[Apiman-user] How to solve the conflict about CORS and the X-API-Key in header?
Celso Agra
celso.agra at gmail.com
Mon Oct 2 14:07:48 EDT 2017
I attached an image. Also I added different kinds of headers, just to pass
in case of "Camel Case" validation
Unfortunately the CORS validation still occurs when I use the plugin...
2017-10-02 15:00 GMT-03:00 Marc Savy <marc.savy at redhat.com>:
> This is from memory, but no, I don't think so: the API key is needed
> before the correct policy chain (including CORS policy) can be
> resolved.
>
> The CORS protocol, when using a custom header, requires a preflight
> request, however the preflight does not allow any custom headers to be
> set, so we can't currently resolve the correct policy chain.
>
> We could think about specifically making X-API-Key available for
> preflight as I think that should always be okay, but I'll have to
> investigate whether there are any downsides.
>
> Of course, we could continue saying to use a query param in that scenario!
>
> On 2 October 2017 at 18:37, Eric Wittmann <eric.wittmann at redhat.com>
> wrote:
> > Just to be clear - if X-API-Key is added as an allowed CORS header in the
> > CORS plugin configuration, does that solve the issue?
> >
> > -Eric
> >
> >
> > On Mon, Oct 2, 2017 at 1:17 PM, Celso Agra <celso.agra at gmail.com> wrote:
> >>
> >> So, there is no prob to pass as query param!
> >>
> >> Thanks Marc
> >>
> >> Best Regards,
> >>
> >> Celso Agra
> >>
> >> 2017-10-02 13:49 GMT-03:00 Marc Savy <marc.savy at redhat.com>:
> >>>
> >>> Hi Celso,
> >>>
> >>> The query string is encrypted with SSL/TLS.
> >>>
> >>> Regards,
> >>> Marc
> >>>
> >>> On 2 October 2017 at 17:40, Celso Agra <celso.agra at gmail.com> wrote:
> >>>>
> >>>> Yeah! It is! My concern is because I'm passing the apiKey as a query
> >>>> param.
> >>>>
> >>>> I don't know if requests works like this in ssl requests, but I
> believe
> >>>> that query params can be viewed if you have a sniffer, unlike header
> params.
> >>>>
> >>>> So, I'm probably have to allow X-API-Key header in Apiman requests.
> >>>> Would be possible to add this feature in a plugin or maybe in the
> Apiman?
> >>>> I'll take a look in some classes to know how to do that.
> >>>>
> >>>> I'd like to know if it is a feature that will contribute with the
> >>>> project.
> >>>>
> >>>> Thanks for your answer Marc.
> >>>>
> >>>> Best Regards,
> >>>>
> >>>> Celso Agra
> >>>>
> >>>>
> >>>> 2017-10-02 9:18 GMT-03:00 Marc Savy <marc.savy at redhat.com>:
> >>>>>
> >>>>> If I understand your questions correctly: by default CORS does not
> >>>>> allow any custom headers to be sent in the request. This means that
> Apiman
> >>>>> does not receive the X-API-Key header and necessarily can't figure
> out how
> >>>>> to route the request. The same CORS restriction does not exist with
> query
> >>>>> parameters so if you provide it with the query param you'll be okay.
> >>>>>
> >>>>> Perhaps a (partial) solution to some of these kinds of CORS issues is
> >>>>> for Apiman to always indicate that the X-API-Key header is allowed.
> >>>>>
> >>>>> Regards,
> >>>>> Marc
> >>>>>
> >>>>> On 27 September 2017 at 05:35, Celso Agra <celso.agra at gmail.com>
> wrote:
> >>>>>>
> >>>>>> Hi all,
> >>>>>>
> >>>>>> I got some errors with CORS plugin when I try to use my API with a
> >>>>>> contract.
> >>>>>>
> >>>>>> So, I consume my API passing info through header, such as:
> >>>>>> Authorization, Content-Type, and X-API-Key.
> >>>>>> I'm talking about a javascript application. So, CORS is a problem
> for
> >>>>>> that language.
> >>>>>>
> >>>>>> When I configure my contract to allow Cross-Origin, the error still
> >>>>>> there, but if I put my X-API-Key, as a query parameter, the CORS
> works fine.
> >>>>>> Does anyone could help me to understand that?
> >>>>>>
> >>>>>> I'm concerned to pass my contract as a query parameter. It should be
> >>>>>> on Header of my Http Request.
> >>>>>> Please, help me to understand if it is a behaviour of the
> application
> >>>>>> and how can I solve this without use query param.
> >>>>>>
> >>>>>> Best Regards,
> >>>>>>
> >>>>>> --
> >>>>>> ---
> >>>>>> Celso Agra
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Apiman-user mailing list
> >>>>>> Apiman-user at lists.jboss.org
> >>>>>> https://lists.jboss.org/mailman/listinfo/apiman-user
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> ---
> >>>> Celso Agra
> >>>
> >>>
> >>
> >>
> >>
> >> --
> >> ---
> >> Celso Agra
> >>
> >> _______________________________________________
> >> Apiman-user mailing list
> >> Apiman-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/apiman-user
> >>
> >
>
--
---
*Celso Agra*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/apiman-user/attachments/20171002/71b4ed01/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apiman_cors_verify.png
Type: image/png
Size: 25258 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/apiman-user/attachments/20171002/71b4ed01/attachment-0001.png
More information about the Apiman-user
mailing list