Hi,

I realized that the HttpExceptionMapper [1] provided by ag-sec does not work well in a CORS environment when returning a 401 response to the client.

Dan has found the fix by adding CORS headers in the HttpExceptionMapper; we implemented that in a custom class [2].

My question is, could we update the HttpExceptionMapper in ag-sec with these extra headers, or does that expose any side effects/risks?

Or should we provide just the CORS HttpExceptionMapper variant in ag-sec based on [2] and document that?

A JIRA [3] has been created to track this.

Seb




[1] https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/exception/HttpExceptionMapper.java

[2] https://github.com/aerogear/aerogear-push-quickstart-backend/blob/master/src/main/java/org/jboss/aerogear/aerodoc/rest/CorsExceptionHandler.java

[3] https://issues.jboss.org/browse/AGSEC-98
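
An added example, not part of the original message and not the code in [1] or [2]: a JAX-RS exception mapper that attaches CORS headers to a 401 only when the request's `Origin` is on an allowlist, so the browser lets the client script read the status without opening the response to every origin. The class name, the mapped exception type (`java.lang.SecurityException` as a stand-in) and the allowlist contents are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

// Hypothetical mapper for illustration; not the ag-sec or quickstart class.
@Provider
public class CorsAwareUnauthorizedMapper implements ExceptionMapper<SecurityException> {

    // Constructed sample allowlist; replace with the origins the backend serves.
    private static final Set<String> ALLOWED_ORIGINS =
            new HashSet<String>(Arrays.asList("https://app.example.com"));

    @Context
    private HttpHeaders requestHeaders;

    @Override
    public Response toResponse(SecurityException e) {
        Response.ResponseBuilder response =
                Response.status(Response.Status.UNAUTHORIZED).entity("Unauthorized");

        // Responses differ per Origin, so shared caches must key on it.
        response.header("Vary", "Origin");

        List<String> origins = requestHeaders.getRequestHeader("Origin");
        String origin = (origins == null || origins.isEmpty()) ? null : origins.get(0);

        // Echo the origin only on an exact allowlist match. Browsers reject "*"
        // together with credentials, and reflecting any origin with credentials
        // would let every site read authenticated responses.
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            response.header("Access-Control-Allow-Origin", origin);
            response.header("Access-Control-Allow-Credentials", "true");
        }
        // Origins off the allowlist get a plain 401 with no CORS headers, so the
        // browser keeps hiding the response from the calling script.
        return response.build();
    }
}
```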