I'm sure you can do that. I was just being lazy and it was quicker to test this way :)




On 2 August 2013 11:23, Sebastien Blanc <scm.blanc@gmail.com> wrote:
BTW,

Looking at your mapper, I wonder if you could not add that to HttpExceptionMapper class from ag-sec, if it makes sense and not side effects happens (I tried it in a non CORS app and saw no problem) I can do a PR for that on aerogear-security ? 

Seb



On Fri, Aug 2, 2013 at 11:14 AM, Sebastien Blanc <scm.blanc@gmail.com> wrote:
\o/
You're the man ! 
It works, thx you so much ! 



On Fri, Aug 2, 2013 at 11:09 AM, Daniel Bevenius <daniel.bevenius@gmail.com> wrote:
I've looked into this and I think the cause is that the HttpExceptionMapper does not add CORS headers. I tried to add an ExceptionMapper that does add CORS headers and it will then return a 401 to the browser instead of a failed request.
I've pushed this example to this branch:

Let me know if this fixes the error you were seeing.

/Dan


On 2 August 2013 09:47, Sebastien Blanc <scm.blanc@gmail.com> wrote:



On Fri, Aug 2, 2013 at 9:36 AM, Daniel Bevenius <daniel.bevenius@gmail.com> wrote:
Hey Seb, 

I'm trying to reproduce this but getting a Javascript error which is:
Uncaught ReferenceError: NewLeadController is not defined from aerodoc

Sorry, if you pull now it should be good 


I think I followed the steps above, but I did change the version aerogear.unifiedpush.sender.version to 0.2.1-SNAPSHOT as I did not have 0.2.0-SNAPSHOT. Any ideas about this?

Yes, that is good, though for reproducing this scenario the sender is not used, but yes you can use 0.2.1-SNAPSHOT
 




On 1 August 2013 21:01, Sebastien Blanc <scm.blanc@gmail.com> wrote:

Hi Folks,

I'm facing an issue and I hope you could help me on this.

My app is using ag-sec with  the @secure annotation and Resteasy.

Scenario: hitting secured endpoints without CORS (webapp deployed in the same domain)

When the user has not the role specified by @secure I got an exception, as expected https://gist.github.com/sebastienblanc/6134149

I assume it is because of this https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/interceptor/SecurityInterceptor.java#L71 and, perfect, works as designed.

The server returns a nice 401 status to the client.

Testing in a CORS configuration (web client running under another domain)

Same scenario I'm hitting a secure endpoint without having the role needed (BTW the OPTIONS preflights are handled without any errors).

I'm getting the same exception from the server but this time no proper 401 answer sent back to the client, and on client side the request is just canceled.

  1. Reproduce it To repoduce this scenario here are the step :

So, What I'm looking for is to have a normal 401 status sent back to the client when using CORS, maybe someone has some ides about this ?


Regards,

Seb


_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev


_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev


_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev


_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev



_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev