[aerogear-dev] Dealing with secured endpoints and CORS

Daniel Bevenius daniel.bevenius at gmail.com
Fri Aug 2 05:26:42 EDT 2013


I'm sure you can do that. I was just being lazy and it was quicker to test
this way :)




On 2 August 2013 11:23, Sebastien Blanc <scm.blanc at gmail.com> wrote:

> BTW,
>
> Looking at your mapper, I wonder if you could not add that to the HttpExceptionMapper
> class from ag-sec, if it makes sense and no side effects happen (I tried
> it in a non-CORS app and saw no problem). I can do a PR for that on
> aerogear-security?
>
> Seb
>
>
>
> On Fri, Aug 2, 2013 at 11:14 AM, Sebastien Blanc <scm.blanc at gmail.com>wrote:
>
>> \o/
>> You're the man !
>> It works, thx you so much !
>>
>>
>>
>> On Fri, Aug 2, 2013 at 11:09 AM, Daniel Bevenius <
>> daniel.bevenius at gmail.com> wrote:
>>
>>> I've looked into this and I think the cause is that the
>>> HttpExceptionMapper does not add CORS headers. I tried to add an
>>> ExceptionMapper that does add CORS headers and it will then return a 401 to
>>> the browser instead of a failed request.
>>> I've pushed this example to this branch:
>>>
>>> https://github.com/danbev/aerogear-push-quickstart-backend/tree/exception-mapper
>>>
>>> Let me know if this fixes the error you were seeing.
>>>
>>> /Dan
>>>
>>>
>>> On 2 August 2013 09:47, Sebastien Blanc <scm.blanc at gmail.com> wrote:
>>>
>>>>
>>>>
>>>>
>>>> On Fri, Aug 2, 2013 at 9:36 AM, Daniel Bevenius <
>>>> daniel.bevenius at gmail.com> wrote:
>>>>
>>>>> Hey Seb,
>>>>>
>>>>> I'm trying to reproduce this but getting a Javascript error which is:
>>>>> Uncaught ReferenceError: NewLeadController is not defined from aerodoc
>>>>>
>>>>
>>>> Sorry, if you pull now it should be good
>>>>
>>>>>
>>>>>
>>>>> I think I followed the steps above, but I did change the version
>>>>> aerogear.unifiedpush.sender.version to 0.2.1-SNAPSHOT as I did not have
>>>>> 0.2.0-SNAPSHOT. Any ideas about this?
>>>>>
>>>>
>>>> Yes, that is good, though for reproducing this scenario the sender is
>>>> not used, but yes you can use 0.2.1-SNAPSHOT
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 1 August 2013 21:01, Sebastien Blanc <scm.blanc at gmail.com> wrote:
>>>>>
>>>>>> Hi Folks,
>>>>>>
>>>>>> I'm facing an issue and I hope you could help me on this.
>>>>>>
>>>>>> My app is using ag-sec with the @secure annotation and Resteasy.
>>>>>>
>>>>>> Scenario: hitting secured endpoints without CORS (webapp deployed in the same domain)
>>>>>> https://gist.github.com/sebastienblanc/6133102#scenario-hitting-secured-endpoints-without-cors-webapp-deployed-in-the-same-domain
>>>>>>
>>>>>> When the user does not have the role specified by @secure I get an
>>>>>> exception, as expected: https://gist.github.com/sebastienblanc/6134149
>>>>>>
>>>>>> I assume it is because of this
>>>>>> https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/interceptor/SecurityInterceptor.java#L71 and,
>>>>>> perfect, works as designed.
>>>>>>
>>>>>> The server returns a nice 401 status to the client.
>>>>>>
>>>>>> Testing in a CORS configuration (web client running under another domain)
>>>>>> https://gist.github.com/sebastienblanc/6133102#testing-in-a-cors-configuration-web-client-running-under-another-domain
>>>>>>
>>>>>> Same scenario: I'm hitting a secured endpoint without having the role
>>>>>> needed (BTW the OPTIONS preflights are handled without any errors).
>>>>>>
>>>>>> I'm getting the same exception from the server, but this time no
>>>>>> proper 401 answer is sent back to the client, and on the client side the request
>>>>>> is just canceled.
>>>>>>
>>>>>>    1. Reproduce it: to reproduce this scenario, here are the steps:
>>>>>>
>>>>>>    - Clone this branch
>>>>>>    https://github.com/sebastienblanc/aerogear-push-quickstart-backend/tree/cors_tests
>>>>>>    , mvn clean install, mvn jboss-as:deploy
>>>>>>    - Clone this branch:
>>>>>>    https://github.com/aerogear/aerogear-push-quickstart-web/tree/AGPUSH-160
>>>>>>    and deploy it, making sure it's not running on the same port as the aerodoc backend
>>>>>>    (for instance python -m SimpleHTTPServer)
>>>>>>    - Browse to the simple client (in case you use the python webserver it
>>>>>>    will be localhost:8000)
>>>>>>    - Login with maria/123
>>>>>>    - Refresh the page: you should see the failure on retrieving the
>>>>>>    /leads endpoint.
>>>>>>
>>>>>> So, what I'm looking for is to have a normal 401 status sent back to
>>>>>> the client when using CORS; maybe someone has some ideas about this?
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Seb
>>>>>>
>>>>>> _______________________________________________
>>>>>> aerogear-dev mailing list
>>>>>> aerogear-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
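The fix Dan describes above (a JAX-RS ExceptionMapper that adds CORS headers, so the browser on another origin is allowed to read the 401 instead of reporting a cancelled request), written out as an added example. This is not code from aerogear-security or the quickstart branch; the exception type UnauthorizedException, the mapper class name and the allowed origin are assumptions.

```java
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not aerogear-security or quickstart code): maps the
 * "access denied" exception raised by the security interceptor to a 401
 * that also carries CORS headers. Without those headers the browser
 * withholds the error response from script and the request looks cancelled,
 * even though the OPTIONS preflight succeeded.
 *
 * Assumption: the denial surfaces as a hypothetical UnauthorizedException
 * (defined below); substitute the exception type your interceptor throws.
 */
@Provider
public class CorsAwareUnauthorizedMapper implements ExceptionMapper<UnauthorizedException> {

    // Assumption: the web client is served from localhost:8000 (python -m SimpleHTTPServer).
    // Echo only whitelisted origins; "*" is not accepted together with credentials (cookies).
    private static final Set<String> ALLOWED_ORIGINS =
            new HashSet<String>(Arrays.asList("http://localhost:8000"));

    @Context
    private HttpHeaders headers;

    @Override
    public Response toResponse(UnauthorizedException e) {
        Response.ResponseBuilder rb = Response.status(Response.Status.UNAUTHORIZED)
                .type(MediaType.APPLICATION_JSON)
                .entity("{\"error\":\"unauthorized\"}");

        // Origin header is present on cross-origin requests; absent for same-origin calls.
        String origin = headers.getRequestHeaders().getFirst("Origin");
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            rb.header("Access-Control-Allow-Origin", origin)
              .header("Access-Control-Allow-Credentials", "true")
              .header("Vary", "Origin"); // response differs per origin; keep caches honest
        }
        return rb.build();
    }
}

// Hypothetical stand-in for the exception thrown when @secure denies access.
class UnauthorizedException extends RuntimeException {
}
```

Register the mapper the same way as any other JAX-RS provider (classpath scanning or your Application subclass); an unmatched origin still gets the 401 but without CORS headers, which is the intended behaviour for origins you have not whitelisted.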