Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Archived » Eclipse SmartHome » ESH + Authorisation + OPTIONS method(ESH is trying to authorise requests with HTTP OPTIONS method)
ESH + Authorisation + OPTIONS method [message #1794760] Thu, 06 September 2018 07:48 Go to next message
Bartosz Kowalczyk is currently offline Bartosz KowalczykFriend
Messages: 4
Registered: June 2018
Junior Member
Hello Dear ESH Community,

I am trying to run ESH along with authorisation mechanisms. I've launched required bundles such as:

org.eclipse.smarthome.io.rest.auth (0.10.0.qualifier) +
my modification of the JWT authorisation bundle.


My implementation works until a browser sends a request with HTTP OPTIONS method.

ESH should respond with acceptable methods without invoking authorisation mechanisms.

Instead, the authorisation mechanisms are invoked. Since this request is missing the Authorisation header, I am getting the following CORS error as a response:
Access to XMLHttpRequest (...) has been blocked by CORS policy: Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response.


Note that my ESH instance is configured to enable CORS in smarthome.cfg file.
# Uncomment to enable rest api CORS requests
org.eclipse.smarthome.cors:enable=true


Is there any bundle to overcome this problem or should I implement my own CORS handler to catch the OPTIONS HTTP preflights?

If so, where is the right spot to implement it and plug to the rest of the ESH?

Any advices, classes, interfaces names or code snippets are much appreciated.
Re: ESH + Authorisation + OPTIONS method [message #1794765 is a reply to message #1794760] Thu, 06 September 2018 08:32 Go to previous messageGo to next message
Kai Kreuzer is currently offline Kai KreuzerFriend
Messages: 673
Registered: December 2011
Senior Member
Hi Bartosz,

Note sure if you are aware that Lukasz is currently completely refactoring the authorisation support in ESH with https://github.com/eclipse/smarthome/pull/6034. I think the issue of OPTIONS requests being handled correctly should best be addressed within that PR - so feel free to test it and comment on it!

Regards,
Kai
Re: ESH + Authorisation + OPTIONS method [message #1794773 is a reply to message #1794765] Thu, 06 September 2018 10:35 Go to previous messageGo to next message
Bartosz Kowalczyk is currently offline Bartosz KowalczykFriend
Messages: 4
Registered: June 2018
Junior Member
I wasn't aware of this ongoing refactoring actions. Can you please provide me with the link to the issue ticket for that implementation? The link you provided does not work for me.
Re: ESH + Authorisation + OPTIONS method [message #1794774 is a reply to message #1794773] Thu, 06 September 2018 10:45 Go to previous messageGo to next message
Kai Kreuzer is currently offline Kai KreuzerFriend
Messages: 673
Registered: December 2011
Senior Member
Remove the "." at the end of the link (this forum accidentially adds that).
Re: ESH + Authorisation + OPTIONS method [message #1797176 is a reply to message #1794774] Fri, 26 October 2018 22:25 Go to previous messageGo to next message
Lukasz Dywicki is currently offline Lukasz DywickiFriend
Messages: 34
Registered: July 2009
Member
Hey, just found the topic and indeed - OPTIONS request will be broken. This is because handleSecurity method does not take into consideration actual HTTP verb. `AuthenticationHandler` have a space for customization via `isSecure` method but it is currently fairly simple and returns just "true" in pretty much all cases.

We can think it through and improve, however in case of REST we have chicken-egg problem. Servlet security provided by OSGi framework which get hit first is in conflict with CORS and other eventual security filters added via REST apis.

@Bartosz - feel free to enter issue on github, that's definitely a bug.

Kind regards,
Lukasz
Re: ESH + Authorisation + OPTIONS method [message #1798331 is a reply to message #1797176] Thu, 15 November 2018 12:34 Go to previous message
Kiran Patil is currently offline Kiran PatilFriend
Messages: 27
Registered: October 2015
Junior Member
Hi Bartosz,

Does Authentication works for you now ?

Thanks,
Kiran.
Previous Topic:OSGi test problem: missing constraints
Next Topic:Compilation failure
Goto Forum:
  


Current Time: Fri Dec 06 08:14:25 GMT 2024

Powered by FUDForum. Page generated in 0.03233 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top