Bug 57180

Summary: CorsFilter does not support PATCH method
Product: Tomcat 7 Reporter: Frank Kline <frank.kline>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: normal CC: frank.kline
Priority: P2    
Version: 7.0.56   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Frank Kline 2014-11-03 22:53:58 UTC
The CorsFilter provided with Tomcat 7 should support the PATCH method.
Comment 1 Christopher Schultz 2014-11-03 23:13:19 UTC
Bugzilla is not a support forum. If you need help, please post to the user's mailing list.

Hint: you can set the "cors.allowed.methods" init-param for the CorsFilter and allow whatever HTTP methods you want. By default, the filter supports GET,POST,HEAD,OPTIONS but you can add whatever you want to that list.

Comment 2 Frank Kline 2014-11-03 23:20:59 UTC
This isn't a help request; it's a bug report.

Irrespective of allowed methods, the preflight filter evaluates the following:
"if (method != null && HTTP_METHODS.contains(method)) {" as well as "else if (COMPLEX_HTTP_METHODS.contains(method)) {"

Neither HTTP_METHODS nor COMPLEX_HTTP_METHODS contain "PATCH" hence, the original definition of "CORSRequestType requestType = CORSRequestType.INVALID_CORS;" is used.

Adding "PATCH" to both HTTP_METHODS and COMPLEX_HTTP_METHODS just purely enables the use of the allowed methods filter param.
Comment 3 Mark Thomas 2014-12-01 11:57:27 UTC
I have removed the check against complex methods.

This has been fixed in trunk 8.0.x (for 8.0.16 onwards) and 7.0.x (for 7.0.58 onwards).
Comment 4 Frank Kline 2014-12-01 14:45:39 UTC
Fantastic! Thanks, Mark.
Comment 5 Frank Kline 2015-02-04 05:55:00 UTC
Seems like this is still broken in 8.0.18. The check for a valid cors method is gated by a check against HTTP_METHODS, which doesn't include PATCH. 

Note there is an additional spec for the addition of PATCH:

     * {@link Collection} of HTTP methods. Case sensitive.
     * @see  <a href="http://tools.ietf.org/html/rfc2616#section-5.1.1"
     *       >http://tools.ietf.org/html/rfc2616#section-5.1.1</a>
    public static final Collection<String> HTTP_METHODS =
            new HashSet<>(Arrays.asList("OPTIONS", "GET", "HEAD", "POST", "PUT",
                    "DELETE", "TRACE", "CONNECT"));
Comment 6 Mark Thomas 2015-02-04 09:41:12 UTC
Additional fix applied to trunk, 8.0.x (for 8.0.19 onwards) and 7.0.x (for 7.0.60 onwards).