[Apiman-user] CORS
Marc Savy
marc.savy at redhat.com
Wed Aug 19 13:25:39 EDT 2015
The error information implies you need to add 'Accept' as well as 'Authorization' in Access-Control-Allow-Headers.
Also ensure GET is allowed in Access-Control-Allow-Methods.
That's what I'd infer from the response your browser gave.
On 19/08/2015 18:22, Fadi Abdin wrote:
> The authorization header seems to have got cut off .. here it is attached
>
> On Wed, Aug 19, 2015 at 1:20 PM, Fadi Abdin <fadiabdeen at gmail.com> wrote:
>
> Hey Marc,
>
> Still no luck :( , I just got a fresh setup:
>
> XMLHttpRequest cannot load
> http://localhost:8080/apiman-gateway/express/testcors/1.0. No
> 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://fadiabdeen.github.io' is therefore not
> allowed access. The response had HTTP status code 403.
>
> Here are snapshots .. is there anything you see wrong?
>
> Remote Address: 127.0.0.1:8080
> Request URL: http://localhost:8080/apiman-gateway/express/testcors/1.0
> Request Method: OPTIONS
> Status Code: 403 Forbidden
>
> Response Headers:
> Access-Control-Max-Age: 0
> Connection: keep-alive
> Content-Length: 149
> Content-Type: application/json
> Date: Wed, 19 Aug 2015 17:15:34 GMT
> Server: WildFly/8
> X-Policy-Failure-Code: 400
> X-Policy-Failure-Message: CORS: Requested header not allowed
> X-Policy-Failure-Type: Authorization
> X-Powered-By: Undertow/1
>
> Request Headers:
> Accept: */*
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: en-US,en;q=0.8,ar;q=0.6
> Access-Control-Request-Headers: accept, authorization
> Access-Control-Request-Method: GET
> Connection: keep-alive
> Host: localhost:8080
> Origin: http://fadiabdeen.github.io
> Referer: http://fadiabdeen.github.io/keycloak-oauth/public_html/?code=P9o9yTC1ZiZQvlefHCt-nvRJ-4f72h8iaDgkSLN00aM.66a570dd-0c5d-4862-862a-d26106280de7
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
>
> On Wed, Aug 19, 2015 at 12:45 PM, Marc Savy <marc.savy at redhat.com> wrote:
>
> In many cases people are using non-browser applications (e.g.
> mobile, B2B, Java app...) which don't use CORS, so I don't think
> they are necessarily concomitant in all circumstances.
>
> Certainly makes sense to document things if people are unaware.
>
> On 19/08/2015 17:36, Fadi Abdin wrote:
>
> I think there is no need to rely on the API for the CORS since it can
> be handled in the APIMan, but maybe something needs to be indicated that
> the CORS Plugin must be installed and set up, at least in the UI, and
> ideally get installed with the OAuth plugin (keycloak) if it's not there.
>
> On Wed, Aug 19, 2015 at 11:58 AM, Marc Savy <marc.savy at redhat.com> wrote:
>
> I agree - I don't see any compelling reason to add that kind of
> complexity for that case. I'm willing to be convinced, though.
>
> On 19/08/2015 16:55, Eric Wittmann wrote:
> > That is exactly what I was getting at. If you have apiman performing
> > authentication, then apiman MUST ALSO perform CORS for you. Specifically
> > for the reason you say: we don't want to skip authentication for
> > OPTIONS requests.
> >
> > That said, we *could* add another option to all the authentication
> > policies, allowing auth to be skipped for specific VERBs. That could be
> > a reasonable feature. I don't think I'm in favor of it though.
> >
> > Instead, CORS functionality should be moved out of the back-end system
> > and handled in apiman.
> >
> > -Eric
> >
> > On 8/19/2015 11:23 AM, Marc Savy wrote:
> > > I think the case being suggested here is slightly different -
> > >
> > > This is one where someone has selected an Auth policy on the gateway,
> > > but *not* a CORS policy - instead their back-end service supports CORS
> > > and they want the service to handle the preflight request directly.
> > > Should we pipeline the CORS preflight request through to the backend in
> > > that case (i.e. bypass auth)? I'd say no, probably.
> > >
> > > Perhaps that's what you were getting at already!
> > >
> > > On 19/08/2015 14:16, Eric Wittmann wrote:
> > >> I think that if apiman is being asked to do Authentication *and* CORS is
> > >> required by the client, then apiman will have to do both.
> > >>
> > >> I think that's desirable anyway - it allows the back end service
> > >> implementation to not worry about supporting CORS. It's a win-win.
> > >>
> > >> -Eric
> > >>
> > >> On 8/19/2015 9:09 AM, Marc Savy wrote:
> > >> > What you're doing will always require a CORS preflight request (due to
> > >> > the non-simple headers), and I'm not sure it makes sense for us as an
> > >> > API gateway to funnel through CORS Preflight requests to the service
> > >> > by default. It complicates things when you start thinking about
> > >> > metering, security, etc.
> > >> >
> > >> > Eric, what do you think?
> > >> >
> > >> > On 19/08/2015 14:02, Fadi Abdin wrote:
> > >> >> So what it seems like is that we have to use the CORS Policy and add it
> > >> >> before the Keycloak authentication policy in order for my preflight to
> > >> >> pass .. that's the part I was missing completely. I'm not sure if it
> > >> >> should be considered a bug or flexibility to do what we want .. But
> > >> >> thanks for the explanation Marc.
> > >> >>
> > >> >> Anyway .. I'm still having a problem with CORS Policy, probably I just
> > >> >> don't have the latest code. I added some details to the JIRA ticket
> > >> >>
> > >> >> On Wed, Aug 19, 2015 at 5:53 AM, Marc Savy <marc.savy at redhat.com> wrote:
> > >> >>
> > >> >> I replicated your set up as far as I could, and I couldn't replicate
> > >> >> your issue (perhaps your CORS setup is wrong?). Please see the JIRA
> > >> >> comments and screenshots -
> > >> >> https://issues.jboss.org/browse/APIMAN-516
> > >> >>
> > >> >> Either way, I also fixed a bug unrelated to your problem, so please
> > >> >> re-build the plugins before trying again :-).
> > >> >>
> > >> >> On 18/08/2015 19:25, Fadi Abdin wrote:
> > >> >>
> > >> >> It did not work.
> > >> >>
> > >> >> I set up everything the way you told me Marc and I'm testing it on my
> > >> >> local.
> > >> >> It seems it's sending that preflight OPTIONS and coming back with
> > >> >> 401 still
> > >> >>
> > >> >> On Tue, Aug 18, 2015 at 10:48 AM, Fadi Abdin <fadiabdeen at gmail.com> wrote:
> > >> >>
> > >> >> I'm still working on it :( .. I had to give the network guys a few IP
> > >> >> addresses to whitelist so I can mvn install .. ... almost there.
> > >> >>
> > >> >> On Tue, Aug 18, 2015 at 9:46 AM, Marc Savy <marc.savy at redhat.com> wrote:
> > >> >>
> > >> >> My pleasure! Did it work?
> > >> >>
> > >> >> On 17/08/2015 16:38, Fadi Abdin wrote:
> > >> >>
> > >> >> cool .. you're the man ;)
> > >> >>
> > >> >> On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy <marc.savy at redhat.com> wrote:
> > >> >>
> > >> >> I'm actually testing the fix right now. It will land both on the 1.2.x
> > >> >> branch and the 1.1.x branch shortly. You should be able to test it out
> > >> >> in a short while: I'll send you an email when it's available.
> > >> >>
> > >> >> On 17/08/2015 16:23, Fadi Abdin wrote:
> > >> >>
> > >> >> Thank you Marc,
> > >> >> Is there a workaround that you can think of?
> > >> >> I'm doing it with angularjs, very simple
> > >> >>
> > >> >> $http({method: 'GET', url: 'http://server/apiman-gateway/service',
> > >> >>        headers: {'Authorization': 'Bearer XXXXXXXXXXXXX'}
> > >> >> });
> > >> >>
> > >> >> I assume you will fix it in the new version, right?
> > >> >>
> > >> >> On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy <marc.savy at redhat.com> wrote:
> > >> >>
> > >> >> Hi,
> > >> >>
> > >> >> This is related to the JIRA I linked you to
> > >> >> (https://issues.jboss.org/browse/APIMAN-516). Because of the way the
> > >> >> policy chain currently works the behaviour of CORS is invalid in a few
> > >> >> very specific cases (e.g. when you stack it with an auth policy). I'll
> > >> >> let you know when it's fixed.
> > >> >>
> > >> >> Regards,
> > >> >> Marc
> > >> >>
> > >> >> On 17/08/2015 15:44, Fadi Abdin wrote:
> > >> >>
> > >> >> I have a problem in calling a service in apiman-gateway with the
> > >> >> Authorization: Bearer <token> in the header.
> > >> >>
> > >> >> It seems to preflight OPTIONS and return
> > >> >>
> > >> >> X-Policy-Failure-Message: OAuth2 'Authorization' header or
> > >> >> 'access_token' query parameter must be provided.
> > >> >>
> > >> >> I am sending the bearer token with the request and I make sure in the
> > >> >> preflight it's sent in the request.
> > >> >>
> > >> >> Access-Control-Request-Headers: accept, authorization
> > >> >>
> > >> >> Does anyone know if there is something I'm missing? Do I need to get
> > >> >> authorization enabled or added anywhere? As a side note I have below in
> > >> >> my api as well:
> > >> >>
> > >> >> response.setHeader("Access-Control-Allow-Headers", "Authorization");
> > >> >>
> > >> >> _______________________________________________
> > >> >> Apiman-user mailing list
> > >> >> Apiman-user at lists.jboss.org
> > >> >> https://lists.jboss.org/mailman/listinfo/apiman-user
> > >> >
> > >
>
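As an added example (not apiman's code and not from any of the posters), here is a small Python model of the policy chain the thread argues about: a CORS policy evaluated against the preflight captured above, first with the `Authorization`-only allow-list from the original API and then with Marc's suggested `Accept` plus `Authorization`, and the same preflight sent through an auth-first chain, which reproduces the 401 Fadi first reported. The function names, request dicts and origin allow-list are constructed assumptions, not apiman configuration.

```python
# Added example, not apiman code: a minimal policy chain run against the preflight in this thread.
ALLOWED_ORIGINS = {"http://fadiabdeen.github.io"}
ALLOWED_METHODS = {"GET"}
HEADERS_BROKEN = {"Authorization"}           # what the thread's API allowed
HEADERS_FIXED = {"Authorization", "Accept"}  # Marc's suggested configuration
PREFLIGHT = {"method": "OPTIONS", "headers": {  # constructed from the browser capture above
    "Origin": "http://fadiabdeen.github.io",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Headers": "accept, authorization"}}

def is_preflight(req):
    h = req["headers"]
    return req["method"] == "OPTIONS" and "Access-Control-Request-Method" in h

def cors_policy(req, allowed_headers):
    """Return (status, response headers), reporting failures like the 403 above."""
    h = req["headers"]
    origin = h.get("Origin")
    if origin not in ALLOWED_ORIGINS:   # never echo an arbitrary Origin back
        return 403, {"X-Policy-Failure-Message": "CORS: Origin not allowed"}
    if not is_preflight(req):
        return 200, {"Access-Control-Allow-Origin": origin}
    if h["Access-Control-Request-Method"].upper() not in ALLOWED_METHODS:
        return 403, {"X-Policy-Failure-Message": "CORS: Requested method not allowed"}
    # Header names are case-insensitive; browsers send them lowercased.
    requested = {x.strip().lower() for x in
                 h.get("Access-Control-Request-Headers", "").split(",") if x.strip()}
    if requested - {x.lower() for x in allowed_headers}:
        return 403, {"X-Policy-Failure-Message": "CORS: Requested header not allowed"}
    return 200, {"Access-Control-Allow-Origin": origin,
                 "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
                 "Access-Control-Allow-Headers": ", ".join(sorted(allowed_headers))}

def auth_policy(req):
    """OAuth-style check; a preflight carries no Authorization, hence the 401."""
    if "Authorization" not in req["headers"]:
        return 401, {"X-Policy-Failure-Message": "OAuth2 'Authorization' header "
                     "or 'access_token' query parameter must be provided."}
    return 200, {}

def run_chain(req, policies):
    """Run policies in order; a preflight that passes CORS stops there, never reaching auth."""
    out = {}
    for name, policy in policies:
        status, hdrs = policy(req)
        out.update(hdrs)
        if status != 200 or (name == "cors" and is_preflight(req)):
            return status, out
    return 200, out

def evaluate(req, allowed_headers, cors_before_auth=True):
    """The two policy orderings discussed in the thread."""
    cors = ("cors", lambda r: cors_policy(r, allowed_headers))
    return run_chain(req, [cors, ("auth", auth_policy)] if cors_before_auth
                     else [("auth", auth_policy), cors])
```

The actual GET that follows a successful preflight does carry `Authorization`, so with CORS first it passes both policies; only the OPTIONS preflight needs to stop at the CORS policy.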