topic OPTIONS Request returning 401 in Alfresco Archive

OPTIONS Request returning 401

jhahn — Tue, 24 Feb 2015 08:24:13 GMT

HiI'm using 5.17.0 and after we upgraded from 5.15.1, we are seeing issues with CORS.Basically our front-end hits activiti-rest via javascript (temporary, we will have our own service later) which means we need to have CORS set up. However, I think the OPTIONS pre-flight request browsers make is get

Re: OPTIONS Request returning 401

jhahn — Tue, 24 Feb 2015 08:36:51 GMT

Actually, probably prefer the option 1… ignore option 2 haha

Re: OPTIONS Request returning 401

b_schnarr — Tue, 24 Feb 2015 11:18:36 GMT

I can confirm this problem. With 5.16-Snapshot (without Spring Security), CORS worked very well with the build in Tomcat CORS-Filter. Since we upgraded to 5.17, the OPTIONS-Request fails with 401 because custom Authorization headers are not included in the request although they are configured as "allowed-headers" and "exposed-headers" in the Tomcat-CORS Filter

Is there any idea how to solve this?

Re: OPTIONS Request returning 401

trademak — Tue, 24 Feb 2015 19:28:39 GMT

CORS can be configured for Spring Security so you would need to change the SecurityConfiguration of the REST web app.

Best regards,

Re: OPTIONS Request returning 401

b_schnarr — Tue, 24 Feb 2015 20:06:25 GMT

I googled a lot and even the official Spring documentation says that a CORS-Filter is enough : https://spring.io/guides/gs/rest-service-cors/

And this filter is provided by the Tomcat. Therefore, which configuration in SpringConfiguration do you mean?

Best regards
Ben

Re: OPTIONS Request returning 401

trademak — Tue, 24 Feb 2015 20:16:38 GMT

Hi Ben,

Thanks for the link. Are you able to invoke a CORS GET request on for example the GET process definitions REST service?
Do you see the Tomcat CORS filter headers being added to the response?

Best regards,

Re: OPTIONS Request returning 401

b_schnarr — Tue, 24 Feb 2015 20:24:33 GMT

Hi Tijs,

I am not able to invoke a GET request because the OPTIONS-Request sent before already fails with 401. The CORS headers are not attached. Therefore, I wrote my own CORS-Filter which adds the needed Allow-Origin-Header and other CORS headers, but I still get a 401 during the OPTIONS request. I think this issue is also important for the guys programming the AngularJS Frontend.
To summarize: CORS worked with the configured Tomcat CORS Filter in 5.16. That is why I know that my CORS configuration works in general. But no idea why the OPTIONS-Request fails with Spring Security.

Do you have an idea?

Re: OPTIONS Request returning 401

jhahn — Tue, 24 Feb 2015 20:38:11 GMT

Think this might be what we're looking for. Will try it out in few hours
http://stackoverflow.com/questions/21696592/disable-spring-security-for-options-http-method

@Override
protected void configure(HttpSecurity http) throws Exception
{
     http
    .csrf().disable()
    .authorizeRequests()
      .antMatchers(HttpMethod.OPTIONS,"/path/to/allow").permitAll()//allow CORS option calls
      .antMatchers("/resources/**").permitAll()
      .anyRequest().authenticated()
    .and()
    .formLogin()
    .and()
    .httpBasic();
}

Re: OPTIONS Request returning 401

jhahn — Wed, 25 Feb 2015 07:01:21 GMT

So adding the

.antMatchers(HttpMethod.OPTIONS,"/path/to/allow").permitAll()//allow CORS option calls

line did solve the 401 response. I'm still have trouble with CORS though, it still somehow thinks it's invalid…

I added the following but it's still not working.. argh…

public class CorsFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {

     response.setHeader("Access-Control-Allow-Origin", "*");
        if (request.getHeader("Access-Control-Request-Method") != null
                && "OPTIONS".equals(request.getMethod())) {
            // CORS "pre-flight" request
            response.setHeader("Access-Control-Allow-Credentials",
              "true");
            response.setHeader("Access-Control-Allow-Methods",
                    "GET, POST, PUT, DELETE");
            response.setHeader("Access-Control-Allow-Headers",
                    "X-Requested-With,Origin,Content-Type, Accept, Authorization");
   response.setHeader("Access-Control-Max-Age",
     "100");
        }

        filterChain.doFilter(request, response);
    }

}

Re: OPTIONS Request returning 401

b_schnarr — Wed, 25 Feb 2015 08:07:32 GMT

jhahn, for me, adding <code>.antMatchers(HttpMethod.OPTIONS,"/path/to/allow").permitAll()</code> still leads to a 404 in the Options-Request for me. Which /path/to/allow did you use?
How did you configure your own CORS-Filter so that it gets triggered before all other filters in the chain?

Re: OPTIONS Request returning 401

jhahn — Wed, 25 Feb 2015 18:31:21 GMT

I added

.antMatchers(HttpMethod.OPTIONS,"**").permitAll()

to be exact. ** will let any path be permitted.

I created a CorsFilter class and then updated my SecurityConfiguration class to be (look at 2nd class)

      http
.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class)
     .authenticationProvider(authenticationProvider())
     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
     .csrf().disable()
     .authorizeRequests()
       .antMatchers(HttpMethod.OPTIONS, "**").permitAll()//allow CORS option calls
       .anyRequest().authenticated()
       .and()
     .httpBasic();

Re: OPTIONS Request returning 401

b_schnarr — Wed, 25 Feb 2015 18:59:08 GMT

Thanks. I will try this tomorrow. You wrote that it is still not working. What error do you get?

Re: OPTIONS Request returning 401

jhahn — Wed, 25 Feb 2015 19:03:45 GMT

Hi,

The OPTION request would get a 200 but the browser would not make a subsequent request.
But I tested on a different server last night with the same configuration and it worked so it might just be a different issue for me.

Re: OPTIONS Request returning 401

jhahn — Wed, 25 Feb 2015 21:06:38 GMT

Yeah, confirmed that it's working now. Yay

Re: OPTIONS Request returning 401

b_schnarr — Wed, 25 Feb 2015 21:58:37 GMT

I can confirm that your solution is working. Thanks a lot for this hint!

Re: OPTIONS Request returning 401

hernangarcia — Mon, 06 Jun 2016 22:32:11 GMT

Hello guys, I am having a problem that might be related to this. I am not getting a 401 error but a 200 response for the OPTIONS request but it seems spring is not letting the actual GET request pass through.

This is my scenario:

I am exposing an API running in tomcat over ssl in sub.domain.com. The API was developed using spring.

I am hitting the API from a client app in domain.com.

I have enabled CORS in tomcat with the following filter:

<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
</init-param>
<init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
</init-param>
<init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>ip,sessiontoken,Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Last-Modified,Authorization</param-v$
</init-param>
<init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
<init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
</init-param>
<init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>60</param-value>
</init-param></filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

—-

In cors.allowed.headers you can see ip and sessiontoken. These are the custom headers I am using.

In the client side, this is the call I am using:

$.ajax({
            type: "GET",
            dataType: "json",
            url: server + apiEnpoint,
            async: false,
            headers: {
                "sessionToken": "XXXXXXXXXXXXXX"
            },

——

This is the second request to the API. The first one which is a login request (username, password) gets through without problem. Then I call an authenticated method to retrieve user data (the previous JS).

As you can see in the image below, the server response to the preflight request is 200. But the required headers to continue with the actual request are not sent over.

http://i.stack.imgur.com/kAVDz.png

in tomcat when priting the headers sent with that request:

ERROR: org.springframework.security.authentication.AuthenticationManager - org.apache.tomcat.util.http.ValuesEnumerator@65beb190
ERROR: org.springframework.security.authentication.AuthenticationManager - host:sub.domain.com
ERROR: org.springframework.security.authentication.AuthenticationManager - user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0
ERROR: org.springframework.security.authentication.AuthenticationManager - accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
ERROR: org.springframework.security.authentication.AuthenticationManager - accept-language:en-US,en;q=0.5
ERROR: org.springframework.security.authentication.AuthenticationManager - accept-encoding:gzip, deflate, br
ERROR: org.springframework.security.authentication.AuthenticationManager - access-control-request-method:GET
ERROR: org.springframework.security.authentication.AuthenticationManager - access-control-request-headers:sessiontoken
ERROR: org.springframework.security.authentication.AuthenticationManager - origin:https://citywallet.net
ERROR: org.springframework.security.authentication.AuthenticationManager - connection:keep-alive
DEBUG: org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1de0bff9, returned: -1
DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)

I have follow docs here: http://docs.spring.io/autorepo/docs/spring/4.2.x/spring-framework-reference/html/cors.html and XMLHttpRequest cors https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

But still not success.

Can you guide me in the right direction? Thanks a lot!!!

Re: OPTIONS Request returning 401

hernangarcia — Tue, 07 Jun 2016 01:31:36 GMT

Hello Jhahn, I am experiencing this very same issue. Can you please see my explanation in the link below and let me know how you fixed it?

https://forums.activiti.org/content/options-request-returning-401#comment-35417

Thanks a lot!!!