Authorization header in Angular 2 using service JAX-RS

1
votes

I am making um application using angular 5 as front-end and java with jersey as back-end. I have problem with the authentication when I try to consume from my front-end angular. This is code of client app angular:

const headers = {
  'Content-Type': 'application/json',
  'Authorization': this.auth.token
};

return this.http.get(this.url, { headers: headers, withCredentials: true })
  .toPromise()
  .then(this.extractData)
  .catch(this.handleErrorPromise);

But looking for request generated I am not find the header 'authorization' in my server. There I receive just:

host:100.0.66.160:8092
connection:keep-alive
pragma:no-cache
cache-control:no-cache
access-control-request-method:GET
origin:http://localhost:4200
user-agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
access-control-request-headers:authorization,content-type
accept:*/*
accept-encoding:gzip, deflate
accept-language:pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7

Then I don't find the "authorization" for validation, someone can say me what is wrong there?

Follow validation code in server-side:

String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
    Autenticador autenticacao = new Autenticador();
    String token;

    extrairHeader(requestContext);

    if (authorizationHeader != null && authorizationHeader.contains("Bearer ")) {
        token = authorizationHeader.substring("Bearer ".length()).trim();
        Key key = new KeyGenerator().generateKey();

        return autenticacao.tokenValido(token, key);
    } else {
        return false;
    }
2
javaangularauthenticationoauthjax-rs

2 Answers

1
votes

This is not the actual request, it's the CORS Preflight. You can tell because of the following headers included in the request:

  • origin
  • access-control-request-method
  • access-control-request-headers

These headers are asking the server if the request is allowed. The server is supposed to respond with response headers accordingly to tell the browser that the request is allowed. If the preflight is OK, then the real request is made.

For full explanation and how you resolve this with a JAX-RS filter, have a look at this post.

1
votes

I don't if this better solution, but worked like this:

I created a new class in the server-side to validate the request:

@Provider
@Priority(Priorities.HEADER_DECORATOR)
@WebFilter(filterName = "AddHeaderFilter", urlPatterns = {"/*"})
public class CORSFilter implements Filter {

@Override
public void destroy() {
    // TODO Auto-generated method stub
}

@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {

    HttpServletRequest request = (HttpServletRequest) servletRequest;

    HttpServletResponse resp = (HttpServletResponse) servletResponse;
    resp.addHeader("Access-Control-Allow-Origin", "*");
    resp.addHeader("Access-Control-Allow-Methods", "GET,POST");
    resp.addHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");

    // Just ACCEPT and REPLY OK if OPTIONS
    if (request.getMethod().equals("OPTIONS")) {
        resp.setStatus(HttpServletResponse.SC_OK);
        return;
    }
    chain.doFilter(request, servletResponse);
}

@Override
public void init(FilterConfig arg0) throws ServletException {
}

}

That way worked.