<div dir="ltr">Hi,<div style><br></div><div style>I realized that the HttpExceptionMapper[1]  provided by ag-sec do not work well in a CORS environment when returning a 401 response to the client.</div><div style><br></div>
<div style>Dan has found the fix by adding CORS headers in the HttpExceptionMapper, we implemented that in a custom class[2] . </div><div style><br></div><div style>My question is, could we update the HttpExceptionMapper in ag-sec with these extra headers or does that expose any side effects/risks ? </div>
<div style><br></div><div style>Or Should we provide just the CORS HttpExceptionMapper variant in ag-sec based on [2] and document that ? </div><div style><br></div><div style>A JIRA [3] has been created to track this.</div>
<div style><br></div><div style>Seb</div><div style><br></div><div style><br></div><div style><br></div><div style><br></div><div style>[1] <a href="https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/exception/HttpExceptionMapper.java">https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/exception/HttpExceptionMapper.java</a></div>
<div style><br></div><div style>[2] <a href="https://github.com/aerogear/aerogear-push-quickstart-backend/blob/master/src/main/java/org/jboss/aerogear/aerodoc/rest/CorsExceptionHandler.java">https://github.com/aerogear/aerogear-push-quickstart-backend/blob/master/src/main/java/org/jboss/aerogear/aerodoc/rest/CorsExceptionHandler.java</a></div>
<div style><br></div><div style>[3] <a href="https://issues.jboss.org/browse/AGSEC-98">https://issues.jboss.org/browse/AGSEC-98</a></div></div>