jBoss CORS support with security constraints

萝らか妹 提交于 2019-12-12 15:42:26

问题


I'm adding authentication to my API using the web-common security constraints, but it seems to have broken my CORS filter. I've previously had it working with just the filter and no app server level authentication.

The basic idea is to require authentication on all requests expect those under the /rest/account endpoint, as these are the ones that handle the initial login and so need to be publicly accessible.

Testing in both Chrome and Postman returns a 405 Method not allowed response when the OPTIONS call is made as part of the POST request when trying to login.

Hopefully I've provided everything relevant below but let me know if anything else is needed. Thanks in advance!

My CORS filter

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedHeaders</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowSubdomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportsCredentials</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

My security constraints

<security-constraint>
    <display-name>WebsiteUsers</display-name>
    <web-resource-collection>
        <web-resource-name>WebsiteAPI</web-resource-name>
        <description/>
        <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Standard User authentication</description>
        <role-name>Users</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <description>Matches a few special endpoints</description>
        <url-pattern>/rest/account/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint means everybody has access! -->
</security-constraint>

回答1:


Try adding <http-method-omission>OPTIONS</http-method-omission> to the protected <web-resource-collection>. This should allow OPTIONS request through to your CORS filter (which would then send back proper Access-Control-Allow-Methods response header).

See https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html

Alternatively (if you need to support servlet spec < 3.0) you could define all the methods that need authentication instead (GET, POST, DELETE, PUT, etc. - except OPTIONS) - using <http-method>



来源:https://stackoverflow.com/questions/34317677/jboss-cors-support-with-security-constraints

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!