow. Also see an example here for one way to configure it.

@OPTIONS
@Path("{path:.*}")
public Response handleCORSRequest() throws Exception {
    Response.ResponseBuilder builder = Response.ok();
    return builder.build();
}

    import javax.ws.rs.core.Context;
    import javax.ws.rs.core.HttpHeaders;
    import javax.ws.rs.core.Response;
    import javax.ws.rs.core.Response.ResponseBuilder;
    import javax.ws.rs.ext.ExceptionMapper;
    import javax.ws.rs.ext.Provider;

    import org.jboss.resteasy.spi.DefaultOptionsMethodException;

    @Provider
    public class OptionsHander implements
         ExceptionMapper<DefaultOptionsMethodException> {

    private static final String ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
    private static final String ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";

    private static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
    private static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
    private static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";

    private static final String ACCESS_CONTROL_ALLOW_ORIGIN_ANYONE = "*";

    @Context HttpHeaders httpHeaders;

    @Override
    public Response toResponse(DefaultOptionsMethodException exception) {

        final ResponseBuilder response = Response.ok();

        String requestHeaders = httpHeaders.getHeaderString(ACCESS_CONTROL_REQUEST_HEADERS);
        String requestMethods = httpHeaders.getHeaderString(ACCESS_CONTROL_REQUEST_METHOD);

        if (requestHeaders != null)
            response.header(ACCESS_CONTROL_ALLOW_HEADERS, requestHeaders);

        if (requestMethods != null)
            response.header(ACCESS_CONTROL_ALLOW_METHODS, requestMethods);

        // TODO: development only, too permissive
        response.header(ACCESS_CONTROL_ALLOW_ORIGIN, ACCESS_CONTROL_ALLOW_ORIGIN_ANYONE);

        return response.build();
    }
}

Author by

Eduardo Vendruscolo

Updated on June 08, 2022