Thanks Massimo, 

Well, with CORS it depends. I used these to get CORS working with IE11 
and Chrome (latest):

    response.headers['Access-Control-Allow-Origin'] 
    response.headers['Access-Control-Allow-Methods'] 
    response.headers['Access-Control-Allow-Headers'] 

Maybe something more dynamic like:

    auth.cas_allowed_headers_on_redirect = ['Acces-Co...',...]

though it would require more tuning and more work and less out of the box 
functionality. 

From what I have seen, it needs these headers on every contact with the 
requesting browser; since the entire process is done using ajax, that means 
all redirects would probably apply. And if not, you'll probably want to 
set up a structure to allow CORS on those redirects anyway. 
If you really need to know which redirects are used in my situation (I 
don't use the form-based authentication, obviously, so that might save me a 
few redirects), I can debug the lot and see what I can come up with. 

With kind regards. 

On Wednesday, 13 August 2014 07:29:43 UTC+2, Massimo Di Pierro wrote:
>
> Looking into this but I need your help. We cannot preserve all the headers 
> because some of them may contain sensitive information that should not be 
> sent cross domain (for example session cookies). So the question is, which 
> headers should be preserved by which redirects:
>
> There are two redirects in gluon/contrib/login_methods/cas_auth.py
>
> There are two redirects in gluon/tools.py in Auth allow_access.
>
> Do you know which ones need the headers? Which headers?
>
> On Tuesday, 12 August 2014 03:05:27 UTC-5, Remco Boerma wrote:
>>
>> Thanks Massimo, 
>>
>> Concerning https://code.google.com/p/web2py/issues/detail?id=1961&can=1 
>>
>> The CAS structure uses redirect() internally. Can you update the call in the 
>> CAS code to send the request.headers? That's why I proposed a change on all 
>> redirect calls. This allows the CAS to be CORS compliant if the user 
>> provides the proper headers on the controller level.
>>
>> With kind regards. 
>>
>> Remco
>>
>>
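
The header filtering discussed in this thread, as an added example that is not part of the original messages and is not web2py code: an allowlist carries only the three CORS headers named above onto a redirect and drops everything else, session cookies included. The function names, the 303 status and the sample values are assumptions made for illustration.

```python
# Added example: hypothetical helper, not web2py code.
# Only the three CORS headers named in the thread are carried onto a redirect;
# everything else (session cookies included) is dropped.
CORS_REDIRECT_ALLOWLIST = (
    'Access-Control-Allow-Origin',
    'Access-Control-Allow-Methods',
    'Access-Control-Allow-Headers',
)

# Constructed sample of headers a controller might have set before the redirect.
SAMPLE_RESPONSE_HEADERS = {
    'access-control-allow-origin': 'https://app.example.com',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Set-Cookie': 'session_id_app=constructed-value; HttpOnly',
    'X-Internal-Debug': 'constructed',
}


def _reject_line_breaks(label, value):
    # A CR or LF inside a header value would let it inject extra headers.
    if '\r' in value or '\n' in value:
        raise ValueError('line break in %s' % label)
    return value


def headers_for_redirect(response_headers, allowlist=CORS_REDIRECT_ALLOWLIST):
    """Return the allowlisted headers, matched case-insensitively."""
    canonical = {name.lower(): name for name in allowlist}
    kept = {}
    for name, value in response_headers.items():
        key = name.lower()
        if key not in canonical:
            continue  # not allowlisted: never copied to the redirect
        kept[canonical[key]] = _reject_line_breaks(name, str(value))
    return kept


def build_redirect(location, response_headers, status=303):
    """Assemble (status, headers) for a redirect carrying only safe headers."""
    headers = headers_for_redirect(response_headers)
    headers['Location'] = _reject_line_breaks('Location', location)
    return status, headers


if __name__ == '__main__':
    print(build_redirect('https://cas.example.com/login', SAMPLE_RESPONSE_HEADERS))
```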

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.