[aerogear-dev] Dealing with secured endpoints and CORS

Sebastien Blanc scm.blanc at gmail.com
Thu Aug 1 15:01:20 EDT 2013


Hi Folks,

I'm facing an issue and I hope you could help me on this.

My app is using ag-sec with the @secure annotation and Resteasy.

Scenario: hitting secured endpoints without CORS (webapp deployed in the same domain)
<https://gist.github.com/sebastienblanc/6133102#scenario-hitting-secured-endpoints-without-cors-webapp-deployed-in-the-same-domain>

When the user does not have the role specified by @secure I get an exception, as
expected: https://gist.github.com/sebastienblanc/6134149

I assume it is because of this:
https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/interceptor/SecurityInterceptor.java#L71
and, perfect, it works as designed.

The server returns a nice 401 status to the client.

Testing in a CORS configuration (web client running under another domain)
<https://gist.github.com/sebastienblanc/6133102#testing-in-a-cors-configuration-web-client-running-under-another-domain>

Same scenario: I'm hitting a secure endpoint without having the role needed
(BTW the OPTIONS preflights are handled without any errors).

I'm getting the same exception from the server, but this time no proper 401
answer is sent back to the client, and on the client side the request is just
cancelled.

To reproduce this scenario, here are the steps:

   - Clone this branch
   https://github.com/sebastienblanc/aerogear-push-quickstart-backend/tree/cors_tests
   then run mvn clean install and mvn jboss-as:deploy

   - Clone this branch:
   https://github.com/aerogear/aerogear-push-quickstart-web/tree/AGPUSH-160 and
   deploy it, making sure it's not running on the same port as the aerodoc backend
   (for instance python -m SimpleHTTPServer)

   - Browse to the simple client (in case you use the python webserver it will be
   localhost:8000)

   - Login with maria/123

   - Refresh the page: you should see the failure on retrieving the /leads
   endpoint.

So, what I'm looking for is to have a normal 401 status sent back to the
client when using CORS; maybe someone has some ideas about this?


Regards,

Seb
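Added example, not part of Seb's post or of the AeroGear code: a small Node.js simulation of a Resteasy-style filter chain that shows why a 401 raised by a security interceptor never reaches a cross-origin client unless the CORS headers are also attached to that error response. The filter names, the chain ordering and the `admin` role are hypothetical; the origin `http://localhost:8000` is the client address from the post, and the browser-side check assumes a credentialed (session-cookie) request.

```javascript
// Constructed simulation (not AeroGear/Resteasy code): filters take (req, res)
// and may throw; the resource runs last. Names and ordering are hypothetical.
const ALLOWED_ORIGIN = 'http://localhost:8000'; // web client origin from the post

class Unauthorized extends Error {}

// Attaches the CORS response headers for the allowed origin.
const corsFilter = (req, res) => {
  if (req.headers.origin === ALLOWED_ORIGIN) {
    res.headers['Access-Control-Allow-Origin'] = ALLOWED_ORIGIN;
    res.headers['Access-Control-Allow-Credentials'] = 'true';
  }
};

// Stand-in for the @secure interceptor: rejects callers lacking the role.
const secureInterceptor = (req, res) => {
  if (!req.roles.includes('admin')) throw new Unauthorized('missing role admin');
};

const leadsResource = (req, res) => { res.status = 200; res.body = '[]'; };

// Runs the chain. An Unauthorized error becomes a 401 and aborts the chain,
// so a filter placed after the interceptor never touches the error response.
function handle(req, chain) {
  const res = { status: 200, headers: {}, body: '' };
  try {
    for (const step of chain) step(req, res);
  } catch (e) {
    if (!(e instanceof Unauthorized)) throw e;
    res.status = 401;
    res.body = '';
  }
  return res;
}

// What the browser checks before handing a cross-origin response to script.
// If the check fails, script sees a generic network error, not the 401.
function browserExposes(res, origin, withCredentials = true) {
  const acao = res.headers['Access-Control-Allow-Origin'];
  if (withCredentials) { // cookie-backed session: '*' is not accepted
    return acao === origin && res.headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === origin;
}

// Constructed request: cross-origin, logged-in user who lacks the required role.
const req = { headers: { origin: ALLOWED_ORIGIN }, roles: ['user'] };
// Interceptor first: the 401 leaves the server without CORS headers.
const brokenRes = handle(req, [secureInterceptor, corsFilter, leadsResource]);
// CORS headers added before the check (or by an exception mapper): 401 is readable.
const fixedRes = handle(req, [corsFilter, secureInterceptor, leadsResource]);
```

Both responses carry status 401; only the second one is visible to the client script, which is the difference between the "cancelled" request in the post and the normal 401 seen in the same-domain setup.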