[Apiman-user] How to solve the conflict about CORS and the X-API-Key in header?

Eric Wittmann eric.wittmann at redhat.com
Mon Oct 2 13:37:28 EDT 2017


Just to be clear - if X-API-Key is added as an allowed CORS header in the
CORS plugin configuration, does that solve the issue?

-Eric


On Mon, Oct 2, 2017 at 1:17 PM, Celso Agra <celso.agra at gmail.com> wrote:

> So, there is no prob to pass as query param!
>
> Thanks Marc
>
> Best Regards,
>
> Celso Agra
>
> 2017-10-02 13:49 GMT-03:00 Marc Savy <marc.savy at redhat.com>:
>
>> Hi Celso,
>>
>> The query string is encrypted with SSL/TLS.
>>
>> Regards,
>> Marc
>>
>> On 2 October 2017 at 17:40, Celso Agra <celso.agra at gmail.com> wrote:
>>
>>> Yeah! It is! My concern is because I'm passing the apiKey as a query
>>> param.
>>>
>>> I don't know if requests works like this in ssl requests, but I believe
>>> that query params can be viewed if you have a sniffer, unlike header params.
>>>
>>> So, I'm probably have to allow X-API-Key header in Apiman requests.
>>> Would be possible to add this feature in a plugin or maybe in the Apiman?
>>> I'll take a look in some classes to know how to do that.
>>>
>>> I'd like to know if it is a feature that will contribute with the
>>> project.
>>>
>>> Thanks for your answer Marc.
>>>
>>> Best Regards,
>>>
>>> Celso Agra
>>>
>>>
>>> 2017-10-02 9:18 GMT-03:00 Marc Savy <marc.savy at redhat.com>:
>>>
>>>> If I understand your questions correctly: by default CORS does not
>>>> allow any custom headers to be sent in the request. This means that Apiman
>>>> does not receive the X-API-Key header and necessarily can't figure out how
>>>> to route the request. The same CORS restriction does not exist with query
>>>> parameters so if you provide it with the query param you'll be okay.
>>>>
>>>> Perhaps a (partial) solution to some of these kinds of CORS issues is
>>>> for Apiman to always indicate that the X-API-Key header is allowed.
>>>>
>>>> Regards,
>>>> Marc
>>>>
>>>> On 27 September 2017 at 05:35, Celso Agra <celso.agra at gmail.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I got some errors with CORS plugin when I try to use my API with a
>>>>> contract.
>>>>>
>>>>> So, I consume my API passing info through header, such as:
>>>>> Authorization, Content-Type, and X-API-Key.
>>>>> I'm talking about a javascript application. So, CORS is a problem for
>>>>> that language.
>>>>>
>>>>> When I configure my contract to allow Cross-Origin, the error still
>>>>> there, but if I put my X-API-Key, as a query parameter, the CORS works fine.
>>>>> Does anyone could help me to understand that?
>>>>>
>>>>> I'm concerned to pass my contract as a query parameter. It should be
>>>>> on Header of my Http Request.
>>>>> Please, help me to understand if it is a behaviour of the application
>>>>> and how can I solve this without use query param.
>>>>>
>>>>> Best Regards,
>>>>>
>>>>> --
>>>>> ---
>>>>> *Celso Agra*
>>>>>
>>>>> _______________________________________________
>>>>> Apiman-user mailing list
>>>>> Apiman-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> ---
>>> *Celso Agra*
>>>
>>
>>
>
>
> --
> ---
> *Celso Agra*
>
> _______________________________________________
> Apiman-user mailing list
> Apiman-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20171002/73029b7b/attachment.html 


More information about the Apiman-user mailing list