[Apiman-user] 401 on a CORS preflight request
Jairo Junior
junior.jairo1 at gmail.com
Fri Jul 22 11:02:39 EDT 2016
Had to create a new version of my API and re-publish, but it worked.
Thank you.
On Fri, Jul 22, 2016 at 10:59 AM Eric Wittmann <eric.wittmann at redhat.com>
wrote:
> Sure thing! The problem is that the web.xml file in the
> apiman-gateway-api.war web application is too restrictive. This is what
> I mean:
>
>
> https://github.com/apiman/apiman/blob/master/gateway/platforms/war/wildfly8/api/src/main/webapp/WEB-INF/web.xml#L40-L48
>
> That security constraint is too restrictive. The
> <web-resource-collection> should specify which http methods to secure.
> Because it doesn't do this, *all* of the http methods are secured by
> default. Here is an example that does it correctly with respect to CORS:
>
>
> https://github.com/apiman/apiman/blob/master/manager/api/war/wildfly8/src/main/webapp/WEB-INF/web.xml#L74-L82
>
> So here's what you need to do:
>
> 1) unpack WILDFLY/standalone/deployments/apiman-gateway-api.war
> 2) open the WEB-INF/web.xml file in a text editor
> 3) add the following XML markup after line 43:
>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> <http-method>PUT</http-method>
> <http-method>DELETE</http-method>
> <http-method>HEAD</http-method>
>
> 4) save the web.xml changes
> 5) re-zip everything, resulting in a new version of
> apiman-gateway-api.war
> 6) deploy the new version of apiman-gateway-api.war to Wildfly,
> replacing the old version
> 7) start wildfly
> 8) profit!
>
> -Eric
>
> On 7/22/2016 8:23 AM, Jairo Junior wrote:
> > I would like the workaround. =)
> >
> > On Fri, Jul 22, 2016 at 9:15 AM Eric Wittmann <eric.wittmann at redhat.com> wrote:
> >
> > Thanks for the info. You've hit a bug in apiman, unfortunately. I have
> > created a ticket for this bug here:
> >
> > https://issues.jboss.org/browse/APIMAN-1209
> >
> > You can resolve (work around) this issue locally (without rebuilding
> > apiman) or you can wait for us to fix the bug and release a new version.
> > If you would like instructions on how to work around the bug locally,
> > let me know.
> >
> > -Eric
> >
> > On 7/22/2016 7:55 AM, Jairo Junior wrote:
> > > EAP 7.0 + apiman 1.2.7 overlay, but I've also tried with docker image
> > > apiman/on-wildfly10:1.2.7.Final
> > >
> > > /apiman-gateway/org/service/1.0 with Keycloak OAuth Policy
> > >
> > > On Fri, Jul 22, 2016 at 8:29 AM Eric Wittmann <eric.wittmann at redhat.com> wrote:
> > >
> > > Apiman should allow OPTIONS requests without requiring authorization.
> > > What is your setup/configuration (which app server, etc)? Also what
> > > apiman REST endpoints are you trying to access?
> > >
> > > -Eric
> > >
> > > On 7/22/2016 7:22 AM, Jairo Junior wrote:
> > > > I've been trying to set up apiman + keycloak-oauth-plugin + keycloak +
> > > > keycloak.js with a client-side angularjs app and a REST API. It's a
> > > > scenario very similar to
> > > > https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app,
> > > > but with apiman and CORS.
> > > >
> > > > My tests are going well with curl, but using my javascript app the
> > > > browser is performing a CORS preflight OPTIONS request without
> > > > authorization header.
> > > >
> > > > OPTIONS request works well with authorization header using curl,
> > > > therefore, I'm not sure whether the browser should include authorization
> > > > header or apiman should allow CORS preflight requests (OPTIONS) without
> > > > authorization header.
>
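
The effect of the web.xml change in the quoted workaround, as an added example that is not part of the original thread or of apiman's code: a Python check that reports whether a servlet security constraint demands authentication for a given HTTP method. The sample descriptor is constructed (its url-pattern and role name are placeholders, not values from apiman's web.xml), and the check also handles `http-method-omission`, which the thread does not mention.

```python
import xml.etree.ElementTree as ET

# Constructed sample, NOT the real apiman web.xml: url-pattern and role-name are placeholders.
BEFORE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>EXAMPLE_ROLE</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Same constraint after the workaround: the five methods from the quoted steps are listed.
METHODS = ("GET", "POST", "PUT", "DELETE", "HEAD")
AFTER = BEFORE.replace(
    "</url-pattern>",
    "</url-pattern>" + "".join(f"<http-method>{m}</http-method>" for m in METHODS),
)

def local(tag):
    """Strip the XML namespace so the check works with any web-app schema version."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    """Direct children of elem with the given local tag name."""
    return [c for c in elem if local(c.tag) == name]

def constrained(web_xml, method):
    """Return the url-patterns whose auth-constraint applies to `method`."""
    hits = []
    root = ET.fromstring(web_xml)
    for sc in children(root, "security-constraint"):
        if not children(sc, "auth-constraint"):
            continue  # no auth-constraint element: this constraint demands no login
        for wrc in children(sc, "web-resource-collection"):
            listed = {m.text.strip().upper() for m in children(wrc, "http-method")}
            omitted = {m.text.strip().upper() for m in children(wrc, "http-method-omission")}
            if listed:
                covered = method in listed       # only the listed methods are secured
            elif omitted:
                covered = method not in omitted  # everything except the omitted ones
            else:
                covered = True                   # no method elements: all methods secured
            if covered:
                hits += [p.text.strip() for p in children(wrc, "url-pattern")]
    return hits

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, "OPTIONS requires auth on:", constrained(doc, "OPTIONS"))
```

Every method missing from the list falls outside the constraint, not only OPTIONS, so running the same function for methods such as PATCH shows what else the edited descriptor leaves unauthenticated at the container level.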