[Apiman-user] CORS
Marc Savy
marc.savy at redhat.com
Wed Aug 19 11:58:52 EDT 2015
I agree - I don't see any compelling reason to add that kind of complexity for that case. I'm willing to be convinced, though.
On 19/08/2015 16:55, Eric Wittmann wrote:
> That is exactly what I was getting at. If you have apiman performing
> authentication, then apiman MUST ALSO perform CORS for you. Specifically
> for the reason you say: we don't want to skip authentication for
> OPTIONS requests.
>
> That said, we *could* add another option to all the authentication
> policies, allowing auth to be skipped for specific VERBs. That could be
> a reasonable feature. I don't think I'm in favor of it though.
>
> Instead, CORS functionality should be moved out of the back-end system
> and handled in apiman.
>
> -Eric
>
> On 8/19/2015 11:23 AM, Marc Savy wrote:
> > I think the case being suggested here is slightly different -
> >
> > This is one where someone has selected an Auth policy on the gateway,
> > but *not* a CORS policy - instead their back-end service supports CORS
> > and they want the service to handle the preflight request directly.
> > Should we pipeline the CORS preflight request through to the backend in
> > that case (i.e. bypass auth)? I'd say no, probably.
> >
> > Perhaps that's what you were getting at already!
> >
> > On 19/08/2015 14:16, Eric Wittmann wrote:
> >> I think that if apiman is being asked to do Authentication *and* CORS is
> >> required by the client, then apiman will have to do both.
> >>
> >> I think that's desirable anyway - it allows the back end service
> >> implementation to not worry about supporting CORS. It's a win-win.
> >>
> >> -Eric
> >>
> >> On 8/19/2015 9:09 AM, Marc Savy wrote:
> >> > What you're doing will always require a CORS preflight request (due to
> >> > the non-simple headers), and I'm not sure it makes sense for us as an
> >> > API gateway to funnel through CORS Preflight requests to the service
> >> > by default. It complicates things when you start thinking about
> >> > metering, security, etc.
> >> >
> >> > Eric, what do you think?
> >> >
> >> > On 19/08/2015 14:02, Fadi Abdin wrote:
> >> >> So what it seems like is that we have to use CORS Policy and add it
> >> >> before the Keycloak authentication policy in order for my preflight to
> >> >> pass .. that's the part I was missing completely. I'm not sure if it
> >> >> should be considered a bug or flexibility to do what we want .. But
> >> >> thanks for the explanation Marc.
> >> >>
> >> >> Anyway .. I'm still having a problem with CORS Policy, probably I just
> >> >> don't have the latest code. I added some details to the JIRA ticket.
> >> >>
> >> >> On Wed, Aug 19, 2015 at 5:53 AM, Marc Savy <marc.savy at redhat.com> wrote:
> >> >>
> >> >> I replicated your set up as far as I could, and I couldn't replicate
> >> >> your issue (perhaps your CORS setup is wrong?). Please see the JIRA
> >> >> comments and screenshots -
> >> >> https://issues.jboss.org/browse/APIMAN-516
> >> >>
> >> >> Either way, I also fixed a bug unrelated to your problem, so please
> >> >> re-build the plugins before trying again :-).
> >> >>
> >> >> On 18/08/2015 19:25, Fadi Abdin wrote:
> >> >>
> >> >> It did not work.
> >> >>
> >> >> I set up everything the way you told me Marc and I'm testing it on my
> >> >> local.
> >> >> It seems it's sending that preflight OPTIONS and coming back with
> >> >> 401 still
> >> >>
> >> >> On Tue, Aug 18, 2015 at 10:48 AM, Fadi Abdin <fadiabdeen at gmail.com> wrote:
> >> >>
> >> >> I'm still working on it :( .. I had to give the network guys a few IP
> >> >> addresses to whitelist so I can mvn install .. ... almost there.
> >> >>
> >> >> On Tue, Aug 18, 2015 at 9:46 AM, Marc Savy <marc.savy at redhat.com> wrote:
> >> >>
> >> >> My pleasure! Did it work?
> >> >>
> >> >> On 17/08/2015 16:38, Fadi Abdin wrote:
> >> >>
> >> >> cool .. you're the man ;)
> >> >>
> >> >>
> >> >> On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy <marc.savy at redhat.com> wrote:
> >> >>
> >> >> I'm actually testing the fix right now. It will land both on the 1.2.x
> >> >> branch and the 1.1.x branch shortly. You should be able to test it out
> >> >> in a short while: I'll send you an email when it's available.
> >> >>
> >> >> On 17/08/2015 16:23, Fadi Abdin wrote:
> >> >>
> >> >> Thank you Marc,
> >> >> Is there a work around that you can think of?
> >> >> I'm doing it with angularjs, very simple
> >> >>
> >> >> $http({method: 'GET', url: 'http://server/apiman-gateway/service',
> >> >>        headers: {'Authorization': 'Bearer XXXXXXXXXXXXX'}
> >> >> });
> >> >>
> >> >> I assume you will fix it in the new version, right?
> >> >>
> >> >>
> >> >>
> >> >> On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy <marc.savy at redhat.com> wrote:
> >> >>
> >> >> Hi,
> >> >>
> >> >> This is related to the JIRA I linked you to
> >> >> (https://issues.jboss.org/browse/APIMAN-516). Because of the way the
> >> >> policy chain currently works the behaviour of CORS is invalid in a
> >> >> few very specific cases (e.g. when you stack it with an auth
> >> >> policy). I'll let you know when it's fixed.
> >> >>
> >> >> Regards,
> >> >> Marc
> >> >>
> >> >> On 17/08/2015 15:44, Fadi Abdin wrote:
> >> >>
> >> >> I have a problem in calling a service in apiman-gateway with the
> >> >> Authorization: Bearer <token> in the header.
> >> >>
> >> >> It seems to preflight OPTIONS and return
> >> >>
> >> >> X-Policy-Failure-Message: OAuth2 'Authorization' header or
> >> >> 'access_token' query parameter must be provided.
> >> >>
> >> >> I am sending the bearer token with the request and I make sure in the
> >> >> preflight it's sent in the request.
> >> >>
> >> >> Access-Control-Request-Headers: accept, authorization
> >> >>
> >> >> Does anyone know if there is something I'm missing? Do I need to get
> >> >> authorization enabled or added anywhere? As a side note I have below
> >> >> in my api as well:
> >> >>
> >> >> response.setHeader("Access-Control-Allow-Headers", "Authorization");
> >> >>
> >> >>
> >> >> _______________________________________________
> >> >> Apiman-user mailing list
> >> >> Apiman-user at lists.jboss.org
> >> >> https://lists.jboss.org/mailman/listinfo/apiman-user
> >> >>
> >> >
> >> >
> >
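An added example, not apiman's code and not the AngularJS snippet from the thread: a small JavaScript model of the gateway policy chain discussed above. The origin, the allowed-header list and the request objects are constructed; it shows why the preflight gets the 401 when the auth policy runs before CORS, and why putting CORS first lets the gateway answer the preflight while the actual GET is still authenticated.

```javascript
// Added example (not apiman code): a minimal model of a gateway policy chain
// showing why a CORS preflight fails when an auth policy runs before CORS.
// Browsers send the preflight OPTIONS without the Authorization header; it
// is only announced in Access-Control-Request-Headers.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);    // constructed
const ALLOWED_HEADERS = new Set(["accept", "authorization"]); // constructed

function isPreflight(req) {
  return req.method === "OPTIONS" && "origin" in req.headers &&
         "access-control-request-method" in req.headers;
}

// CORS policy: answers a valid preflight itself and stops the chain.
function corsPolicy(req) {
  if (!isPreflight(req)) return null; // not a preflight: let the chain continue
  const origin = req.headers["origin"];
  const wanted = (req.headers["access-control-request-headers"] || "")
    .split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_ORIGINS.has(origin) || !wanted.every(h => ALLOWED_HEADERS.has(h))) {
    return { status: 403, headers: {}, body: "CORS preflight rejected" };
  }
  return { status: 200, body: "", headers: {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Headers": wanted.join(", ") } };
}

// Auth policy: requires a bearer token (the 401 seen in the thread).
function authPolicy(req) {
  if (!(req.headers["authorization"] || "").startsWith("Bearer ")) {
    return { status: 401, body: "", headers: { "X-Policy-Failure-Message":
      "OAuth2 'Authorization' header or 'access_token' query parameter must be provided." } };
  }
  return null;
}

// Runs policies in order; the first one that returns a response short-circuits.
function runChain(policies, req) {
  for (const p of policies) { const r = p(req); if (r) return r; }
  return { status: 200, headers: {}, body: "backend response" };
}

// Constructed preflight, as a browser sends it for the AngularJS call above.
const PREFLIGHT = { method: "OPTIONS", headers: {
  "origin": "https://app.example", "access-control-request-method": "GET",
  "access-control-request-headers": "accept, authorization" } };

// Auth before CORS: the preflight never reaches the CORS policy -> 401.
function authFirst(req) { return runChain([authPolicy, corsPolicy], req); }
// CORS before auth: the gateway answers the preflight -> 200 (the real GET still needs a token).
function corsFirst(req) { return runChain([corsPolicy, authPolicy], req); }
```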