Hyland Connect

jhahn · ‎02-24-2015

Hi

I'm using 5.17.0 and after we upgraded from 5.15.1, we are seeing issues with CORS.
Basically our front-end hits activiti-rest via javascript (temporary, we will have our own service later) which means we need to have CORS set up.

However, I think the OPTIONS pre-flight request browsers make is getting a 401 because those pre-flight requests don't send in the authorization header.

My question is,

1. How do I disable that check on OPTIONS?

or

2. How do I disable Authorization check all together?. Our services are internal only and behind strict firewall so we don't have to worry about external security issues.

jhahn · ‎02-24-2015

Actually, probably prefer the option 1… ignore option 2 haha

b_schnarr · ‎02-24-2015

I can confirm this problem. With 5.16-Snapshot (without Spring Security), CORS worked very well with the build in Tomcat CORS-Filter. Since we upgraded to 5.17, the OPTIONS-Request fails with 401 because custom Authorization headers are not included in the request although they are configured as "allowed-headers" and "exposed-headers" in the Tomcat-CORS Filter

Is there any idea how to solve this?

trademak · ‎02-24-2015

CORS can be configured for Spring Security so you would need to change the SecurityConfiguration of the REST web app.

Best regards,

b_schnarr · ‎02-24-2015

I googled a lot and even the official Spring documentation says that a CORS-Filter is enough : https://spring.io/guides/gs/rest-service-cors/

And this filter is provided by the Tomcat. Therefore, which configuration in SpringConfiguration do you mean?

Best regards
Ben

trademak · ‎02-24-2015

Hi Ben,

Thanks for the link. Are you able to invoke a CORS GET request on for example the GET process definitions REST service?
Do you see the Tomcat CORS filter headers being added to the response?

Best regards,

b_schnarr · ‎02-24-2015

Hi Tijs,

I am not able to invoke a GET request because the OPTIONS-Request sent before already fails with 401. The CORS headers are not attached. Therefore, I wrote my own CORS-Filter which adds the needed Allow-Origin-Header and other CORS headers, but I still get a 401 during the OPTIONS request. I think this issue is also important for the guys programming the AngularJS Frontend.
To summarize: CORS worked with the configured Tomcat CORS Filter in 5.16. That is why I know that my CORS configuration works in general. But no idea why the OPTIONS-Request fails with Spring Security.

Do you have an idea?

jhahn · ‎02-24-2015

Think this might be what we're looking for. Will try it out in few hours
http://stackoverflow.com/questions/21696592/disable-spring-security-for-options-http-method

@Override
protected void configure(HttpSecurity http) throws Exception
{
     http
    .csrf().disable()
    .authorizeRequests()
      .antMatchers(HttpMethod.OPTIONS,"/path/to/allow").permitAll()//allow CORS option calls
      .antMatchers("/resources/**").permitAll()
      .anyRequest().authenticated()
    .and()
    .formLogin()
    .and()
    .httpBasic();
}

jhahn · ‎02-25-2015

So adding the

.antMatchers(HttpMethod.OPTIONS,"/path/to/allow").permitAll()//allow CORS option calls

line did solve the 401 response. I'm still have trouble with CORS though, it still somehow thinks it's invalid…

I added the following but it's still not working.. argh…

public class CorsFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {

     response.setHeader("Access-Control-Allow-Origin", "*");
        if (request.getHeader("Access-Control-Request-Method") != null
                && "OPTIONS".equals(request.getMethod())) {
            // CORS "pre-flight" request
            response.setHeader("Access-Control-Allow-Credentials",
              "true");
            response.setHeader("Access-Control-Allow-Methods",
                    "GET, POST, PUT, DELETE");
            response.setHeader("Access-Control-Allow-Headers",
                    "X-Requested-With,Origin,Content-Type, Accept, Authorization");
   response.setHeader("Access-Control-Max-Age",
     "100");
        }

        filterChain.doFilter(request, response);
    }

}

b_schnarr · ‎02-25-2015

jhahn, for me, adding <code>.antMatchers(HttpMethod.OPTIONS,"/path/to/allow").permitAll()</code> still leads to a 404 in the Options-Request for me. Which /path/to/allow did you use?
How did you configure your own CORS-Filter so that it gets triggered before all other filters in the chain?

Hyland Connect

OPTIONS Request returning 401