<div dir="ltr"><p style="margin-right:0px;margin-bottom:15px;margin-left:0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px;margin-top:0px!important">
Hi Folks,</p><p style="margin-right:0px;margin-bottom:15px;margin-left:0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px;margin-top:0px!important">I&#39;m facing an issue and I hope you could help me on this.</p>
<p style="margin-right:0px;margin-bottom:15px;margin-left:0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px;margin-top:0px!important">My app is using ag-sec with the @secure annotation and Resteasy.</p>
<h2 style="margin:1em 0px 15px;padding:0px;line-height:1.7;font-size:2em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif">
<a name="scenario-hitting-secured-endpoints-without-cors-webapp-deployed-in-the-same-domain" class="" href="https://gist.github.com/sebastienblanc/6133102#scenario-hitting-secured-endpoints-without-cors-webapp-deployed-in-the-same-domain" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:0px;line-height:1"><span class=""></span></a>Scenario: hitting secured endpoints without CORS (webapp deployed in the same domain)</h2>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">When the user does not have the role specified by @secure I got an exception, as expected <a href="https://gist.github.com/sebastienblanc/6134149" style="color:rgb(65,131,196);text-decoration:none">https://gist.github.com/sebastienblanc/6134149</a></p>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">I assume it is because of this <a href="https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/interceptor/SecurityInterceptor.java#L71" style="color:rgb(65,131,196);text-decoration:none">https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/interceptor/SecurityInterceptor.java#L71</a> and, perfect, works as designed.</p>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">The server returns a nice 401 status to the client.</p><h2 style="margin:1em 0px 15px;padding:0px;line-height:1.7;font-size:2em;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(238,238,238);color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif">
<a name="testing-in-a-cors-configuration-web-client-running-under-another-domain" class="" href="https://gist.github.com/sebastienblanc/6133102#testing-in-a-cors-configuration-web-client-running-under-another-domain" style="color:rgb(65,131,196);text-decoration:none;display:block;padding-left:30px"><span class=""></span></a>Testing in a CORS configuration (web client running under another domain)</h2>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">Same scenario: I&#39;m hitting a secure endpoint without having the role needed (BTW the OPTIONS preflights are handled without any errors).</p>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">I&#39;m getting the same exception from the server, but this time no proper 401 answer is sent back to the client, and on the client side the request is just canceled.</p>
<ol style="margin:15px 0px;padding-left:30px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px"><li>Reproduce it: to reproduce this scenario, here are the steps:</li>
</ol><ul style="margin:15px 0px;padding:0px 0px 0px 30px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px"><li>Clone this branch <a href="https://github.com/sebastienblanc/aerogear-push-quickstart-backend/tree/cors_tests" style="color:rgb(65,131,196);text-decoration:none">https://github.com/sebastienblanc/aerogear-push-quickstart-backend/tree/cors_tests</a> ,<code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">mvn clean install</code> , <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">mvn jboss-as:deploy</code></li>
<li><p style="margin:15px 0px">Clone this branch: <a href="https://github.com/aerogear/aerogear-push-quickstart-web/tree/AGPUSH-160" style="color:rgb(65,131,196);text-decoration:none">https://github.com/aerogear/aerogear-push-quickstart-web/tree/AGPUSH-160</a> and deploy it, making sure it&#39;s not running on the same port as aerodoc backend (for instance <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">python -m SimpleHTTPServer</code>)</p>
</li><li><p style="margin:15px 0px">Browse to the simple client (in case you use python webserver it will be <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">localhost:8000</code>)</p>
</li><li><p style="margin:15px 0px">Log in with maria/123</p></li><li><p style="margin:15px 0px">Refresh the page: you should see the failure on retrieving the <code style="font-family:Consolas,&#39;Liberation Mono&#39;,Courier,monospace;font-size:12px;line-height:normal;margin:0px 2px;padding:0px 5px;border:1px solid rgb(221,221,221);background-color:rgb(248,248,248);border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;white-space:nowrap">/leads</code> endpoints.</p>
</li></ul><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">So, what I&#39;m looking for is to have a normal 401 status sent back to the client when using CORS; maybe someone has some ideas about this?</p>
<p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px"><br></p><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">
Regards,</p><p style="margin:15px 0px;color:rgb(0,0,0);font-family:Helvetica,arial,freesans,clean,sans-serif;font-size:15.199999809265137px;line-height:20px">Seb</p></div>
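<p>One thing to check for the symptom described in the message above, as an added example that is not part of the original message or of AeroGear's code: a browser only exposes a cross-origin response to script when that response passes the CORS check, so a 401 without the CORS headers surfaces as a failed request rather than as a 401. The origin is taken from the steps above; the sample responses and the use of credentials (a cookie session) are assumptions.</p>

```javascript
// Models the check a browser applies to a cross-origin response before
// letting script read it (the "CORS check" of the Fetch standard).
// The sample responses at the bottom are constructed, not captured traffic.
function corsCheck(requestOrigin, withCredentials, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v.trim();

  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { exposed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (!withCredentials && allowOrigin === '*') {
    return { exposed: true, reason: 'wildcard origin, request without credentials' };
  }
  if (allowOrigin !== requestOrigin) {
    return { exposed: false, reason: 'Access-Control-Allow-Origin does not match origin' };
  }
  if (withCredentials && h['access-control-allow-credentials'] !== 'true') {
    return { exposed: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { exposed: true, reason: 'origin allowed' };
}

// What XMLHttpRequest reports: the real status if the response passes the
// check, otherwise status 0 (network error, the server's status is hidden).
function statusSeenByScript(requestOrigin, withCredentials, response) {
  const check = corsCheck(requestOrigin, withCredentials, response.headers);
  return { status: check.exposed ? response.status : 0, reason: check.reason };
}

const ORIGIN = 'http://localhost:8000'; // web client origin from the steps above
const corsHeaders = {
  'Access-Control-Allow-Origin': ORIGIN,
  'Access-Control-Allow-Credentials': 'true',
};
const samples = { // constructed responses
  okWithCors: { status: 200, headers: { ...corsHeaders } },
  bare401: { status: 401, headers: { 'Content-Type': 'text/html' } },
  cors401: { status: 401, headers: { ...corsHeaders } },
};

function runSamples() {
  const out = {};
  for (const [name, res] of Object.entries(samples)) {
    out[name] = statusSeenByScript(ORIGIN, true, res).status;
  }
  return out;
}
console.log(runSamples());
```

<p>Comparing the response headers of the failing <code>/leads</code> request with those of a successful one in the browser's network tab shows which of these cases applies.</p>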