[Apiman-user] CORS
Eric Wittmann
eric.wittmann at redhat.com
Wed Aug 19 11:55:38 EDT 2015
That is exactly what I was getting at. If you have apiman performing
authentication, then apiman MUST ALSO perform CORS for you.
Specifically for the reason you say: we don't want to skip
authentication for OPTIONS requests.
That said, we *could* add another option to all the authentication
policies, allowing auth to be skipped for specific VERBs. That could be
a reasonable feature. I don't think I'm in favor of it though.
Instead, CORS functionality should be moved out of the back-end system
and handled in apiman.
-Eric
On 8/19/2015 11:23 AM, Marc Savy wrote:
> I think the case being suggested here is slightly different -
>
> This is one where someone has selected an Auth policy on the gateway,
> but *not* a CORS policy - instead their back-end service supports CORS
> and they want the service to handle the preflight request directly.
> Should we pipeline the CORS preflight request through to the backend in
> that case (i.e. bypass auth)? I'd say no, probably.
>
> Perhaps that's what you were getting at already!
>
> On 19/08/2015 14:16, Eric Wittmann wrote:
>> I think that if apiman is being asked to do Authentication *and* CORS is
>> required by the client, then apiman will have to do both.
>>
>> I think that's desirable anyway - it allows the back end service
>> implementation to not worry about supporting CORS. It's a win-win.
>>
>> -Eric
>>
>> On 8/19/2015 9:09 AM, Marc Savy wrote:
>> > What you're doing will always require a CORS preflight request (due to
>> > the non-simple headers), and I'm not sure it makes sense for us as an
>> > API gateway to funnel through CORS Preflight requests to the service
>> > by default. It complicates things when you start thinking about
>> > metering, security, etc.
>> >
>> > Eric, what do you think?
>> >
>> > On 19/08/2015 14:02, Fadi Abdin wrote:
>> >> So what it seems like is that we have to use CORS Policy and add it
>> >> before the Keycloak authentication policy in order for my preflight to
>> >> pass .. that's the part I was missing completely. I'm not sure if it
>> >> should be considered a bug or flexibility to do what we want .. But
>> >> thanks for the explanation Marc.
>> >>
>> >> Anyway .. I'm still having a problem with CORS Policy, probably I just
>> >> don't have the latest code. I added some details to the JIRA ticket
>> >>
>> >> On Wed, Aug 19, 2015 at 5:53 AM, Marc Savy <marc.savy at redhat.com> wrote:
>> >>
>> >> I replicated your set up as far as I could, and I couldn't replicate
>> >> your issue (perhaps your CORS setup is wrong?). Please see the JIRA
>> >> comments and screenshots -
>> >> https://issues.jboss.org/browse/APIMAN-516
>> >>
>> >> Either way, I also fixed a bug unrelated to your problem, so please
>> >> re-build the plugins before trying again :-).
>> >>
>> >> On 18/08/2015 19:25, Fadi Abdin wrote:
>> >>
>> >> It did not work.
>> >>
>> >> I set up everything the way you told me Marc and I'm testing it on my
>> >> local.
>> >> It seems it's sending that preflight OPTIONS and coming back with
>> >> 401 still
>> >>
>> >> On Tue, Aug 18, 2015 at 10:48 AM, Fadi Abdin <fadiabdeen at gmail.com> wrote:
>> >>
>> >> I'm still working on it :( .. I had to give the network guys a few IP
>> >> addresses to whitelist so I can mvn install .. ... almost there.
>> >>
>> >> On Tue, Aug 18, 2015 at 9:46 AM, Marc Savy <marc.savy at redhat.com> wrote:
>> >>
>> >> My pleasure! Did it work?
>> >>
>> >> On 17/08/2015 16:38, Fadi Abdin wrote:
>> >>
>> >> cool .. you're the man ;)
>> >>
>> >> On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy <marc.savy at redhat.com> wrote:
>> >>
>> >> I'm actually testing the fix right now. It will land both on the 1.2.x
>> >> branch and the 1.1.x branch shortly. You should be able to test it out
>> >> in a short while: I'll send you an email when it's available.
>> >>
>> >> On 17/08/2015 16:23, Fadi Abdin wrote:
>> >>
>> >> Thank you Marc,
>> >> Is there a workaround that you can think of?
>> >> I'm doing it with angularjs, very simple
>> >>
>> >> $http({method: 'GET', url: 'http://server/apiman-gateway/service',
>> >>        headers: {'Authorization': 'Bearer XXXXXXXXXXXXX'}
>> >> });
>> >>
>> >> I assume you will fix it in the new version, right?
>> >>
>> >> On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy <marc.savy at redhat.com> wrote:
>> >>
>> >> Hi,
>> >>
>> >> This is related to the JIRA I linked you to
>> >> (https://issues.jboss.org/browse/APIMAN-516). Because of the way the
>> >> policy chain currently works the behaviour of CORS is invalid in a
>> >> few very specific cases (e.g. when you stack it with an auth
>> >> policy). I'll let you know when it's fixed.
>> >>
>> >> Regards,
>> >> Marc
>> >>
>> >> On 17/08/2015 15:44, Fadi Abdin wrote:
>> >>
>> >> I have a problem in calling a service in apiman-gateway with the
>> >> Authorization: Bearer <token> in the header.
>> >>
>> >> It seems to preflight OPTIONS and return
>> >>
>> >> 1. X-Policy-Failure-Message: OAuth2 'Authorization' header or
>> >>    'access_token' query parameter must be provided.
>> >>
>> >> I am sending the bearer token with the request and I make sure in the
>> >> preflight it's sent in the request.
>> >>
>> >> 1. Access-Control-Request-Headers: accept, authorization
>> >>
>> >> Does anyone know if there is something I'm missing? Do I need to get
>> >> authorization enabled or added anywhere? As a side note I have the
>> >> below in my api as well:
>> >>
>> >> response.setHeader("Access-Control-Allow-Headers", "Authorization");
>> >>
>> >> _______________________________________________
>> >> Apiman-user mailing list
>> >> Apiman-user at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/apiman-user
>> >>
>> >
>
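The policy-chain ordering this thread converges on (a CORS policy placed before the auth policy, so the gateway answers the OPTIONS preflight itself while every actual request is still authenticated), as an added example that is not apiman's code; the policy objects, lower-cased header handling and the app.example origin are assumptions of this model:

```javascript
// Minimal model of a gateway policy chain (added example, not apiman code).
// Policy shapes, names and the sample origin are assumptions for this example.
const ORIGIN = 'http://app.example'; // constructed allowed origin
const corsPolicy = {
  allowedHeaders: ['accept', 'authorization'],
  apply(req) {
    const origin = req.headers['origin'];
    if (origin !== ORIGIN) return null; // not an allowed CORS request: continue chain
    const cors = {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Headers': this.allowedHeaders.join(', '),
    };
    if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
      // Preflight: answer it here and stop the chain. The browser never sends
      // the bearer token on a preflight, so an auth policy must not see it.
      return { status: 200, headers: cors };
    }
    req.corsHeaders = cors; // actual request: tag it and let the chain continue
    return null;
  },
};
const authPolicy = {
  apply(req) {
    if (!(req.headers['authorization'] || '').startsWith('Bearer ')) {
      return { status: 401, headers: { 'X-Policy-Failure-Message':
        "OAuth2 'Authorization' header or 'access_token' query parameter must be provided." } };
    }
    return null; // authenticated: continue to the back end
  },
};
// Runs the chain in order; the first policy returning a response short-circuits it.
function runChain(policies, req) {
  for (const p of policies) {
    const resp = p.apply(req);
    if (resp) return resp;
  }
  return { status: 200, headers: req.corsHeaders || {}, body: 'backend response' };
}
// Constructed requests as a browser would send them for the angular call above.
const preflight = () => ({ method: 'OPTIONS', headers: { origin: ORIGIN,
  'access-control-request-method': 'GET',
  'access-control-request-headers': 'accept, authorization' } });
const actual = (token) => ({ method: 'GET', headers: token
  ? { origin: ORIGIN, authorization: 'Bearer ' + token } : { origin: ORIGIN } });
console.log(runChain([authPolicy, corsPolicy], preflight()).status); // 401: auth first
console.log(runChain([corsPolicy, authPolicy], preflight()).status); // 200: CORS first
```

With CORS first, a GET lacking the bearer token still gets the 401 from the auth policy, which is the point Eric makes above: the preflight is handled by the gateway without auth being skipped for real requests.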