Hi Greg,

well, as a developer, when I want my server to have CORS enabled, I want 
them to be enabled and communicated back to the client on ANY request.
So, I agree, the CORS setting should be one of the first things to happen 
before security is executed.

How can we best accomplish this?

Thanks
Gregor

------ Original Message ------
From: "Greg Wilkins" <[email protected]>
To: "Gregor Jarisch" <[email protected]>; "JETTY user mailing list" 
<[email protected]>
Cc: "Joakim Erdfelt" <[email protected]>
Sent: 05/14/2019 4:14:41 PM
Subject: Re: [jetty-users] Basic Authenticator response to OPTIONS 
request with 401

>According to the spec, if auth fails, the request is not forwarded to 
>any filters or servlets.
>So if just excluding OPTIONS from auth does not work (I think it's 
>worth trying that), then you (or we) need to move CO logic to before 
>filters. Either in a handler or perhaps even a request customiser??
>
>
>
>On Mon, 13 May 2019 at 12:10, Gregor Jarisch <[email protected]> 
>wrote:
>>Hi,
>>
>>I am not sure if that will solve my problem entirely. I don't want to 
>>disable authentication for any of the methods (this is what the config 
>>does, if I understood correctly).
>>What I need is the CrossOriginFilter to be executed all the time, no 
>>matter if authentication has succeeded or not.
>>Without the CORS header added to the response, the browser blocks the 
>>request altogether and thus does not prompt the user for credentials.
>>
>>Is there a way I can achieve this?
>>
>>Gregor
>>
>>------ Original Message ------
>>From: "Joakim Erdfelt" <[email protected]>
>>To: "Gregor Jarisch" <[email protected]>
>>Cc: "JETTY user mailing list" <[email protected]>
>>Sent: 05/12/2019 5:50:30 PM
>>Subject: Re: Re[2]: [jetty-users] Basic Authenticator response to 
>>OPTIONS request with 401
>>
>>>You'll use the <security-constraint> section in your WEB-INF/web.xml, 
>>>specifically the <web-resource-collection> and one of (or a 
>>>combination of) the two options <http-method> or 
>>><http-method-omission>.
>>>
>>>Here's an example from the Jetty webdefault.xml for disabling TRACE, 
>>>but enabling every other HTTP method.
>>>
>>>   <security-constraint>
>>>     <web-resource-collection>
>>>       <web-resource-name>Disable TRACE</web-resource-name>
>>>       <url-pattern>/</url-pattern>
>>>       <http-method>TRACE</http-method>
>>>     </web-resource-collection>
>>>     <auth-constraint/>
>>>   </security-constraint>
>>>   <security-constraint>
>>>     <web-resource-collection>
>>>       <web-resource-name>Enable everything but TRACE</web-resource-name>
>>>       <url-pattern>/</url-pattern>
>>>       <http-method-omission>TRACE</http-method-omission>
>>>     </web-resource-collection>
>>>   </security-constraint>
>>>
>>>Joakim Erdfelt / [email protected]
>>>
>>>
>>>On Sat, May 11, 2019 at 5:23 AM Gregor Jarisch <[email protected]> 
>>>wrote:
>>>>Hi Joakim,
>>>>
>>>>yes, I had the same thought, it would be great to avoid running 
>>>>through the Authenticator on OPTIONS, but how?
>>>>I haven't found an option to do that in jetty.
>>>>
>>>>Gregor
>>>>
>>>>Gregor Jarisch
>>>>Head of Research & Development
>>>>Labs.ai Technology GmbH
>>>>m: +43 699 1 822 74 47
>>>>w: www.labs.ai e: [email protected]
>>>>
>>>>------ Original Message ------
>>>>From: "Joakim Erdfelt" <[email protected]>
>>>>To: "Gregor Jarisch" <[email protected]>; "JETTY user mailing list" 
>>>><[email protected]>
>>>>Sent: 05/10/2019 5:25:19 PM
>>>>Subject: Re: [jetty-users] Basic Authenticator response to OPTIONS 
>>>>request with 401
>>>>
>>>>>Perhaps it's best to not have OPTIONS covered by Authentication?
>>>>>
>>>>>The problem is that standard Servlet Authentication is early, super 
>>>>>early, before any filter or servlet is called early.
>>>>>
>>>>>Joakim Erdfelt / [email protected]
>>>>>
>>>>>
>>>>>On Fri, May 10, 2019 at 10:20 AM Gregor Jarisch 
>>>>><[email protected]> wrote:
>>>>>>Hi,
>>>>>>
>>>>>>when using the CORS Filter + Basic Authentication, jetty returns a 
>>>>>>401 when a client makes an OPTIONS call.
>>>>>>Within the CORS Filter the preflight handling is done correctly, 
>>>>>>however, it never gets there because jetty returns the 401 
>>>>>>beforehand.
>>>>>>
>>>>>>Is there any way to let the CORS Filter handle the request first?
>>>>>>
>>>>>>My current workaround is overriding the verify method and excluding 
>>>>>>the setting of 401 if the method is OPTIONS. This workaround does not 
>>>>>>feel right though.
>>>>>>
>>>>>>Gregor
>>>>>>_______________________________________________
>>>>>>jetty-users mailing list
>>>>>>[email protected]
>>>>>>To change your delivery options, retrieve your password, or 
>>>>>>unsubscribe from this list, visit
>>>>>>https://www.eclipse.org/mailman/listinfo/jetty-users
>
>
>--
>Greg Wilkins <[email protected]> CTO http://webtide.com
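
The option raised in the thread of handling CORS in a handler that runs before authentication, shown as an added example for Jetty 9.x; it is not code from any participant or from the Jetty project. The class name `CorsBeforeAuthHandler`, the origin allowlist and the method and header lists are assumptions.

```java
// Added illustration for Jetty 9.x; not code from the thread or the Jetty project.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.HandlerWrapper;

/** Hypothetical wrapper: put it around the context so it runs before the SecurityHandler. */
public class CorsBeforeAuthHandler extends HandlerWrapper {
    // Assumed allowlist; with credentials allowed, never reflect arbitrary origins or use "*".
    private final Set<String> allowedOrigins =
            new HashSet<>(Arrays.asList("https://app.example.com"));

    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request,
                       HttpServletResponse response) throws IOException, ServletException {
        String origin = request.getHeader("Origin");
        response.addHeader("Vary", "Origin"); // caches must key on Origin
        if (origin != null && allowedOrigins.contains(origin)) {
            // Set before delegating, so they are already on the response
            // when the authenticator answers.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");

            boolean preflight = "OPTIONS".equals(request.getMethod())
                    && request.getHeader("Access-Control-Request-Method") != null;
            if (preflight) {
                // Answer here: browsers send preflight requests without credentials.
                response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
                response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
                response.setHeader("Access-Control-Max-Age", "600");
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                baseRequest.setHandled(true);
                return;
            }
        }
        // Plain OPTIONS, unknown origins and all other methods still go through authentication.
        super.handle(target, baseRequest, request, response);
    }
}
```

To wire it in, call `setHandler(context)` on the wrapper and pass the wrapper to `server.setHandler(...)`, so the security handler inside the context is only reached through it.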