Bypassing authentication for “Options request” (so all headers are sent in the response)

Question

This is in the context of Cross-origin resource sharing. For the preflight request, the server is not sending the headers set. When a valid cookie is not passed with the \"Opti

Answer 1

"LimitExcept" directive solved it. In fact, prior to posting the question I tried the directive, however the mistake earlier was including the first two lines ("Options Includes..." and "Alowoverride...") within the "LimitExcept" block.

<Directory /app1/dir/>      
  Options Includes FollowSymLinks ExecCGI MultiViews
  AllowOverride None
  <LimitExcept OPTIONS>
    Order allow,deny
    allow from all
    AuthType Net
    PubcookieInactiveExpire -1
    PubcookieAppID app1.company.com
    require valid-user
  </LimitExcept> #<- syntax error fixed.
</Directory>

Answer 2

We solved this with different configuration. Below is the snippet from myApplication.conf file at /usr/local/apache/conf/extra

    <Location "/myService">
      SetEnvIf Request_URI "/healthCheck" REDIRECT_noauth=1
      SetEnvIf Request_Method "OPTIONS" REDIRECT_noauth=1
      AuthType Basic
      AuthName "myService"
      AuthUserFile /usr/local/apache/conf/passwd/passwords
      AuthGroupFile /usr/local/apache/conf/passwd/groups
      Require group GroupName
      Order allow,deny
      Allow from env=REDIRECT_noauth
      Satisfy any
   </Location>

So, we can bypass the authentication:

• Based on particular URI, in above example /healthCheck is bypassed

• Based on HTTP method, in above example OPTIONS is bypassed and auth will be prompted for other HTTP methods

Hope it helps someone to resolve the issues.