Fix CORS error with expired Access Token

Signed-off-by: Claudio Mezzasalma <claudio.mezzasalma@eurotech.com>
eclipse · Jun 14, 2021 · ceaf360 · ceaf360
1 parent 02610d6
commit ceaf360
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 5 deletions.
diff --git a/...ore/src/main/java/org/eclipse/kapua/app/api/core/auth/KapuaTokenAuthenticationFilter.java b/...ore/src/main/java/org/eclipse/kapua/app/api/core/auth/KapuaTokenAuthenticationFilter.java
@@ -75,7 +75,8 @@ protected AuthenticationToken createToken(ServletRequest request, ServletRespons
     protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
         HttpServletResponse httpResponse = WebUtils.toHttp(response);
         httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-        return false;
+        // Continue with the filter chain, because CORS headers are still needed
+        return true;
     }
 
 }
diff --git a/rest-api/core/src/main/java/org/eclipse/kapua/app/api/core/filter/CORSResponseFilter.java b/rest-api/core/src/main/java/org/eclipse/kapua/app/api/core/filter/CORSResponseFilter.java
@@ -113,21 +113,24 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         // For the actual request it will be available and we will check the CORS according to the scope.
         KapuaId scopeId = KapuaSecurityUtils.getSession() != null ? KapuaSecurityUtils.getSession().getScopeId() : null;
 
+        String msg = null;
         if (checkOrigin(origin, scopeId)) {
             // Origin matches at least one defined Endpoint
             httpResponse.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
             httpResponse.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
             httpResponse.addHeader("Vary", HttpHeaders.ORIGIN);
         } else {
-            String msg = scopeId != null ?
+            msg = scopeId != null ?
                     String.format("HTTP Origin not allowed: %s for scope: %s", origin, scopeId.toCompactId()) :
                     String.format("HTTP Origin not allowed: %s", origin);
-
             logger.error(msg);
-            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, msg);
+        }
+        int errorCode = httpResponse.getStatus();
+        if (errorCode >= 400) {
+            // if there's an error code at this point, return it and stop the chain
+            httpResponse.sendError(errorCode, msg);
             return;
         }
-
         chain.doFilter(request, response);
     }