According to the spec, if auth fails, the request is not forwarded to any filters or servlets. So if just excluding OPTIONS from auth does not work (I think it's worth trying that), then you (or we) need to move CO logic to before filters. Either in a handler or perhaps even a request customiser??

On Mon, 13 May 2019 at 12:10, Gregor Jarisch <[email protected]> wrote:

> Hi,
>
> I am not sure if that will solve my problem entirely. I don't want to
> disable authentication for any of the methods (this is what the config
> does, if I understood correctly).
> What I need is the CrossOriginFilter to be executed all the time, no
> matter if authentication has succeeded or not.
> Without the CORS header added to the response, browser blocks the request
> altogether and thus no prompting the user for credentials.
>
> Is there a way on how I can achieve this?
>
> Gregor
>
> ------ Original Message ------
> From: "Joakim Erdfelt" <[email protected]>
> To: "Gregor Jarisch" <[email protected]>
> Cc: "JETTY user mailing list" <[email protected]>
> Sent: 05/12/2019 5:50:30 PM
> Subject: Re: Re[2]: [jetty-users] Basic Authenticator response to OPTIONS
> request with 401
>
> You'll use the <security-constraint> section in your WEB-INF/web.xml,
> specifically the <web-resource-collection> and one of (or a combination of)
> the two options <http-method> or <http-method-omission>.
>
> Here's an example from the Jetty webdefault.xml for disabling TRACE, but
> enabling every other HTTP method.
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Disable TRACE</web-resource-name>
>     <url-pattern>/</url-pattern>
>     <http-method>TRACE</http-method>
>   </web-resource-collection>
>   <auth-constraint/>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Enable everything but TRACE</web-resource-name>
>     <url-pattern>/</url-pattern>
>     <http-method-omission>TRACE</http-method-omission>
>   </web-resource-collection>
> </security-constraint>
>
> Joakim Erdfelt / [email protected]
>
>
> On Sat, May 11, 2019 at 5:23 AM Gregor Jarisch <[email protected]> wrote:
>
>> Hi Joakim,
>>
>> yes, I had the same thought, it would be great to avoid running through
>> the Authenticator on OPTIONS, but how?
>> I haven't found an option to do that in jetty.
>>
>> Gregor
>>
>> Gregor Jarisch
>> *Head of Research & Development*
>> *Labs.ai Technology GmbH*
>> m: +43 699 1 822 74 47
>> w: www.labs.ai e: [email protected]
>>
>> ------ Original Message ------
>> From: "Joakim Erdfelt" <[email protected]>
>> To: "Gregor Jarisch" <[email protected]>; "JETTY user mailing list" <
>> [email protected]>
>> Sent: 05/10/2019 5:25:19 PM
>> Subject: Re: [jetty-users] Basic Authenticator response to OPTIONS
>> request with 401
>>
>> Perhaps it's best to not have OPTIONS covered by Authentication?
>>
>> The problem is that standard Servlet Authentication is early, super
>> early, before any filter or servlet is called early.
>>
>> Joakim Erdfelt / [email protected]
>>
>>
>> On Fri, May 10, 2019 at 10:20 AM Gregor Jarisch <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> when using the CORS Filter + Basic Authentication, jetty returns a 401
>>> when a client makes an OPTIONS call.
>>> Within the CORS Filter the preflight handling is done correctly,
>>> however, it never gets there because jetty returns the 401 beforehand.
>>>
>>> Is there any way to let the CORS Filter handle the request first?
>>>
>>> My current workaround is overriding the verify method and exclude the
>>> setting of 401 if method is OPTIONS. This workaround feels not right
>>> though..
>>>
>>> Gregor
>>> _______________________________________________
>>> jetty-users mailing list
>>> [email protected]
>>> To change your delivery options, retrieve your password, or unsubscribe
>>> from this list, visit
>>> https://www.eclipse.org/mailman/listinfo/jetty-users

--
Greg Wilkins <[email protected]> CTO http://webtide.com
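
The option discussed in this thread (leaving OPTIONS outside the authentication constraint), written out as a `WEB-INF/web.xml` fragment. This is an added example, not taken from any of the messages or from Jetty's own files; the role name `user`, the realm name `ExampleRealm` and the `/*` URL pattern are assumptions.

```xml
<!-- Added example, not from the thread. Role, realm and URL pattern are assumed. -->

<!-- 1. OPTIONS only: the <auth-constraint> element is omitted entirely, so no
        authentication is required and the request reaches the filter chain,
        including CrossOriginFilter. Note the difference from the TRACE
        example quoted above: an EMPTY <auth-constraint/> denies all access,
        a MISSING one permits it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>CORS preflight</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
</security-constraint>

<!-- 2. Every method except OPTIONS: caller must authenticate and hold the role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected resources</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method-omission>OPTIONS</http-method-omission>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name> <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ExampleRealm</realm-name> <!-- assumed realm name -->
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

Browsers send CORS preflight OPTIONS requests without credentials, so anything in the application that answers OPTIONS under this layout must not return protected data. The layout does not change the behaviour described at the top of this message: a failed authentication on any other method still never reaches the filters.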
