Support CORS-preflight request in NegotiateSecurityFilter #627
Comments
pedroneil
changed the title
NegotiateSecurityFilter unable to exclude Methods for OPTIONS requests
OPTIONS Requests for NegotiateSecurityFilter are return 401 WWW-Authentication for CORS OPTIONS
Jun 15, 2018
pedroneil
changed the title
OPTIONS Requests for NegotiateSecurityFilter are return 401 WWW-Authentication for CORS OPTIONS
Support CORS-preflight request in NegotiateSecurityFilter
Jun 19, 2018
hazendaz
pushed a commit
that referenced
this issue
Jun 30, 2018
* Add a CorsPreflightAwareNegotiateSecurityFilter that extends the NegotiateSecurityFilter
* Update CorsPreFlightAwareNegotiateSecurityFilter.java
* move preflight check to CorsPreFlightHelper to support Testing
* create cors aware filter removing the need for the excludeCorsPreFlight and excludeBearerAuthorization configuration parameters
* create cors aware filter removing the need for the excludeCorsPreFlight and excludeBearerAuthorization configuration parameters
* Add the missing Tests for CORS Aware Security Filter
* Add the missing Tests for CORS Aware Security Filter
* Add a test for each header missing
* JDK1.8 u127 build
* JDK1.8 u127 build
* add some logs for NegotiateSecurityFilter
* changed init-param name to be consistent with code excludeBearerAuthorization
* changed init-param name to be consistent with code excludeBearerAuthorization
* rename tests and document 2 new parameters for NegotiateSecurityFilter
* Completed documenting parameters excludeCorsPreflight and excludeBearerAuthorization
* Use init-param for excludeCorsPreflight before checking for preflight headers
* Correct log statements in the waffle.util.CorsPreflightCheck
* updated CHANGELOG for PR 631 and added link to issue #627
* updated CHANGELOG for PR 631 and added link to issue #627
* added FAQ for using Tomcat SingleSignOnValve and NegotiateSecurityFilter
* added FAQ for using Tomcat SingleSignOnValve and NegotiateSecurityFilter
* added a link under troubleshooting stories
* added net affect summary
* use mockito-core.version properties @ version 2.19.0
@pedroneil If we are all good here, can you close this issue?
Issue closed as this will be addressed in the release of Waffle 1.9.1
The Fetch API defines Cross-Origin Resource Sharing (CORS) and how a resource server can be tested for CORS support.
Section 3.2.2 of the CORS specification highlights the CORS-preflight, which is a simple request and not a request for protected data. It would be great if NegotiateSecurityFilter could support a CORS-preflight request, which does not include any credentials. https://fetch.spec.whatwg.org/#methods
... extract for ease:
3.2.2. HTTP requests
A CORS-preflight request is a CORS request that checks to see if the CORS protocol is understood. It uses OPTIONS as method and includes these headers:
Access-Control-Request-Method: Indicates which method a future CORS request to the same resource might use.
Access-Control-Request-Headers: Indicates which headers a future CORS request to the same resource might use.
It is possible to leave OPTIONS uncovered by the container security constraint by using http-method-omission; however, this is more coarse-grained, and it would be good to test for all three markers to check that the OPTIONS request is in fact a CORS-preflight, because WebDAV uses OPTIONS differently from CORS.
A suggestion, at least for NegotiateSecurityFilter, would be to include a supportCORSpreflightRequest.
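As an added illustration of the check described in this issue (it is not Waffle's own CorsPreflightCheck nor the filter merged in PR 631), here is a subclass of NegotiateSecurityFilter that passes a genuine CORS-preflight down the filter chain and sends everything else, WebDAV-style OPTIONS included, through the normal Negotiate handling. It assumes the javax.servlet API used by Waffle 1.9 and, beyond the three markers named above, also requires the Origin header that every CORS request carries.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import waffle.servlet.NegotiateSecurityFilter;

/**
 * Example filter (hypothetical, not part of Waffle): a CORS-preflight carries no
 * credentials and asks for no protected data, so answering it with 401 only breaks
 * the browser's probe. The actual cross-origin request that follows still goes
 * through NegotiateSecurityFilter and must authenticate as usual.
 */
public class CorsPreflightAwareFilter extends NegotiateSecurityFilter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest
                && isCorsPreflight((HttpServletRequest) request)) {
            // Genuine preflight: let the CORS filter further down the chain answer it.
            chain.doFilter(request, response);
            return;
        }
        // Everything else, including a bare WebDAV OPTIONS, is challenged normally.
        super.doFilter(request, response, chain);
    }

    /** True only when every marker of a Fetch-spec CORS-preflight is present. */
    static boolean isCorsPreflight(HttpServletRequest req) {
        return "OPTIONS".equalsIgnoreCase(req.getMethod())
                && hasHeader(req, "Origin")
                && hasHeader(req, "Access-Control-Request-Method")
                && hasHeader(req, "Access-Control-Request-Headers");
    }

    private static boolean hasHeader(HttpServletRequest req, String name) {
        String value = req.getHeader(name);
        return value != null && !value.trim().isEmpty();
    }
}
```

The bypass only skips the challenge for the preflight itself; whichever CORS filter answers it should still restrict the allowed origins rather than echoing any Origin back.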