ESH + Authorisation + OPTIONS method [message #1794760] |
Thu, 06 September 2018 07:48  |
Eclipse User
Hello Dear ESH Community,
I am trying to run ESH along with authorisation mechanisms. I've launched the required bundles, such as:
org.eclipse.smarthome.io.rest.auth (0.10.0.qualifier) +
my modification of the JWT authorisation bundle.
My implementation works until a browser sends a request with HTTP OPTIONS method.
ESH should respond with acceptable methods without invoking authorisation mechanisms.
Instead, the authorisation mechanisms are invoked. Since this request is missing the Authorisation header, I am getting the following CORS error as a response:
Access to XMLHttpRequest (...) has been blocked by CORS policy: Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response.
Note that my ESH instance is configured to enable CORS in the smarthome.cfg file:
# Uncomment to enable rest api CORS requests
org.eclipse.smarthome.cors:enable=true
Is there any bundle to overcome this problem, or should I implement my own CORS handler to catch the OPTIONS HTTP preflights?
If so, where is the right spot to implement it and plug it into the rest of ESH?
Any advice, class or interface names, or code snippets are much appreciated.
Re: ESH + Authorisation + OPTIONS method [message #1797176 is a reply to message #1794774]
Fri, 26 October 2018 22:25
Eclipse User
Hey, just found the topic and indeed - the OPTIONS request will be broken. This is because the handleSecurity method does not take the actual HTTP verb into consideration. `AuthenticationHandler` has room for customization via its `isSecure` method, but it is currently fairly simple and just returns "true" in pretty much all cases.
We can think it through and improve it; however, in the case of REST we have a chicken-and-egg problem. The servlet security provided by the OSGi framework, which gets hit first, is in conflict with CORS and other eventual security filters added via the REST APIs.
@Bartosz - feel free to enter an issue on GitHub, that's definitely a bug.
Kind regards,
Lukasz
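The two posts above describe the same failure from both sides: a browser's CORS preflight is an OPTIONS request that never carries the Authorization header, so a security handler that ignores the HTTP verb rejects it before any CORS response can be produced. The following servlet filter is an added example, not code from ESH or from either poster, showing the shape of a fix that sits in front of the authentication handler: it answers preflights for an allow-listed origin, refuses preflights from unknown origins, and passes every real request (which does carry Authorization) on down the filter chain unchanged. The origin allow-list, the header values and the class name are constructed for the example; it uses only the standard javax.servlet API.

```java
import java.io.IOException;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of ESH) that must be registered ahead of the
 * authentication handler. It answers CORS preflight requests itself and lets
 * every other request continue to the real security filter.
 */
public class CorsPreflightFilter implements Filter {

    // Constructed allow-list for the example; a deployment would read this
    // from configuration rather than hard-code it. Never reflect an arbitrary
    // Origin back when the API is credentialed.
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://ui.example.test");

    private static final String ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS";
    private static final String ALLOWED_HEADERS = "Authorization, Content-Type";

    /**
     * A preflight is an OPTIONS request that names an Origin and the method it
     * is asking permission for. A plain OPTIONS request without those headers
     * is treated like any other request and still goes through authentication.
     */
    static boolean isPreflight(String method, String origin, String requestedMethod) {
        return "OPTIONS".equalsIgnoreCase(method) && origin != null && requestedMethod != null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = request.getHeader("Origin");
        String requestedMethod = request.getHeader("Access-Control-Request-Method");

        if (isPreflight(request.getMethod(), origin, requestedMethod)) {
            if (ALLOWED_ORIGINS.contains(origin)) {
                // The browser sends no Authorization header on a preflight, so it
                // must be answered here and must not reach the auth handler.
                response.setHeader("Access-Control-Allow-Origin", origin);
                response.setHeader("Vary", "Origin");
                response.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
                response.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
                response.setHeader("Access-Control-Max-Age", "600");
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            } else {
                // Unknown origin: no CORS headers, so the browser blocks the call.
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            }
            return; // short-circuit: do not continue to the authentication filter
        }

        // The actual request (GET, POST, ...) carries Authorization and is
        // authenticated downstream as before; only the response header needed
        // for the browser to read the result is added here.
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Vary", "Origin");
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

The important design point, matching the reply above, is the ordering: whatever answers the preflight has to run before `handleSecurity`, because the preflight is by definition unauthenticated. Keeping the origin check strict (an explicit allow-list plus `Vary: Origin`) is what prevents the preflight bypass from becoming a way for any site to call a credentialed API.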