Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

OPTIONS Request returning 401

jhahn
Champ in-the-making
Champ in-the-making

‎02-24-2015 03:24 AM

Hi

I'm using 5.17.0 and after we upgraded from 5.15.1, we are seeing issues with CORS.
Basically our front-end hits activiti-rest via javascript (temporary, we will have our own service later) which means we need to have CORS set up.

However, I think the OPTIONS pre-flight request browsers make is getting a 401 because those pre-flight requests don't send in the authorization header.

My question is,

1. How do I disable that check on OPTIONS?

or

2. How do I disable Authorization check all together?. Our services are internal only and behind strict firewall so we don't have to worry about external security issues.


Labels:
0 Kudos
16 REPLIES 16

jhahn
Champ in-the-making
Champ in-the-making

‎02-25-2015 01:31 PM

I added

.antMatchers(HttpMethod.OPTIONS,"**").permitAll()

to be exact. ** will let any path be permitted.

I created a CorsFilter class and then updated my SecurityConfiguration class to be (look at 2nd class)

      http
  .addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class)
     .authenticationProvider(authenticationProvider())
     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
     .csrf().disable()
     .authorizeRequests()
       .antMatchers(HttpMethod.OPTIONS, "**").permitAll()//allow CORS option calls
       .anyRequest().authenticated()
       .and()
     .httpBasic();



0 Kudos

b_schnarr
Champ in-the-making
Champ in-the-making

‎02-25-2015 01:59 PM

Thanks. I will try this tomorrow. You wrote that it is still not working. What error do you get?
0 Kudos

jhahn
Champ in-the-making
Champ in-the-making

‎02-25-2015 02:03 PM

Hi,

The OPTION request would get a 200 but the browser would not make a subsequent request.
But I tested on a different server last night with the same configuration and it worked so it might just be a different issue for me.
0 Kudos

hernangarcia
Champ in-the-making
Champ in-the-making
In response to jhahn

‎06-06-2016 09:31 PM

Hello Jhahn, I am experiencing this very same issue. Can you please see my explanation in the link below and let me know how you fixed it?

https://forums.activiti.org/content/options-request-returning-401#comment-35417

Thanks a lot!!!
0 Kudos

jhahn
Champ in-the-making
Champ in-the-making

‎02-25-2015 04:06 PM

Yeah, confirmed that it's working now. Yay
0 Kudos

b_schnarr
Champ in-the-making
Champ in-the-making

‎02-25-2015 04:58 PM

I can confirm that your solution is working. Thanks a lot for this hint!
0 Kudos

hernangarcia
Champ in-the-making
Champ in-the-making

‎06-06-2016 06:32 PM

Hello guys, I am having a problem that might be related to this. I am not getting a 401 error but a 200 response for the OPTIONS request but it seems spring is not letting the actual GET request pass through.

This is my scenario:

I am exposing an API running in tomcat over ssl in sub.domain.com. The API was developed using spring.

I am hitting the API from a client app in domain.com.

I have enabled CORS in tomcat with the following filter:

<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
</init-param>
<init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
</init-param>
<init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>ip,sessiontoken,Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Last-Modified,Authorization</param-v$
</init-param>
<init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
<init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
</init-param>
<init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>60</param-value>
</init-param></filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

—-

In cors.allowed.headers you can see ip and sessiontoken. These are the custom headers I am using.

In the client side, this is the call I am using:

$.ajax({
            type: "GET",
            dataType: "json",
            url: server + apiEnpoint,
            async: false,
            headers: {
                "sessionToken": "XXXXXXXXXXXXXX"
            },

——

This is the second request to the API. The first one which is a login request (username, password) gets through without problem. Then I call an authenticated method to retrieve user data (the previous JS).

As you can see in the image below, the server response to the preflight request is 200. But the required headers to continue with the actual request are not sent over.

http://i.stack.imgur.com/kAVDz.png

in tomcat when priting the headers sent with that request:

ERROR: org.springframework.security.authentication.AuthenticationManager - org.apache.tomcat.util.http.ValuesEnumerator@65beb190
ERROR: org.springframework.security.authentication.AuthenticationManager - host:sub.domain.com
ERROR: org.springframework.security.authentication.AuthenticationManager - user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0
ERROR: org.springframework.security.authentication.AuthenticationManager - accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
ERROR: org.springframework.security.authentication.AuthenticationManager - accept-language:en-US,en;q=0.5
ERROR: org.springframework.security.authentication.AuthenticationManager - accept-encoding:gzip, deflate, br
ERROR: org.springframework.security.authentication.AuthenticationManager - access-control-request-method:GET
ERROR: org.springframework.security.authentication.AuthenticationManager - access-control-request-headers:sessiontoken
ERROR: org.springframework.security.authentication.AuthenticationManager - origin:https://citywallet.net
ERROR: org.springframework.security.authentication.AuthenticationManager - connection:keep-alive
DEBUG: org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@1de0bff9, returned: -1
DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)

I have follow docs here: http://docs.spring.io/autorepo/docs/spring/4.2.x/spring-framework-reference/html/cors.html and XMLHttpRequest cors https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

But still not success.

Can you guide me in the right direction? Thanks a lot!!!
0 Kudos
Getting started

Tags

Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.

Copyright © 2024 Khoros, LLC