Hey Eric / Marc, 

Everything going good so far with the CORS fix but guessing there is something still, or maybe i'm doing something wrong ( it always happened to me ). 

I have setup my CORS Policy in API Man and included "Access-Control-Allow-Methods" : "OPTIONS","GET","POST","DELETE",'PUT". 

But i get a 403 and "CORS: Invalid preflight request; must use OPTIONS verb." on ANY service that is not GET. 

OPTIONS Header : 

    1. Remote Address:
      172.26.209.66:443
    2. Request URL:
      https://dev-internal-api.expdev.local/apiman-gateway/express/integration/1.0/test/methods/post
    3. Request Method:
      OPTIONS
    4. Status Code:
      200 OK
  1. Response Headersview source
    1. Access-Control-Allow-Headers:
      Accept, Authorization, Head
    2. Access-Control-Allow-Methods:
      OPTIONS, GET, POST, DELETE, PUT
    3. Access-Control-Allow-Origin:
      http://localhost:8383
    4. Access-Control-Max-Age:
      0
    5. Connection:
      keep-alive
    6. Date:
      Thu, 27 Aug 2015 18:44:39 GMT
    7. Server:
      WildFly/8
    8. Transfer-Encoding:
      chunked
    9. X-Powered-By:
      Undertow/1
  2. Request Headersview source
    1. Accept:
      */*
    2. Accept-Encoding:
      gzip, deflate, sdch
    3. Accept-Language:
      en-US,en;q=0.8,ar;q=0.6
    4. Access-Control-Request-Headers:
      accept, authorization
    5. Access-Control-Request-Method:
      POST
    6. Cache-Control:
      no-cache
    7. Connection:
      keep-alive
    8. Host:
      dev-internal-api.expdev.local
    9. Origin:
      http://localhost:8383
    10. Pragma:
      no-cache
    11. Referer:
      http://localhost:8383/keycloak-oauth/index.html?code=1SnLPvM2b4cuXeMp3w8s-3ETKBuI7hyPFy6mRs3hMy4.677e4cee-3dd7-4d19-9268-5045d171327
 



POST HEADER 

      1. Remote Address:
      2. Request URL:
      3. Request Method:
        POST
      4. Status Code:
        403 Forbidden
    1. Response Headersview source
      1. Access-Control-Allow-Origin:
      2. Connection:
        keep-alive
      3. Content-Length:
        195
      4. Content-Type:
        application/json
      5. Date:
        Thu, 27 Aug 2015 18:44:39 GMT
      6. Server:
        WildFly/8
      7. X-Policy-Failure-Code:
        400
      8. X-Policy-Failure-Message:
        CORS: Invalid preflight request; must use OPTIONS verb.
      9. X-Policy-Failure-Type:
        Authorization
      10. X-Powered-By:
        Undertow/1
    2. Request Headersview source
      1. Accept:
        application/json, text/plain, */*
      2. Accept-Encoding:
        gzip, deflate
      3. Accept-Language:
        en-US,en;q=0.8,ar;q=0.6
      4. Authorization:
        Bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJkYTI.................................qoQRgKQ
      5. Cache-Control:
        no-cache
      6. Connection:
        keep-alive
      7. Content-Length:
        0
      8. Host:
        dev-internal-api.expdev.local
      9. Origin:
      10. Pragma:
        no-cache