[aerogear-dev] Dealing with secured endpoints and CORS
Daniel Bevenius
daniel.bevenius at gmail.com
Fri Aug 2 03:36:17 EDT 2013
Hey Seb,
I'm trying to reproduce this but I'm getting a JavaScript error, which is:
Uncaught ReferenceError: NewLeadController is not defined from aerodoc
I think I followed the steps above, but I did change the version
aerogear.unifiedpush.sender.version to 0.2.1-SNAPSHOT as I did not have
0.2.0-SNAPSHOT. Any ideas about this?
On 1 August 2013 21:01, Sebastien Blanc <scm.blanc at gmail.com> wrote:
> Hi Folks,
>
> I'm facing an issue and I hope you could help me on this.
>
> My app is using ag-sec with the @secure annotation and Resteasy.
>
> Scenario: hitting secured endpoints without CORS (webapp deployed in the same domain)
> <https://gist.github.com/sebastienblanc/6133102#scenario-hitting-secured-endpoints-without-cors-webapp-deployed-in-the-same-domain>
>
> When the user does not have the role specified by @secure I got an exception, as
> expected: https://gist.github.com/sebastienblanc/6134149
>
> I assume it is because of this
> https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/interceptor/SecurityInterceptor.java#L71 and,
> perfect, works as designed.
>
> The server returns a nice 401 status to the client.
> Testing in a CORS configuration (web client running under another domain)
> <https://gist.github.com/sebastienblanc/6133102#testing-in-a-cors-configuration-web-client-running-under-another-domain>
>
> Same scenario: I'm hitting a secured endpoint without having the role needed
> (BTW the OPTIONS preflights are handled without any errors).
>
> I'm getting the same exception from the server, but this time no proper 401
> answer is sent back to the client, and on the client side the request is just
> canceled.
>
> 1. Reproduce it: to reproduce this scenario, here are the steps:
>
> - Clone this branch:
> https://github.com/sebastienblanc/aerogear-push-quickstart-backend/tree/cors_tests
> then mvn clean install, mvn jboss-as:deploy
>
> - Clone this branch:
> https://github.com/aerogear/aerogear-push-quickstart-web/tree/AGPUSH-160 and
> deploy it, making sure it's not running on the same port as the aerodoc backend
> (for instance python -m SimpleHTTPServer)
>
> - Browse to the simple client (in case you use the python webserver it will
> be localhost:8000)
>
> - Log in with maria/123
>
> - Refresh the page: you should see the failure on retrieving the /leads
> endpoints.
>
> So, what I'm looking for is to have a normal 401 status sent back to the
> client when using CORS. Maybe someone has some ideas about this?
>
>
> Regards,
>
> Seb
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
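An added illustration of the symptom Seb describes, not code from this thread or from aerogear-security: the thread does not name the cause, but a common one is that the 401 produced by the authorization interceptor leaves the server without CORS headers, in which case the browser hides the status from the page and the client only sees a failed request. The allowed origin, the role name and the endpoint body are constructed here; the client is assumed to send credentials.

```javascript
// Browsers expose a cross-origin response to the page only when it carries a matching
// Access-Control-Allow-Origin header. If the authorization interceptor throws before CORS
// headers are written, the 401 leaves bare and the client sees a cancelled request.
// Constructed: the origin of the python SimpleHTTPServer client from the thread.
const ALLOWED_ORIGINS = new Set(["http://localhost:8000"]);

class NotAuthorizedError extends Error {}

// Constructed secured endpoint; the role name "admin" is a placeholder.
function leadsEndpoint(req) {
  if (!req.user || !req.user.roles.includes("admin")) throw new NotAuthorizedError("missing role");
  return JSON.stringify([{ id: 1, name: "lead-1" }]);
}

function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" };
}

// Weak ordering: CORS headers are attached only on the success path, so the
// 401 produced by the authorization failure goes out without them.
function handleNaive(req) {
  try {
    return { status: 200, headers: corsHeadersFor(req.headers.origin), body: leadsEndpoint(req) };
  } catch (e) {
    if (e instanceof NotAuthorizedError) return { status: 401, headers: {}, body: "" };
    throw e;
  }
}

// Corrected ordering: compute the CORS headers first and attach them to every
// response, preflight and error responses included.
function handleWithCors(req) {
  const headers = corsHeadersFor(req.headers.origin);
  if (req.method === "OPTIONS") return { status: 204, headers, body: "" };
  try {
    return { status: 200, headers, body: leadsEndpoint(req) };
  } catch (e) {
    if (e instanceof NotAuthorizedError) return { status: 401, headers, body: "" };
    throw e;
  }
}

// What a page served from `origin` can observe. With credentials the header must echo
// the origin exactly (a wildcard is rejected); otherwise fetch rejects with a TypeError.
function browserView(origin, res) {
  if (res.headers["Access-Control-Allow-Origin"] !== origin) return { error: "TypeError: Failed to fetch" };
  return { status: res.status };
}
```

Running both handlers for a logged-in user without the role shows the difference: the naive handler's 401 is invisible to the page, while the corrected handler's 401 arrives as a status the client can act on.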