Any further thoughts here?
Certainly this is a problem that should be fixed.
Options:
*) you guys fix it. Should I open an issue for it?
*) I fix it on my side only. What is the best approach to do that?
Thanks
Gregor
------ Original Message ------
From: "Gregor Jarisch" <[email protected]>
To: "Greg Wilkins" <[email protected]>; "JETTY user mailing list"
<[email protected]>
Cc: "Joakim Erdfelt" <[email protected]>
Sent: 05/15/2019 11:49:04 AM
Subject: Re[2]: [jetty-users] Basic Authenticator response to OPTIONS
request with 401
>Hi Greg,
>
>well, as a developer, when I want my server to have CORS enabled, I
>want them to be enabled and communicated back to the client on ANY
>request.
>So, I agree, the CORS setting should be one of the first things to happen
>before security is executed.
>
>How can we accomplish this the best?
>
>Thanks
>Gregor
>
>------ Original Message ------
>From: "Greg Wilkins" <[email protected]>
>To: "Gregor Jarisch" <[email protected]>; "JETTY user mailing list"
><[email protected]>
>Cc: "Joakim Erdfelt" <[email protected]>
>Sent: 05/14/2019 4:14:41 PM
>Subject: Re: [jetty-users] Basic Authenticator response to OPTIONS
>request with 401
>
>>According to the spec, if auth fails, the request is not forwarded to
>>any filters or servlets.
>>So if just excluding OPTIONS from auth does not work (I think it's
>>worth trying that), then you (or we) need to move CORS logic to before
>>filters. Either in a handler or perhaps even a request customiser??
>>
>>
>>
>>On Mon, 13 May 2019 at 12:10, Gregor Jarisch <[email protected]>
>>wrote:
>>>Hi,
>>>
>>>I am not sure if that will solve my problem entirely. I don't want to
>>>disable authentication for any of the methods (this is what the
>>>config does, if I understood correctly).
>>>What I need is the CrossOriginFilter to be executed all the time, no
>>>matter if authentication has succeeded or not.
>>>Without the CORS header added to the response, the browser blocks the
>>>request altogether and thus does not prompt the user for credentials.
>>>
>>>Is there a way on how I can achieve this?
>>>
>>>Gregor
>>>
>>>------ Original Message ------
>>>From: "Joakim Erdfelt" <[email protected]>
>>>To: "Gregor Jarisch" <[email protected]>
>>>Cc: "JETTY user mailing list" <[email protected]>
>>>Sent: 05/12/2019 5:50:30 PM
>>>Subject: Re: Re[2]: [jetty-users] Basic Authenticator response to
>>>OPTIONS request with 401
>>>
>>>>You'll use the <security-constraint> section in your
>>>>WEB-INF/web.xml, specifically the <web-resource-collection> and one
>>>>of (or a combination of) the two options <http-method> or
>>>><http-method-omission>.
>>>>
>>>>Here's an example from the Jetty webdefault.xml for disabling TRACE,
>>>>but enabling every other HTTP method.
>>>>
>>>> <security-constraint>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>Disable TRACE</web-resource-name>
>>>>     <url-pattern>/</url-pattern>
>>>>     <http-method>TRACE</http-method>
>>>>   </web-resource-collection>
>>>>   <auth-constraint/>
>>>> </security-constraint>
>>>> <security-constraint>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>Enable everything but TRACE</web-resource-name>
>>>>     <url-pattern>/</url-pattern>
>>>>     <http-method-omission>TRACE</http-method-omission>
>>>>   </web-resource-collection>
>>>> </security-constraint>
>>>>
>>>>Joakim Erdfelt / [email protected]
>>>>
>>>>
>>>>On Sat, May 11, 2019 at 5:23 AM Gregor Jarisch <[email protected]>
>>>>wrote:
>>>>>Hi Joakim,
>>>>>
>>>>>yes, I had the same thought, it would be great to avoid running
>>>>>through the Authenticator on OPTIONS, but how?
>>>>>I haven't found an option to do that in jetty.
>>>>>
>>>>>Gregor
>>>>>
>>>>>Gregor Jarisch
>>>>>Head of Research & Development
>>>>>Labs.ai Technology GmbH
>>>>>m: +43 699 1 822 74 47
>>>>>w: www.labs.ai e: [email protected]
>>>>>
>>>>>------ Original Message ------
>>>>>From: "Joakim Erdfelt" <[email protected]>
>>>>>To: "Gregor Jarisch" <[email protected]>; "JETTY user mailing
>>>>>list" <[email protected]>
>>>>>Sent: 05/10/2019 5:25:19 PM
>>>>>Subject: Re: [jetty-users] Basic Authenticator response to OPTIONS
>>>>>request with 401
>>>>>
>>>>>>Perhaps it's best to not have OPTIONS covered by Authentication?
>>>>>>
>>>>>>The problem is that standard Servlet Authentication is early,
>>>>>>super early, before any filter or servlet is called early.
>>>>>>
>>>>>>Joakim Erdfelt / [email protected]
>>>>>>
>>>>>>
>>>>>>On Fri, May 10, 2019 at 10:20 AM Gregor Jarisch
>>>>>><[email protected]> wrote:
>>>>>>>Hi,
>>>>>>>
>>>>>>>when using the CORS Filter + Basic Authentication, Jetty returns
>>>>>>>a 401 when a client makes an OPTIONS call.
>>>>>>>Within the CORS Filter the preflight handling is done correctly,
>>>>>>>however, it never gets there because Jetty returns the 401
>>>>>>>beforehand.
>>>>>>>
>>>>>>>Is there any way to let the CORS Filter handle the request first?
>>>>>>>
>>>>>>>My current workaround is overriding the verify method and excluding
>>>>>>>the setting of 401 if the method is OPTIONS. This workaround doesn't
>>>>>>>feel right though.
>>>>>>>
>>>>>>>Gregor
>>>>>>>_______________________________________________
>>>>>>>jetty-users mailing list
>>>>>>>[email protected]
>>>>>>>To change your delivery options, retrieve your password, or
>>>>>>>unsubscribe from this list, visit
>>>>>>>https://www.eclipse.org/mailman/listinfo/jetty-users
>>
>>
>>--
>>Greg Wilkins <[email protected]> CTO http://webtide.com
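Greg's second option (CORS logic in a handler ahead of the security handler) written out for embedded Jetty 9.4 with the javax servlet API, as an added illustration that is not code from this thread or from Jetty itself; the allowed origin, methods, headers, port and the PreflightHandler name are assumptions:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.servlet.ServletContextHandler;

/** Answers CORS preflight (OPTIONS + Origin + Access-Control-Request-Method) before the
 *  secured context is reached. Preflights carry no credentials by spec, so nothing is
 *  bypassed: the actual request still passes through the context's security handler. */
public class PreflightHandler extends AbstractHandler {
    private static final String ALLOWED_ORIGIN = "https://app.example"; // assumed value
    private static final String ALLOWED_METHODS = "GET,POST,PUT,DELETE";
    private static final String ALLOWED_HEADERS = "Authorization,Content-Type";

    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request,
                       HttpServletResponse response) throws IOException, ServletException {
        String origin = request.getHeader("Origin");
        boolean preflight = "OPTIONS".equals(request.getMethod()) && origin != null
                && request.getHeader("Access-Control-Request-Method") != null;
        if (!preflight) {
            return; // not handled: HandlerList moves on to the next handler (the secured context)
        }
        if (ALLOWED_ORIGIN.equals(origin)) { // fixed allow-list, never echo arbitrary origins
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Vary", "Origin");
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
            response.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
            response.setHeader("Access-Control-Max-Age", "1800");
        }
        // Unknown origin: 204 without CORS headers, so the browser itself refuses the real call.
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
        baseRequest.setHandled(true); // stop here; the preflight never reaches Basic auth
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SECURITY);
        context.setContextPath("/");
        // Configure context.getSecurityHandler() with BasicAuthenticator as before and keep
        // CrossOriginFilter in the context: it still decorates the authenticated responses.
        HandlerList handlers = new HandlerList();
        handlers.addHandler(new PreflightHandler()); // runs first, outside any security handler
        handlers.addHandler(context);
        server.setHandler(handlers);
        server.start(); server.join();
    }
}
```

Because the handler sits outside the context, it answers preflights for every path the server serves, which matches what a context-wide CrossOriginFilter would do once authentication is out of the way.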