[aerogear-dev] [AG-SEC] HttpExceptionMapper and CORS

Sebastien Blanc scm.blanc at gmail.com
Thu Aug 8 01:28:20 EDT 2013


On Thu, Aug 8, 2013 at 6:55 AM, Bruno Oliveira <bruno at abstractj.org> wrote:

> This piece of code will be removed from AGSec
>
> https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/exception/HttpExceptionMapper.java#L37
> because it is something very tied to Resteasy.
>

Oh that is great news, that was also a point worrying me a bit ... so +1

>
> Regarding the issue with CORS, at first glance if we are willing to
> provide it on AGSec we will send extra HTTP headers to every
> unauthorized request. And it is impossible for AGSec to cover every corner
> case, because at this point we should be able to distinguish CORS
> requests from non-CORS ones to send the correct headers.
>
> In the next releases the dependency on Resteasy will be removed and we
> will have only this block of code
>
> https://github.com/aerogear/aerogear-security/blob/1.1.x/src/main/java/org/jboss/aerogear/security/exception/HttpExceptionMapper.java#L41
> .
>
>
> I can't see any problems with having it in your project, unless we think
> this is very very high priority, leave it as is and feel free to
> implement your own exception handler.
>
Yes, will do that, but at the same time I think we should document that
somewhere, in case someone is facing the same issue. Any idea where would
be the best place to doc that?


>
> Sebastien Blanc wrote:
> > Hi,
> >
> > I realized that the HttpExceptionMapper[1] provided by ag-sec does not
> > work well in a CORS environment when returning a 401 response to the
> > client.
> >
> > Dan has found the fix by adding CORS headers in the HttpExceptionMapper,
> > we implemented that in a custom class[2] .
> >
> > My question is, could we update the HttpExceptionMapper in ag-sec with
> > these extra headers, or does that expose any side effects/risks?
> >
> > Or should we provide just the CORS HttpExceptionMapper variant in ag-sec
> > based on [2] and document that?
> >
> > A JIRA [3] has been created to track this.
> >
> > Seb
> >
> >
> >
> >
> > [1] https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/exception/HttpExceptionMapper.java
> >
> > [2] https://github.com/aerogear/aerogear-push-quickstart-backend/blob/master/src/main/java/org/jboss/aerogear/aerodoc/rest/CorsExceptionHandler.java
> >
> > [3] https://issues.jboss.org/browse/AGSEC-98
> >
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
> --
> abstractj
>
>
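
Added example, not part of the original thread and not AeroGear's code: a JAX-RS exception mapper that tells a CORS request from a non-CORS one by its Origin header and adds CORS headers to the 401 only for allowlisted origins. The names UnauthorizedException, CorsAwareExceptionMapper and ALLOWED_ORIGINS, and the origin value, are hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

// Hypothetical application exception that results in a 401 response.
class UnauthorizedException extends RuntimeException {
    UnauthorizedException(String message) { super(message); }
}

@Provider
public class CorsAwareExceptionMapper implements ExceptionMapper<UnauthorizedException> {

    // Constructed allowlist: the origins the browser client is served from.
    private static final Set<String> ALLOWED_ORIGINS =
            new HashSet<String>(Arrays.asList("https://app.example.com"));

    @Context
    private HttpHeaders headers; // request headers, injected by the JAX-RS runtime

    @Override
    public Response toResponse(UnauthorizedException e) {
        Response.ResponseBuilder rb = Response.status(Response.Status.UNAUTHORIZED)
                .entity(e.getMessage())
                // The response differs per Origin, so caches must key on it.
                .header("Vary", "Origin");

        // Browsers attach Origin to cross-origin requests; without it this is
        // not a CORS request and the plain 401 is returned.
        List<String> origins = headers.getRequestHeader("Origin");
        String origin = (origins == null || origins.isEmpty()) ? null : origins.get(0);

        // Echo the origin only when it is allowlisted: never "*", and never an
        // unchecked reflection of whatever the caller sent.
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            rb.header("Access-Control-Allow-Origin", origin);
            // Assumption: the client authenticates with cookies, so the browser
            // needs this header to expose the 401 to the calling script.
            rb.header("Access-Control-Allow-Credentials", "true");
        }
        return rb.build();
    }
}
```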