I have a RestEasy based REST API in a JBoss container, authenticated with an auth-constraint. When making any call, an Authorization header is passed with the request. The url-pattern for the constraint is /*.

Now one of the clients of this REST API demands a CORS request. I have developed a web filter that adds the necessary headers for the pre-flight (i.e. OPTIONS) request and for normal requests as well.

This is working just fine; the headers are being added. But as RestEasy is secured with url-pattern /*, it expects the pre-flight request to be authenticated as well.

Now according to https://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#preflight-request, pre-flight requests are to be unauthenticated.

Additionally, I went through https://gist.github.com/tganzarolli/8520728 and created a similar unauthenticated service to handle OPTIONS requests with @Path("/{var:.*}") and @PermitAll annotations, as I would like to handle all OPTIONS requests in one place.

This still doesn't work, as the auth-constraint associated with the RestEasy url-pattern /* kicks in and my unauthenticated service doesn't work; a 401 is still returned.

Is there any better way of doing this? Is it possible to configure a security-constraint for the above unauthenticated service to solve this issue in the given scenario?

1 Answer

After doing further research, I found that it was indeed the auth-constrained RestEasy covering the whole url-pattern /* that was causing this issue. I did an override of the security-constraint for OPTIONS with http-method (ref https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html) with url-pattern /*. This solved the problem. I hope this will be useful to others.
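The configuration the answer describes, as an added web.xml example that is not from the question, the answer or any project: the blanket /* auth-constraint from the question beside a second security-constraint for http-method OPTIONS that carries no auth-constraint. The filter class, role name and realm name are placeholders.

```xml
<!-- web.xml fragment (constructed example): the blanket constraint from the question
     plus the OPTIONS override from the answer. Class, role and realm names are placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <!-- CORS filter: runs before the resource for every request, including OPTIONS. -->
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>com.example.CorsFilter</filter-class> <!-- placeholder class -->
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Original constraint: every method on every path requires a user in the
       placeholder role "api-user". With only this constraint, the browser's
       credential-less preflight is answered with 401. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST API</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>api-user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Override for OPTIONS only: no auth-constraint here, so under the Servlet
       constraint-combining rules OPTIONS on /* becomes unauthenticated while every
       other method keeps the requirement above. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CORS preflight</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>rest-api</realm-name> <!-- placeholder realm -->
  </login-config>

  <security-role>
    <role-name>api-user</role-name>
  </security-role>
</web-app>
```

Because OPTIONS now reaches the application without credentials, the filter should finish the preflight itself (a 200 or 204 with the CORS headers) instead of passing it on to the resource, and Access-Control-Allow-Origin should come from an explicit allow-list rather than echoing the request's Origin.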