Eclipse Community Forums: Eclipse SmartHome » ESH + Authorisation + OPTIONS method

Home » Archived » Eclipse SmartHome » ESH + Authorisation + OPTIONS method(ESH is trying to authorise requests with HTTP OPTIONS method)

ESH + Authorisation + OPTIONS method [message #1794760]

Thu, 06 September 2018 03:48

Eclipse User

Hello Dear ESH Community,

I am trying to run ESH along with authorisation mechanisms. I've launched required bundles such as:

org.eclipse.smarthome.io.rest.auth (0.10.0.qualifier) +
my modification of the JWT authorisation bundle.

My implementation works until a browser sends a request with HTTP OPTIONS method.

ESH should respond with acceptable methods without invoking authorisation mechanisms.

Instead, the authorisation mechanisms are invoked. Since this request is missing the Authorisation header, I am getting the following CORS error as a response:

Access to XMLHttpRequest (...) has been blocked by CORS policy: Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response.

Note that my ESH instance is configured to enable CORS in smarthome.cfg file.

# Uncomment to enable rest api CORS requests
org.eclipse.smarthome.cors:enable=true

Is there any bundle to overcome this problem or should I implement my own CORS handler to catch the OPTIONS HTTP preflights?

If so, where is the right spot to implement it and plug to the rest of the ESH?

Any advices, classes, interfaces names or code snippets are much appreciated.

Re: ESH + Authorisation + OPTIONS method [message #1794765 is a reply to message #1794760]

Thu, 06 September 2018 04:32

Eclipse User

Hi Bartosz,

Note sure if you are aware that Lukasz is currently completely refactoring the authorisation support in ESH with https://github.com/eclipse/smarthome/pull/6034. I think the issue of OPTIONS requests being handled correctly should best be addressed within that PR - so feel free to test it and comment on it!

Regards,
Kai

Re: ESH + Authorisation + OPTIONS method [message #1794773 is a reply to message #1794765]

Thu, 06 September 2018 06:35

Eclipse User

I wasn't aware of this ongoing refactoring actions. Can you please provide me with the link to the issue ticket for that implementation? The link you provided does not work for me.

Re: ESH + Authorisation + OPTIONS method [message #1794774 is a reply to message #1794773]

Thu, 06 September 2018 06:45

Eclipse User

Remove the "." at the end of the link (this forum accidentially adds that).

Re: ESH + Authorisation + OPTIONS method [message #1797176 is a reply to message #1794774]

Fri, 26 October 2018 18:25

Eclipse User

Hey, just found the topic and indeed - OPTIONS request will be broken. This is because handleSecurity method does not take into consideration actual HTTP verb. `AuthenticationHandler` have a space for customization via `isSecure` method but it is currently fairly simple and returns just "true" in pretty much all cases.

We can think it through and improve, however in case of REST we have chicken-egg problem. Servlet security provided by OSGi framework which get hit first is in conflict with CORS and other eventual security filters added via REST apis.

@Bartosz - feel free to enter issue on github, that's definitely a bug.

Kind regards,
Lukasz

Re: ESH + Authorisation + OPTIONS method [message #1798331 is a reply to message #1797176]

Thu, 15 November 2018 07:34

Eclipse User

Hi Bartosz,

Does Authentication works for you now ?

Thanks,
Kiran.

Previous Topic:	OSGi test problem: missing constraints
Next Topic:	Compilation failure

Goto Forum:

-=] Back to Top [=-

Current Time: Wed Apr 23 04:28:52 EDT 2025

.:: Contact :: Home ::.

Breadcrumbs

Sign up to our Newsletter