[aerogear-dev] [AG-SEC] HttpExceptionMapper and CORS

Bruno Oliveira bruno at abstractj.org
Thu Aug 8 00:55:23 EDT 2013


This piece of code will be removed from AGSec
https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/exception/HttpExceptionMapper.java#L37
because it is something very tied to Resteasy.

Regarding the issue with CORS, at first glance if we are willing to
provide it on AGSec we will send extra HTTP headers to every
unauthorized request. And it is impossible for AGSec to cover every corner
case, because at this point we should be able to distinguish CORS
requests from non-CORS ones to send the correct headers.

In the next releases the dependency on Resteasy will be removed and we
will have only this block of code
https://github.com/aerogear/aerogear-security/blob/1.1.x/src/main/java/org/jboss/aerogear/security/exception/HttpExceptionMapper.java#L41.


I can't see any problems with having it in your project, unless we think
this is very very high priority, leave it as is and feel free to
implement your own exception handler.

Sebastien Blanc wrote:
> Hi,
> 
> I realized that the HttpExceptionMapper [1] provided by ag-sec does not
> work well in a CORS environment when returning a 401 response to the client.
> 
> Dan has found the fix by adding CORS headers in the HttpExceptionMapper,
> we implemented that in a custom class [2].
> 
> My question is, could we update the HttpExceptionMapper in ag-sec with
> these extra headers or does that expose any side effects/risks?
> 
> Or should we provide just the CORS HttpExceptionMapper variant in ag-sec
> based on [2] and document that?
> 
> A JIRA [3] has been created to track this.
> 
> Seb
> 
> 
> 
> 
> [1] https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/exception/HttpExceptionMapper.java
> 
> [2] https://github.com/aerogear/aerogear-push-quickstart-backend/blob/master/src/main/java/org/jboss/aerogear/aerodoc/rest/CorsExceptionHandler.java
> 
> [3] https://issues.jboss.org/browse/AGSEC-98
> 

-- 
abstractj
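
The distinction discussed in this thread, between CORS and non-CORS requests when building a 401 response, as an added example that is not part of the thread and is not AeroGear Security code. The class name, the origin allowlist, the credentials flag and the sample origins are assumptions made for illustration; an exception handler would pass in the request's Origin header and copy the returned headers onto its 401 response.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added example (hypothetical class, not AeroGear code): chooses the headers
// for a 401 response depending on whether the request is a CORS request.
public class CorsAware401 {

    // Assumption: the deployment knows which web origins may call the API.
    private final Set<String> allowedOrigins;
    private final boolean allowCredentials;

    public CorsAware401(Set<String> allowedOrigins, boolean allowCredentials) {
        this.allowedOrigins = allowedOrigins;
        this.allowCredentials = allowCredentials;
    }

    /** @param origin value of the request's Origin header, or null if absent */
    public Map<String, String> headersFor401(String origin) {
        Map<String, String> headers = new LinkedHashMap<>();
        // The response differs per Origin, so shared caches must key on it.
        headers.put("Vary", "Origin");
        if (origin == null || !isAllowed(origin)) {
            // Non-CORS request or unknown origin: plain 401, no CORS headers.
            return headers;
        }
        // Echo the exact allowed origin; never "*" together with credentials.
        headers.put("Access-Control-Allow-Origin", origin);
        if (allowCredentials) {
            headers.put("Access-Control-Allow-Credentials", "true");
        }
        return headers;
    }

    private boolean isAllowed(String origin) {
        // Exact match against the allowlist: no substring or suffix matching.
        return allowedOrigins.contains(origin);
    }

    public static void main(String[] args) {
        // Constructed sample origins for illustration.
        CorsAware401 policy = new CorsAware401(Set.of("https://app.example.org"), true);
        System.out.println(policy.headersFor401(null));
        System.out.println(policy.headersFor401("https://app.example.org"));
        System.out.println(policy.headersFor401("https://app.example.org.evil.test"));
    }
}
```

Only the second call in `main` yields `Access-Control-Allow-Origin`; the absent and look-alike origins get a plain 401 with `Vary: Origin` alone.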


