[Apiman-user] Client App and CORS

Eric Wittmann eric.wittmann at redhat.com
Fri Aug 12 12:08:50 EDT 2016


The problem with doing that is:  how do we know what app is being used? 
And then, what happens if the CORS policy was configured either on the 
application or on the plan?  Without the API key we won't know what app 
is making the call and we also won't know what plan to use.

Perhaps a better solution is to handle CORS pre-flight requests 
separately?  Before the request ever even reaches the apiman policy 
engine.  It would be a relatively simple thing to implement a 
CorsPreflightOnlyFilter in the servlet implementation of the apiman gateway.

However, isn't there specific pre-flight related information configured 
in the CORS policy itself?  So perhaps a global filter wouldn't work 
well enough (since it wouldn't have information to those config settings).

The best approach *may* be to pass the api key in the URL.

-Eric

On 8/12/2016 11:20 AM, Marc Savy wrote:
> Hi Harry,
>
> As an interim option you can transmit the key as a query parameter
> instead of a header (e.g. /a/b/c/?apiKey=FOO).
>
> But, I think you're right. As I understand the CORS spec, we should
> always allow an OPTIONS request to (minimally) enter the policy chain,
> because browsers don't make a CORS preflight request with any custom
> headers (they simply don't transmit them).
>
> Under certain circumstances it might allow a client to hit a backend
> without a key when we don't want it to. Although I imagine the impact of
> this should generally be quite minimal.
>
> Others: Any thoughts?
>
> On 10 August 2016 at 22:45, Harry Trinta <harrytpc at gmail.com
> <mailto:harrytpc at gmail.com>> wrote:
>
>     Dears,
>
>     I've created a "client app" that has a lot of contracts with a lot
>     of APIs.
>
>     I'm having the following problem:
>
>         In cross-origin requests, when the browser sends an OPTIONS
>         request, it does not send the parameter X-API-Key. Then, apiman
>         returns an error: "API not public".
>
>
>     Is it possible to disable the X-API-Key validation of a "client app"
>     when the request is OPTIONS type?
>
>     Thanks,
>     Harry
>
>     _______________________________________________
>     Apiman-user mailing list
>     Apiman-user at lists.jboss.org <mailto:Apiman-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/apiman-user
>     <https://lists.jboss.org/mailman/listinfo/apiman-user>
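The servlet-level preflight handler Eric sketches above, as an added example that is not apiman's own code: it answers only genuine CORS preflights (OPTIONS carrying both Origin and Access-Control-Request-Method) before the policy engine runs, and never forwards them, which is the point Marc raises about key-less access to a backend. The allow-list, method list and header list are assumed constants standing in for the per-API CORS policy configuration that a global filter cannot see.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Handles CORS preflights before the policy engine sees them. Only a true
// preflight (OPTIONS + Origin + Access-Control-Request-Method) is answered
// here; anything else, including a bare OPTIONS, continues down the chain
// where the API-key check still runs. A preflight is never forwarded.
public class CorsPreflightOnlyFilter implements Filter {
    // Assumed values; in apiman these live in the CORS policy config.
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://app.example.com");
    private static final String ALLOWED_METHODS = "GET, POST, PUT, DELETE";
    private static final String ALLOWED_HEADERS = "X-API-Key, Content-Type";

    static boolean isPreflight(HttpServletRequest req) {
        return "OPTIONS".equalsIgnoreCase(req.getMethod())
            && req.getHeader("Origin") != null
            && req.getHeader("Access-Control-Request-Method") != null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (!isPreflight(req)) {
            chain.doFilter(request, response); // normal path: key validation applies
            return;
        }
        String origin = req.getHeader("Origin"); // non-null, checked in isPreflight
        if (!ALLOWED_ORIGINS.contains(origin)) {
            // Unknown origin: no CORS headers, so the browser refuses the real request.
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setHeader("Access-Control-Allow-Origin", origin);
        resp.setHeader("Vary", "Origin");
        resp.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
        resp.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Registering the filter ahead of the gateway servlet keeps the actual (non-OPTIONS) request on the normal path, so the X-API-Key check Harry describes is unchanged for the request that follows the preflight.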