[Apiman-user] CORS
Marc Savy
marc.savy at redhat.com
Wed Aug 19 12:45:32 EDT 2015
In many cases people are using non-browser applications (e.g. mobile, B2B, Java app...) which don't use CORS, so I don't think they are necessarily concomitant in all circumstances.
Certainly makes sense to document things if people are unaware.
On 19/08/2015 17:36, Fadi Abdin wrote:
> I think there is no need to rely on the API for the CORS since it can be handled in APIMan, but maybe something needs to be indicated that the CORS plugin must be installed and set up, at least in the UI, and ideally get installed with the OAuth plugin (Keycloak) if it's not there.
>
> On Wed, Aug 19, 2015 at 11:58 AM, Marc Savy <marc.savy at redhat.com> wrote:
>
> I agree - I don't see any compelling reason to add that kind of complexity for that case. I'm willing to be convinced, though.
>
> On 19/08/2015 16:55, Eric Wittmann wrote:
> > That is exactly what I was getting at. If you have apiman performing authentication, then apiman MUST ALSO perform CORS for you. Specifically for the reason you say: we don't want to skip authentication for OPTIONS requests.
> >
> > That said, we *could* add another option to all the authentication policies, allowing auth to be skipped for specific VERBs. That could be a reasonable feature. I don't think I'm in favor of it though.
> >
> > Instead, CORS functionality should be moved out of the back-end system and handled in apiman.
> >
> > -Eric
> >
> > On 8/19/2015 11:23 AM, Marc Savy wrote:
> > > I think the case being suggested here is slightly different -
> > >
> > > This is one where someone has selected an Auth policy on the gateway, but *not* a CORS policy - instead their back-end service supports CORS and they want the service to handle the preflight request directly. Should we pipeline the CORS preflight request through to the backend in that case (i.e. bypass auth)? I'd say no, probably.
> > >
> > > Perhaps that's what you were getting at already!
> > >
> > > On 19/08/2015 14:16, Eric Wittmann wrote:
> > >> I think that if apiman is being asked to do Authentication *and* CORS is required by the client, then apiman will have to do both.
> > >>
> > >> I think that's desirable anyway - it allows the back end service implementation to not worry about supporting CORS. It's a win-win.
> > >>
> > >> -Eric
> > >>
> > >> On 8/19/2015 9:09 AM, Marc Savy wrote:
> > >> > What you're doing will always require a CORS preflight request (due to the non-simple headers), and I'm not sure it makes sense for us as an API gateway to funnel through CORS Preflight requests to the service by default. It complicates things when you start thinking about metering, security, etc.
> > >> >
> > >> > Eric, what do you think?
> > >> >
> > >> > On 19/08/2015 14:02, Fadi Abdin wrote:
> > >> >> So what it seems like is that we have to use CORS Policy and add it before the Keycloak authentication policy in order for my preflight to pass .. that's the part I was missing completely. I'm not sure if it should be considered a bug or flexibility to do what we want .. But thanks for the explanation Marc.
> > >> >>
> > >> >> Anyway .. I'm still having a problem with CORS Policy, probably I just don't have the latest code. I added some details to the JIRA ticket
> > >> >>
> > >> >> On Wed, Aug 19, 2015 at 5:53 AM, Marc Savy <marc.savy at redhat.com> wrote:
> > >> >>
> > >> >> I replicated your set up as far as I could, and I couldn't replicate your issue (perhaps your CORS setup is wrong?). Please see the JIRA comments and screenshots - https://issues.jboss.org/browse/APIMAN-516
> > >> >>
> > >> >> Either way, I also fixed a bug unrelated to your problem, so please re-build the plugins before trying again :-).
> > >> >>
> > >> >> On 18/08/2015 19:25, Fadi Abdin wrote:
> > >> >>
> > >> >> It did not work.
> > >> >>
> > >> >> I set up everything the way you told me Marc and I'm testing it on my local.
> > >> >> It seems it's sending that preflight OPTIONS and coming back with 401 still
> > >> >>
> > >> >> On Tue, Aug 18, 2015 at 10:48 AM, Fadi Abdin <fadiabdeen at gmail.com> wrote:
> > >> >>
> > >> >> I'm still working on it :( .. I had to give the network guys a few IP addresses to whitelist so I can mvn install .. ... almost there.
> > >> >>
> > >> >> On Tue, Aug 18, 2015 at 9:46 AM, Marc Savy <marc.savy at redhat.com> wrote:
> > >> >>
> > >> >> My pleasure! Did it work?
> > >> >>
> > >> >> On 17/08/2015 16:38, Fadi Abdin wrote:
> > >> >>
> > >> >> cool .. you're the man ;)
> > >> >>
> > >> >> On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy <marc.savy at redhat.com> wrote:
> > >> >>
> > >> >> I'm actually testing the fix right now. It will land both on the 1.2.x branch and the 1.1.x branch shortly. You should be able to test it out in a short while: I'll send you an email when it's available.
> > >> >>
> > >> >> On 17/08/2015 16:23, Fadi Abdin wrote:
> > >> >>
> > >> >> Thank you Marc,
> > >> >> Is there a work around that you can think of?
> > >> >> I'm doing it with angularjs, very simple
> > >> >>
> > >> >> $http({method: 'GET', url: 'http://server/apiman-gateway/service',
> > >> >>        headers: {'Authorization': 'Bearer XXXXXXXXXXXXX'}
> > >> >> });
> > >> >>
> > >> >> I assume you will fix it in the new version, right?
> > >> >>
> > >> >> On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy <marc.savy at redhat.com> wrote:
> > >> >>
> > >> >> Hi,
> > >> >>
> > >> >> This is related to the JIRA I linked you to (https://issues.jboss.org/browse/APIMAN-516). Because of the way the policy chain currently works the behaviour of CORS is invalid in a few very specific cases (e.g. when you stack it with an auth policy). I'll let you know when it's fixed.
> > >> >>
> > >> >> Regards,
> > >> >> Marc
> > >> >>
> > >> >> On 17/08/2015 15:44, Fadi Abdin wrote:
> > >> >>
> > >> >> I have a problem in calling a service in apiman-gateway with the Authorization: Bearer <token> in the header.
> > >> >>
> > >> >> It seems to preflight OPTIONS and return
> > >> >>
> > >> >> 1. X-Policy-Failure-Message: OAuth2 'Authorization' header or 'access_token' query parameter must be provided.
> > >> >>
> > >> >> I am sending the bearer token with the request and I make sure in the preflight it's sent in the request.
> > >> >>
> > >> >> 1. Access-Control-Request-Headers: accept, authorization
> > >> >>
> > >> >> Does anyone know if there is something I'm missing? Do I need to get authorization enabled or added anywhere? As a side note I have below in my api as well:
> > >> >>
> > >> >> response.setHeader("Access-Control-Allow-Headers", "Authorization");
> > >> >>
> > >> >> _______________________________________________
> > >> >> Apiman-user mailing list
> > >> >> Apiman-user at lists.jboss.org
> > >> >> https://lists.jboss.org/mailman/listinfo/apiman-user
> > >> >
> > >
>
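The thread's point (a preflight OPTIONS carries no Authorization header, so an auth policy that runs before the CORS policy answers it with 401 and the browser never sends the real request) is easy to see in a toy model of a gateway policy chain. The following is an added example, not apiman's own code: the policy objects, `runChain`, the origin and token values are all constructed here for illustration and do not mirror apiman's internal API.

```javascript
// Added example (not apiman's code): a toy gateway policy chain showing why a
// CORS preflight fails when an auth policy is ordered before the CORS policy
// and succeeds when CORS runs first. All names and values are assumptions.

const ALLOWED_ORIGINS = new Set(['http://app.example']); // constructed origin
const VALID_TOKEN = 'constructed-demo-token';            // constructed token

// A preflight is an OPTIONS request carrying Origin and
// Access-Control-Request-Method (Fetch spec); browsers never attach
// Authorization to it, which is the root of the 401 in the thread.
function isPreflight(req) {
  return req.method === 'OPTIONS'
    && 'origin' in req.headers
    && 'access-control-request-method' in req.headers;
}

// CORS policy: answers preflights itself (never forwards them) and adds
// Access-Control-Allow-Origin to responses of ordinary cross-origin requests.
function corsPolicy(allowedOrigins) {
  return {
    name: 'CORS',
    onRequest(req) {
      if (!isPreflight(req)) return null; // pass on to the next policy
      const origin = req.headers['origin'];
      if (!allowedOrigins.has(origin)) {
        return { status: 403, headers: {}, body: 'CORS origin not allowed' };
      }
      return {
        status: 200,
        headers: {
          'access-control-allow-origin': origin,
          'access-control-allow-methods': req.headers['access-control-request-method'],
          'access-control-allow-headers': req.headers['access-control-request-headers'] || '',
        },
        body: '',
      };
    },
    onResponse(req, res) {
      const origin = req.headers['origin'];
      if (origin && allowedOrigins.has(origin)) {
        res.headers['access-control-allow-origin'] = origin;
      }
      return res;
    },
  };
}

// Auth policy: rejects anything without a valid bearer token, OPTIONS included
// (the thread agrees auth should NOT be skipped for OPTIONS).
function authPolicy(validToken) {
  return {
    name: 'OAuth2',
    onRequest(req) {
      if ((req.headers['authorization'] || '') === `Bearer ${validToken}`) return null;
      return {
        status: 401,
        headers: {
          'x-policy-failure-message':
            "OAuth2 'Authorization' header or 'access_token' query parameter must be provided.",
        },
        body: '',
      };
    },
    onResponse(req, res) { return res; },
  };
}

// Policies run in order; the first to return a response short-circuits the
// chain. The response then flows back only through the policies that ran.
function runChain(policies, req, backend) {
  const ran = [];
  let res = null;
  for (const p of policies) {
    ran.push(p);
    res = p.onRequest(req);
    if (res) break;
  }
  if (!res) res = backend(req);
  for (const p of ran.reverse()) res = p.onResponse(req, res);
  return res;
}

// Constructed stand-in for the back-end service.
function backend() { return { status: 200, headers: {}, body: 'hello from service' }; }

// The browser's preflight for the GET-with-bearer-token shown in the thread.
function makePreflight(origin = 'http://app.example') {
  return { method: 'OPTIONS', headers: {
    'origin': origin, 'access-control-request-method': 'GET',
    'access-control-request-headers': 'accept, authorization' } };
}
function makeActualRequest(token) {
  return { method: 'GET', headers: { 'origin': 'http://app.example', 'authorization': `Bearer ${token}` } };
}

// The two orderings discussed in the thread.
function authThenCors() { return [authPolicy(VALID_TOKEN), corsPolicy(ALLOWED_ORIGINS)]; }
function corsThenAuth() { return [corsPolicy(ALLOWED_ORIGINS), authPolicy(VALID_TOKEN)]; }

if (typeof require !== 'undefined' && require.main === module) {
  console.log('auth before CORS, preflight ->', runChain(authThenCors(), makePreflight(), backend).status);
  console.log('CORS before auth, preflight ->', runChain(corsThenAuth(), makePreflight(), backend).status);
}
```

With CORS ordered first, the preflight is answered by the gateway and never reaches the auth policy, while the real GET still has to carry a valid token; an unauthenticated GET still gets the 401, but with the CORS headers attached on the way back so the browser can surface the failure to the application.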