[Apiman-user] CORS

Marc Savy marc.savy at redhat.com
Wed Aug 19 11:23:38 EDT 2015


I think the case being suggested here is slightly different -

This is one where someone has selected an Auth policy on the gateway, but *not* a CORS policy - instead their back-end service supports CORS and they want the service to handle the preflight request directly. Should we pipeline the CORS preflight request through to the backend in that case (i.e. bypass auth)? I'd say no, probably.

Perhaps that's what you were getting at already!

On 19/08/2015 14:16, Eric Wittmann wrote:
> I think that if apiman is being asked to do Authentication *and* CORS is
> required by the client, then apiman will have to do both.
>
> I think that's desirable anyway - it allows the back end service
> implementation to not worry about supporting CORS.  It's a win-win.
>
> -Eric
>
> On 8/19/2015 9:09 AM, Marc Savy wrote:
> > What you're doing will always require a CORS preflight request (due to
> > the non-simple headers), and I'm not sure it makes sense for us as an
> > API gateway to funnel through CORS Preflight requests to the service
> > by default. It complicates things when you start thinking about
> > metering, security, etc.
> >
> > Eric, what do you think?
> >
> > On 19/08/2015 14:02, Fadi Abdin wrote:
> >> So what it seems like is that we have to use CORS Policy and add it
> >> before the Keycloak authentication policy in order for my preflight to
> >> pass .. that's the part I was missing completely. I'm not sure if it
> >> should be considered a bug or flexibility to do what we want .. But
> >> thanks for the explanation Marc.
> >>
> >> Anyway .. I'm still having a problem with CORS Policy, probably I just
> >> don't have the latest code. I added some details to the JIRA ticket
> >>
> >> On Wed, Aug 19, 2015 at 5:53 AM, Marc Savy <marc.savy at redhat.com> wrote:
> >>
> >>     I replicated your set up as far as I could, and I couldn't replicate
> >>     your issue (perhaps your CORS setup is wrong?). Please see the JIRA
> >>     comments and screenshots - https://issues.jboss.org/browse/APIMAN-516
> >>
> >>     Either way, I also fixed a bug unrelated to your problem, so please
> >>     re-build the plugins before trying again :-).
> >>
> >>     On 18/08/2015 19:25, Fadi Abdin wrote:
> >>
> >>         It did not work .
> >>
> >>         I setup everything they way you told me Marc and i'm testing it
> >>         on my local.
> >>         It seems its sending that preflight OPTIONS and coming back with
> >>         401 still
> >>
> >>         On Tue, Aug 18, 2015 at 10:48 AM, Fadi Abdin
> >>         <fadiabdeen at gmail.com> wrote:
> >>
> >>             I'm still working on it :( .. i had to give the network guys
> >>             few ip addresses to whitelist so i can mvn install .. ...
> >>             almost there.
> >>
> >>             On Tue, Aug 18, 2015 at 9:46 AM, Marc Savy
> >>             <marc.savy at redhat.com> wrote:
> >>
> >>                 My pleasure! Did it work?
> >>
> >>                 On 17/08/2015 16:38, Fadi Abdin wrote:
> >>
> >>                     cool .. you're the man ;)
> >>
> >>                     On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy
> >>                     <marc.savy at redhat.com> wrote:
> >>
> >>                         I'm actually testing the fix right now. It will
> >>                         land both on the 1.2.x branch and the 1.1.x
> >>                         branch shortly. You should be able to test it
> >>                         out in a short while: I'll send you an email
> >>                         when it's available.
> >>
> >>                         On 17/08/2015 16:23, Fadi Abdin wrote:
> >>
> >>                             Thank you Marc,
> >>                             Is there a work around that you can think
> >>                             of ?
> >>                             I'm doing it with angularjs , very simple
> >>
> >>                             $http({method: 'GET', url:
> >>                             'http://server/apiman-gateway/service',
> >>                             headers: {
> >>                                 'Authorization': 'Bearer XXXXXXXXXXXXX'}
> >>                             });
> >>
> >>                             I assume you will fix it in the new
> >>                             version , right?
> >>
> >>                             On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy
> >>                             <marc.savy at redhat.com> wrote:
> >>
> >>                                 Hi,
> >>
> >>                                 This is related to the JIRA I linked
> >>                                 you to
> >>                                 (https://issues.jboss.org/browse/APIMAN-516).
> >>                                 Because of the way the policy chain
> >>                                 currently works the behaviour of CORS
> >>                                 is invalid in a few very specific cases
> >>                                 (e.g. when you stack it with an auth
> >>                                 policy). I'll let you know when it's
> >>                                 fixed.
> >>
> >>                                 Regards,
> >>                                 Marc
> >>
> >>                                 On 17/08/2015 15:44, Fadi Abdin wrote:
> >>
> >>                                     I have a problem in calling a
> >>                                     service in apiman-gateway with the
> >>                                     Authorization: Bearer <token> in
> >>                                     the header.
> >>
> >>                                     It seems to preflight OPTIONS and
> >>                                     return
> >>
> >>                                       1. X-Policy-Failure-Message:
> >>                                          OAuth2 'Authorization' header
> >>                                          or 'access_token' query
> >>                                          parameter must be provided.
> >>
> >>                                     I am sending the bearer token with
> >>                                     the request and i make sure in the
> >>                                     preflight its sent in the request.
> >>
> >>                                       1. Access-Control-Request-Headers:
> >>                                          accept, authorization
> >>
> >>                                     Does anyone know if there Is
> >>                                     something i'm missing ? do i need
> >>                                     to get authorization enabled or
> >>                                     added anywhere ? as a side note i
> >>                                     have below in my api as well:
> >>
> >>                                     response.setHeader("Access-Control-Allow-Headers",
> >>                                     "Authorization");
> >>
> >>                                     _______________________________________________
> >>                                     Apiman-user mailing list
> >>                                     Apiman-user at lists.jboss.org
> >>                                     https://lists.jboss.org/mailman/listinfo/apiman-user
> >
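The behaviour the thread is circling around is easy to see in a small model of the gateway's policy chain. The example below is added here and is not apiman code: the policy functions, request/response types and chain builder are assumptions made for illustration, and the only value taken from the thread is the 401 failure message. It also shows why the AngularJS call needs a preflight at all (Authorization is not a CORS-safelisted header, so the browser sends an OPTIONS first) and why the order of the CORS and auth policies decides whether that preflight gets a 204 or a 401.

```python
"""Toy model of a gateway policy chain: CORS policy vs. auth policy ordering.

Added example, not apiman code. Policy and request types are assumptions for
illustration; AUTH_FAILURE is the message quoted in the thread.
"""
import functools
from dataclasses import dataclass, field

# CORS-safelisted request headers/methods (Fetch spec): a cross-origin request
# using only these is "simple" and is sent without a preflight.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SIMPLE_METHODS = {"GET", "HEAD", "POST"}

AUTH_FAILURE = ("OAuth2 'Authorization' header or 'access_token' query "
                "parameter must be provided.")


@dataclass
class Request:
    method: str
    headers: dict  # header names are lower-cased on construction

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def needs_preflight(method, headers):
    """True when a browser would send an OPTIONS preflight before this request."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True  # e.g. "Authorization: Bearer ..." is not safelisted
        if lname == "content-type" and value.split(";")[0].strip().lower() not in SIMPLE_CONTENT_TYPES:
            return True
    return False


def is_preflight(req):
    return (req.method == "OPTIONS" and "origin" in req.headers
            and "access-control-request-method" in req.headers)


def cors_policy(req, next_policy):
    """Answer preflights in the gateway; otherwise forward and decorate the response."""
    if is_preflight(req):
        # The preflight stops here: later policies (auth) and the backend never see it.
        return Response(204, {
            "Access-Control-Allow-Origin": req.headers["origin"],
            "Access-Control-Allow-Methods": req.headers["access-control-request-method"],
            "Access-Control-Allow-Headers": req.headers.get("access-control-request-headers", ""),
        })
    resp = next_policy(req)
    if "origin" in req.headers:
        resp.headers["Access-Control-Allow-Origin"] = req.headers["origin"]
    return resp


def auth_policy(req, next_policy):
    """Reject any request without a bearer token; a preflight carries none."""
    if not req.headers.get("authorization", "").startswith("Bearer "):
        return Response(401, {"X-Policy-Failure-Message": AUTH_FAILURE})
    return next_policy(req)


def backend(req):
    return Response(200)


def run_chain(policies, req):
    """Build the chain so policies[0] runs first and the backend last."""
    handler = backend
    for policy in reversed(policies):
        handler = functools.partial(policy, next_policy=handler)
    return handler(req)


def demo():
    # Constructed requests. The browser sends the preflight WITHOUT the
    # Authorization header; it is only announced in Access-Control-Request-Headers.
    preflight = Request("OPTIONS", {"Origin": "http://app.example",
                                    "Access-Control-Request-Method": "GET",
                                    "Access-Control-Request-Headers": "accept, authorization"})
    with_token = Request("GET", {"Origin": "http://app.example",
                                 "Authorization": "Bearer <constructed-token>"})
    without_token = Request("GET", {"Origin": "http://app.example"})
    return {
        "auth_then_cors_preflight": run_chain([auth_policy, cors_policy], preflight),
        "cors_then_auth_preflight": run_chain([cors_policy, auth_policy], preflight),
        "cors_then_auth_get": run_chain([cors_policy, auth_policy], with_token),
        "cors_then_auth_get_no_token": run_chain([cors_policy, auth_policy], without_token),
    }


if __name__ == "__main__":
    for name, resp in demo().items():
        print(f"{name}: {resp.status} {resp.headers}")
```

With auth first, the OPTIONS request reaches the auth policy with no bearer token and is rejected with the 401 and X-Policy-Failure-Message seen in the thread, because browsers never attach Authorization to the preflight itself. With CORS first, the gateway answers the preflight with 204 and the advertised Allow-Headers, and the auth policy still guards the actual GET: a token gets 200, no token gets 401. Sending the preflight through to the backend instead would mean letting an unauthenticated request past the auth policy, which is the case the reply above argues against.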