Eclipse Community Forums: Eclipse SmartHome » ESH + Authorisation + OPTIONS method

Home » Archived » Eclipse SmartHome » ESH + Authorisation + OPTIONS method(ESH is trying to authorise requests with HTTP OPTIONS method)

Show: Today's Messages :: Show Polls :: Message Navigator

ESH + Authorisation + OPTIONS method [message #1794760]

Thu, 06 September 2018 07:48

Bartosz Kowalczyk

Messages: 4
Registered: June 2018

Junior Member

Hello Dear ESH Community,

I am trying to run ESH along with authorisation mechanisms. I've launched required bundles such as:

org.eclipse.smarthome.io.rest.auth (0.10.0.qualifier) +
my modification of the JWT authorisation bundle.

My implementation works until a browser sends a request with HTTP OPTIONS method.

ESH should respond with acceptable methods without invoking authorisation mechanisms.

Instead, the authorisation mechanisms are invoked. Since this request is missing the Authorisation header, I am getting the following CORS error as a response:

Access to XMLHttpRequest (...) has been blocked by CORS policy: Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response.

Note that my ESH instance is configured to enable CORS in smarthome.cfg file.

# Uncomment to enable rest api CORS requests
org.eclipse.smarthome.cors:enable=true

Is there any bundle to overcome this problem or should I implement my own CORS handler to catch the OPTIONS HTTP preflights?

If so, where is the right spot to implement it and plug to the rest of the ESH?

Any advices, classes, interfaces names or code snippets are much appreciated.

Report message to a moderator

Re: ESH + Authorisation + OPTIONS method [message #1794765 is a reply to message #1794760]

Thu, 06 September 2018 08:32

Kai Kreuzer

Messages: 673
Registered: December 2011

Senior Member

Hi Bartosz,

Note sure if you are aware that Lukasz is currently completely refactoring the authorisation support in ESH with https://github.com/eclipse/smarthome/pull/6034. I think the issue of OPTIONS requests being handled correctly should best be addressed within that PR - so feel free to test it and comment on it!

Regards,
Kai

Report message to a moderator

Re: ESH + Authorisation + OPTIONS method [message #1794773 is a reply to message #1794765]

Thu, 06 September 2018 10:35

Bartosz Kowalczyk

Messages: 4
Registered: June 2018

Junior Member

I wasn't aware of this ongoing refactoring actions. Can you please provide me with the link to the issue ticket for that implementation? The link you provided does not work for me.

Report message to a moderator

Re: ESH + Authorisation + OPTIONS method [message #1794774 is a reply to message #1794773]

Thu, 06 September 2018 10:45

Kai Kreuzer

Messages: 673
Registered: December 2011

Senior Member

Remove the "." at the end of the link (this forum accidentially adds that).

Report message to a moderator

Re: ESH + Authorisation + OPTIONS method [message #1797176 is a reply to message #1794774]

Fri, 26 October 2018 22:25

Lukasz Dywicki

Messages: 34
Registered: July 2009

Member

Hey, just found the topic and indeed - OPTIONS request will be broken. This is because handleSecurity method does not take into consideration actual HTTP verb. `AuthenticationHandler` have a space for customization via `isSecure` method but it is currently fairly simple and returns just "true" in pretty much all cases.

We can think it through and improve, however in case of REST we have chicken-egg problem. Servlet security provided by OSGi framework which get hit first is in conflict with CORS and other eventual security filters added via REST apis.

@Bartosz - feel free to enter issue on github, that's definitely a bug.

Kind regards,
Lukasz

Report message to a moderator