[Apiman-user] How to solve the conflict about CORS and the X-API-Key in header?

Celso Agra celso.agra at gmail.com
Mon Oct 2 12:40:54 EDT 2017


Yeah! It is! My concern is because I'm passing the apiKey as a query param.

I don't know if requests work like this in SSL requests, but I believe
that query params can be viewed if you have a sniffer, unlike header params.

So, I'll probably have to allow the X-API-Key header in Apiman requests. Would
it be possible to add this feature in a plugin or maybe in Apiman? I'll
take a look at some classes to know how to do that.

I'd like to know if it is a feature that will contribute to the project.

Thanks for your answer, Marc.

Best Regards,

Celso Agra


2017-10-02 9:18 GMT-03:00 Marc Savy <marc.savy at redhat.com>:

> If I understand your questions correctly: by default CORS does not allow
> any custom headers to be sent in the request. This means that Apiman does
> not receive the X-API-Key header and necessarily can't figure out how to
> route the request. The same CORS restriction does not exist with query
> parameters so if you provide it with the query param you'll be okay.
>
> Perhaps a (partial) solution to some of these kinds of CORS issues is for
> Apiman to always indicate that the X-API-Key header is allowed.
>
> Regards,
> Marc
>
> On 27 September 2017 at 05:35, Celso Agra <celso.agra at gmail.com> wrote:
>
>> Hi all,
>>
>> I got some errors with CORS plugin when I try to use my API with a
>> contract.
>>
>> So, I consume my API passing info through header, such as: Authorization,
>> Content-Type, and X-API-Key.
>> I'm talking about a JavaScript application. So, CORS is a problem for
>> that language.
>>
>> When I configure my contract to allow Cross-Origin, the error is still
>> there, but if I put my X-API-Key as a query parameter, CORS works fine.
>> Could anyone help me to understand that?
>>
>> I'm concerned about passing my contract as a query parameter. It should be
>> in the header of my HTTP request.
>> Please help me to understand if it is a behaviour of the application and
>> how I can solve this without using a query param.
>>
>> Best Regards,
>>
>> --
>> ---
>> *Celso Agra*
>>
>


-- 
---
*Celso Agra*
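
An added example, not part of the original thread and not Apiman code: a simplified JavaScript model of the browser-side preflight check Marc describes, showing why a request carrying X-API-Key as a header is refused unless the preflight response lists it in Access-Control-Allow-Headers, while the same request without that header goes through. Function names and sample values are constructed; the value-length and byte checks of the Fetch standard are omitted.

```javascript
// Simplified model of the browser's CORS preflight header check.
// All names and sample values here are constructed for illustration.
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Request headers that are not CORS-safelisted: they force a preflight
// and must be named by the server before the browser sends the request.
function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (SAFELISTED.has(n)) return false;
      if (n === "content-type") {
        const essence = value.split(";")[0].trim().toLowerCase();
        return !SIMPLE_CONTENT_TYPES.has(essence);
      }
      return true;
    })
    .map(([name]) => name.toLowerCase())
    .sort();
}

// allowHeaders: Access-Control-Allow-Headers from the preflight response
// ("" if absent). Returns the headers the browser refuses; [] means allowed.
function blockedHeaders(headers, allowHeaders, withCredentials = false) {
  const allowed = new Set(
    allowHeaders.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  // "*" is a wildcard only without credentials and never covers Authorization.
  const wildcard = allowed.has("*") && !withCredentials;
  return unsafeHeaderNames(headers).filter(
    (n) => !allowed.has(n) && !(wildcard && n !== "authorization")
  );
}

// Constructed requests: key sent as a header vs. left out of the headers
// (sent as a query parameter instead).
const base = { "Content-Type": "application/json", Authorization: "Bearer <token>" };
const viaHeader = { ...base, "X-API-Key": "<key>" };
const viaQuery = { ...base };

console.log(blockedHeaders(viaHeader, "Content-Type, Authorization")); // header form refused
console.log(blockedHeaders(viaQuery, "Content-Type, Authorization")); // query form passes
console.log(blockedHeaders(viaHeader, "Content-Type, Authorization, X-API-Key"));
```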