The error information implies you need to add 'Accept' as well as
'Authorization' in Access-Control-Allow-Headers
Also ensure GET is allowed in Access-Control-Allow-Methods
That's what I'd infer from the response your browser gave
On 19/08/2015 18:22, Fadi Abdin wrote:
The authorization header seems to have got cut off .. here it is, attached
On Wed, Aug 19, 2015 at 1:20 PM, Fadi Abdin <fadiabdeen@gmail.com> wrote:
Hey Marc,
Still no luck :( , I just got a fresh setup:
XMLHttpRequest cannot load
http://localhost:8080/apiman-gateway/express/testcors/1.0. No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://fadiabdeen.github.io' is therefore not
allowed access. The response had HTTP status code 403.
Here are snapshots .. is there anything you see wrong?

  Remote Address: 127.0.0.1:8080
  Request URL: http://localhost:8080/apiman-gateway/express/testcors/1.0
  Request Method: OPTIONS
  Status Code: 403 Forbidden

Response Headers:
  Access-Control-Max-Age: 0
  Connection: keep-alive
  Content-Length: 149
  Content-Type: application/json
  Date: Wed, 19 Aug 2015 17:15:34 GMT
  Server: WildFly/8
  X-Policy-Failure-Code: 400
  X-Policy-Failure-Message: CORS: Requested header not allowed
  X-Policy-Failure-Type: Authorization
  X-Powered-By: Undertow/1

Request Headers:
  Accept: */*
  Accept-Encoding: gzip, deflate, sdch
  Accept-Language: en-US,en;q=0.8,ar;q=0.6
  Access-Control-Request-Headers: accept, authorization
  Access-Control-Request-Method: GET
  Connection: keep-alive
  Host: localhost:8080
  Origin: http://fadiabdeen.github.io
  Referer: http://fadiabdeen.github.io/keycloak-oauth/public_html/?code=P9o9yTC1ZiZQ...
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
On Wed, Aug 19, 2015 at 12:45 PM, Marc Savy <marc.savy@redhat.com> wrote:
In many cases people are using non-browser applications (e.g.
mobile, B2B, Java app...) which don't use CORS, so I don't think
they are necessarily concomitant in all circumstances.
Certainly makes sense to document things if people are unaware.
On 19/08/2015 17:36, Fadi Abdin wrote:
I think there is no need to rely on the API for the CORS since it can
be handled in apiman, but maybe something needs to be indicated that
the CORS plugin must be installed and set up, at least in the UI, and
ideally get installed with the OAuth plugin (Keycloak) if it's not there.
On Wed, Aug 19, 2015 at 11:58 AM, Marc Savy <marc.savy@redhat.com> wrote:
I agree - I don't see any compelling reason to add that kind of
complexity for that case. I'm willing to be convinced, though.
On 19/08/2015 16:55, Eric Wittmann wrote:
> That is exactly what I was getting at. If you have apiman performing
> authentication, then apiman MUST ALSO perform CORS for you. Specifically
> for the reason you say: we don't want to skip authentication for
> OPTIONS requests.
>
> That said, we *could* add another option to all the authentication
> policies, allowing auth to be skipped for specific VERBs. That could be
> a reasonable feature. I don't think I'm in favor of it though.
>
> Instead, CORS functionality should be moved out of the back-end system
> and handled in apiman.
>
> -Eric
>
> On 8/19/2015 11:23 AM, Marc Savy wrote:
> > I think the case being suggested here is slightly different -
> >
> > This is one where someone has selected an Auth policy on the gateway,
> > but *not* a CORS policy - instead their back-end service supports CORS
> > and they want the service to handle the preflight request directly.
> > Should we pipeline the CORS preflight request through to the backend in
> > that case (i.e. bypass auth)? I'd say no, probably.
> >
> > Perhaps that's what you were getting at already!
> >
> > On 19/08/2015 14:16, Eric Wittmann wrote:
> >> I think that if apiman is being asked to do Authentication *and* CORS is
> >> required by the client, then apiman will have to do both.
> >>
> >> I think that's desirable anyway - it allows the back end service
> >> implementation to not worry about supporting CORS. It's a win-win.
> >>
> >> -Eric
> >>
> >> On 8/19/2015 9:09 AM, Marc Savy wrote:
> >> > What you're doing will always require a CORS preflight request (due to
> >> > the non-simple headers), and I'm not sure it makes sense for us as an
> >> > API gateway to funnel through CORS Preflight requests to the service
> >> > by default. It complicates things when you start thinking about
> >> > metering, security, etc.
> >> >
> >> > Eric, what do you think?
> >> >
> >> > On 19/08/2015 14:02, Fadi Abdin wrote:
> >> >> So what it seems like is that we have to use CORS Policy and add it
> >> >> before the Keycloak authentication policy in order for my preflight to
> >> >> pass .. that's the part I was missing completely. I'm not sure if it
> >> >> should be considered a bug or flexibility to do what we want .. But
> >> >> thanks for the explanation Marc.
> >> >>
> >> >> Anyway .. I'm still having a problem with CORS Policy, probably I just
> >> >> don't have the latest code. I added some details to the JIRA ticket.
> >> >>
> >> >> On Wed, Aug 19, 2015 at 5:53 AM, Marc Savy <marc.savy@redhat.com> wrote:
> >> >>
> >> >>   I replicated your set up as far as I could, and I couldn't replicate
> >> >>   your issue (perhaps your CORS setup is wrong?). Please see the JIRA
> >> >>   comments and screenshots - https://issues.jboss.org/browse/APIMAN-516
> >> >>
> >> >>   Either way, I also fixed a bug unrelated to your problem, so please
> >> >>   re-build the plugins before trying again :-).
> >> >>
> >> >>   On 18/08/2015 19:25, Fadi Abdin wrote:
> >> >>
> >> >>     It did not work.
> >> >>
> >> >>     I set up everything the way you told me Marc and I'm testing it on
> >> >>     my local. It seems it's sending that preflight OPTIONS and coming
> >> >>     back with 401 still.
> >> >>
> >> >>     On Tue, Aug 18, 2015 at 10:48 AM, Fadi Abdin <fadiabdeen@gmail.com> wrote:
> >> >>
> >> >>       I'm still working on it :( .. I had to give the network guys a
> >> >>       few IP addresses to whitelist so I can mvn install .. ... almost
> >> >>       there.
> >> >>
> >> >>       On Tue, Aug 18, 2015 at 9:46 AM, Marc Savy <marc.savy@redhat.com> wrote:
> >> >>
> >> >>         My pleasure! Did it work?
> >> >>
> >> >>         On 17/08/2015 16:38, Fadi Abdin wrote:
> >> >>
> >> >>           cool .. you're the man ;)
> >> >>
> >> >>           On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy <marc.savy@redhat.com> wrote:
> >> >>
> >> >>             I'm actually testing the fix right now. It will land both on
> >> >>             the 1.2.x branch and the 1.1.x branch shortly. You should be
> >> >>             able to test it out in a short while: I'll send you an email
> >> >>             when it's available.
> >> >>
> >> >>             On 17/08/2015 16:23, Fadi Abdin wrote:
> >> >>
> >> >>               Thank you Marc,
> >> >>               Is there a workaround that you can think of?
> >> >>               I'm doing it with angularjs, very simple
> >> >>
> >> >>               $http({method: 'GET', url: 'http://server/apiman-gateway/service',
> >> >>                      headers: {'Authorization': 'Bearer XXXXXXXXXXXXX'}
> >> >>               });
> >> >>
> >> >>               I assume you will fix it in the new version, right?
> >> >>
> >> >>               On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy <marc.savy@redhat.com> wrote:
> >> >>
> >> >>                 Hi,
> >> >>
> >> >>                 This is related to the JIRA I linked you to
> >> >>                 (https://issues.jboss.org/browse/APIMAN-516). Because of
> >> >>                 the way the policy chain currently works the behaviour of
> >> >>                 CORS is invalid in a few very specific cases (e.g. when
> >> >>                 you stack it with an auth policy). I'll let you know when
> >> >>                 it's fixed.
> >> >>
> >> >>                 Regards,
> >> >>                 Marc
> >> >>
> >> >>                 On 17/08/2015 15:44, Fadi Abdin wrote:
> >> >>
> >> >>                   I have a problem in calling a service in apiman-gateway
> >> >>                   with the Authorization: Bearer <token> in the header.
> >> >>
> >> >>                   It seems to preflight OPTIONS and return
> >> >>
> >> >>                     X-Policy-Failure-Message: OAuth2 'Authorization' header or 'access_token' query parameter must be provided.
> >> >>
> >> >>                   I am sending the bearer token with the request and I
> >> >>                   make sure in the preflight it's sent in the request.
> >> >>
> >> >>                     Access-Control-Request-Headers: accept, authorization
> >> >>
> >> >>                   Does anyone know if there is something I'm missing? Do I
> >> >>                   need to get authorization enabled or added anywhere? As
> >> >>                   a side note I have the below in my API as well:
> >> >>
> >> >>                     response.setHeader("Access-Control-Allow-Headers", "Authorization");
> >> >>
> >> >>                   _______________________________________________
> >> >>                   Apiman-user mailing list
> >> >>                   Apiman-user@lists.jboss.org
> >> >>                   https://lists.jboss.org/mailman/listinfo/apiman-user
> >> >>
_______________________________________________
Apiman-user mailing list
Apiman-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/apiman-user
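Added example, not code from this thread and not apiman's own policy implementation: a small model of a gateway-side CORS policy chained with a bearer-token auth policy, built around the preflight captured in the devtools snapshot above. It reproduces the two points the thread arrives at: the browser lists its own `accept` header next to `authorization` in Access-Control-Request-Headers, so allowing only `Authorization` yields "CORS: Requested header not allowed"; and a preflight never carries the Authorization header, so an auth policy placed before the CORS policy rejects every preflight with 401. The names (`corsPolicy`, `authPolicy`, `runChain`, the config shape) and the two request objects are hypothetical constructions for this example.

```javascript
// Added example (not apiman's code): a minimal policy chain showing how a
// gateway-side CORS policy evaluates a preflight and why it must run before
// the authentication policy. All names and config shapes are hypothetical.

// Constructed copy of the preflight from the devtools snapshot in the thread.
const PREFLIGHT = {
  method: 'OPTIONS',
  headers: {
    'origin': 'http://fadiabdeen.github.io',
    'access-control-request-method': 'GET',
    'access-control-request-headers': 'accept, authorization',
  },
};

// Constructed copy of the real request that follows a successful preflight.
const ACTUAL_GET = {
  method: 'GET',
  headers: { 'origin': 'http://fadiabdeen.github.io', 'authorization': 'Bearer XXXXXXXXXXXXX' },
};

function splitList(value) {
  return (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

function isPreflight(req) {
  return req.method === 'OPTIONS'
    && 'origin' in req.headers
    && 'access-control-request-method' in req.headers;
}

function policyFailure(status, message) {
  return { status, headers: { 'X-Policy-Failure-Message': message } };
}

// CORS policy: answers preflights itself (they are never forwarded to the
// back-end service) and lets every other request continue down the chain.
function corsPolicy(config) {
  const origins = config.allowedOrigins.map((o) => o.toLowerCase());
  const methods = config.allowedMethods.map((m) => m.toUpperCase());
  const headers = config.allowedHeaders.map((h) => h.toLowerCase());
  return function (req) {
    if (!isPreflight(req)) return null;
    const origin = req.headers['origin'];
    if (!origins.includes(origin.toLowerCase())) {
      return policyFailure(403, 'CORS: Origin not allowed');
    }
    const method = req.headers['access-control-request-method'].toUpperCase();
    if (!methods.includes(method)) {
      return policyFailure(403, 'CORS: Requested method not allowed');
    }
    // Every header the browser lists must be allowed. Chrome sends its own
    // 'accept' alongside 'authorization', which is what produced the 403.
    for (const h of splitList(req.headers['access-control-request-headers'])) {
      if (!headers.includes(h)) {
        return policyFailure(403, 'CORS: Requested header not allowed');
      }
    }
    return {
      status: 200,
      headers: {
        'Access-Control-Allow-Origin': origin,
        'Access-Control-Allow-Methods': config.allowedMethods.join(', '),
        'Access-Control-Allow-Headers': config.allowedHeaders.join(', '),
        'Access-Control-Max-Age': String(config.maxAge),
      },
    };
  };
}

// Bearer-token auth policy. Browsers never attach Authorization to a
// preflight, so if this policy runs first every preflight is rejected.
function authPolicy(req) {
  const auth = req.headers['authorization'] || '';
  if (!auth.startsWith('Bearer ')) {
    return policyFailure(401, "OAuth2 'Authorization' header or 'access_token' query parameter must be provided.");
  }
  return null;
}

// Policies run in order; the first one that produces a response ends the chain.
function runChain(policies, req) {
  for (const policy of policies) {
    const res = policy(req);
    if (res) return res;
  }
  return { status: 200, headers: {}, forwarded: true };
}

// Constructed configs: the one from the thread (Authorization only) and the fix.
const WEAK_CORS = { allowedOrigins: ['http://fadiabdeen.github.io'], allowedMethods: ['GET'], allowedHeaders: ['Authorization'], maxAge: 0 };
const FIXED_CORS = { ...WEAK_CORS, allowedHeaders: ['Accept', 'Authorization'] };

// Walks through the thread: header check fails, wrong order fails, right order passes.
function walkthrough() {
  return {
    missingAccept: runChain([corsPolicy(WEAK_CORS)], PREFLIGHT),
    authFirst: runChain([authPolicy, corsPolicy(FIXED_CORS)], PREFLIGHT),
    corsFirst: runChain([corsPolicy(FIXED_CORS), authPolicy], PREFLIGHT),
    actualGet: runChain([corsPolicy(FIXED_CORS), authPolicy], ACTUAL_GET),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(walkthrough(), null, 2));
}
```

The chain only short-circuits on the preflight; the actual GET still passes through the auth policy with its bearer token, which is the property Eric's reply is protecting: the gateway answers OPTIONS itself without ever skipping authentication for the real request.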