<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">My two cent on below… Sorry if it spams your inbox.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The CORS Policy Preflight request, as per specification has to be a GET request and so if we use APIMan CORS Policy, we have to send the “apiKey” in get Request.
We faced this issue and so sharing our experience (Preflight request was not sending apiKey as we configured in Header).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Agree, sending “apiKey” through GET is not recommended, but this is CORS preflight spec restriction and we have to leave with it. Any thoughts on how APIMan
can help avoid that ? (allow preflight without apiKey on CORS request ?).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> apiman-user-bounces@lists.jboss.org [mailto:apiman-user-bounces@lists.jboss.org]
<b>On Behalf Of </b>Marc Savy<br>
<b>Sent:</b> Wednesday, December 19, 2018 01:42<br>
<b>To:</b> Renato Barros<br>
<b>Cc:</b> apiman-user@lists.jboss.org<br>
<b>Subject:</b> Re: [Apiman-user] APIMan return error 400 for header Access-Control-Request-Method<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">No problem, glad we cleared it up!<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, 18 Dec 2018 at 17:55, Renato Barros <<a href="mailto:renalexster@gmail.com">renalexster@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Sorry Marc,<br>
<br>
I misunderstood the concept of CORS and the plugin. My APIs are already prepared to use CORS requests. So that, I even don't need to create a CORS Policy in the APIMan.<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, 18 Dec 2018 at 14:29, Renato Barros <<a href="mailto:renalexster@gmail.com" target="_blank">renalexster@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Thanks for your reply Marc,<br>
<br>
About the OPTIONS request: It results from the preflight request, so it's not the real request. My frontend is attempting to do a POST request. However, before this, a preflight is sent to the server automatically. The matter is
<u>The Preflight Request Fails</u><o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The POST request works.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
My question is: Is there some problem with my CORS Policy? Should I disable (turn False) Terminate on Cors Error? Or It's the result of some CORS plugin problem?<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, 18 Dec 2018 at 14:04, Marc Savy <<a href="mailto:marc.savy@redhat.com" target="_blank">marc.savy@redhat.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div>
<div>
<p class="MsoNormal">Just to confirm: the purpose of the CORS plugin is to provide a CORS frontend to a service which does not currently have CORS. It is not to bypass CORS on a backend service that *already* has CORS. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">I believe you may be misunderstanding how the CORS protocol works.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">From my recollection, if you are doing a non-simple request (such as yours), then you must execute a preflight request first (which is a special type of OPTIONS request --
<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests" target="_blank">
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests</a>). <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The browser first executes the preflight request, THEN it separately and subsequently executes the real request. So, if you were attempting to execute an OPTIONS request then you would execute 2 separate calls. This is done on your behalf
transparently by the browser.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The 'real' call is approved by virtue of the preflight request, and does not require the CORS headers you're including (which make it look like a preflight request).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Please see: <a href="https://mdn.mozillademos.org/files/16401/preflight_.png" target="_blank">https://mdn.mozillademos.org/files/16401/preflight_.png</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If you are doing a *simple* request, as per the CORS specification, then no preflight is required and you embed the headers in the 'real' request as your samples show.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Does this resolve your issue?<o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, 18 Dec 2018 at 12:59, Renato Barros <<a href="mailto:renalexster@gmail.com" target="_blank">renalexster@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Hello Marc,<br>
<br>
I don't think the problem is associated with <b>Access-Control-Allow-Origin</b>. Below there are two requests using Restlet Client, the first one works without the
<b>Header Access-Controle-Request-Method</b>, the second only adding this Header gets fail.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, 18 Dec 2018 at 09:40, Marc Savy <<a href="mailto:marc.savy@redhat.com" target="_blank">marc.savy@redhat.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">I think your issue might be the way that you're formulating your request.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In order to issue a valid CORS request, you must set your origin header. You should probably try that first.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin" target="_blank">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">e.g. curl ... -H "Origin: mymachine.local" <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">When using a browser, this is usually issued on your behalf. But, if you're using curl, it won't be.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, 18 Dec 2018 at 12:35, Renato Barros <<a href="mailto:renalexster@gmail.com" target="_blank">renalexster@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Hi Marc,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">I've just updated the image with details. The Access-Control-Allow-Origin already had "*" as value.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, 18 Dec 2018 at 05:50, Marc Savy <<a href="mailto:marc.savy@redhat.com" target="_blank">marc.savy@redhat.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">I'm not sure why your browser isn't rendering it, but there should be a list in the Access-Control-Allow-Origin section that would allow you to add an entry such as "*" or "<a href="http://foo.com" target="_blank">foo.com</a>".<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">What is your setup? <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Mon, 17 Dec 2018 at 19:10, Renato Barros <<a href="mailto:renalexster@gmail.com" target="_blank">renalexster@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div>
<p class="MsoNormal">Hello all,<br>
<br>
I'm getting an error with <b>Access-Control-Request-Method</b> Header in my APIs.<br>
<br>
I posted details in <a href="https://stackoverflow.com/questions/53821510/apiman-return-error-400-for-header-access-control-request-method" target="_blank">
StackOverflow</a>. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Please, someone could help me?<o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Apiman-user mailing list<br>
<a href="mailto:Apiman-user@lists.jboss.org" target="_blank">Apiman-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/apiman-user" target="_blank">https://lists.jboss.org/mailman/listinfo/apiman-user</a><o:p></o:p></p>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
<font size="4" face="ArialNarrow" color="#008000">Accept the Challenge. Go Paperless
</font>
</body>
</html>