Handling http OPTIONS calls #1

Open
sebastientromp opened this issue Feb 24, 2015 · 3 comments

@sebastientromp

Hello,

When dealing with Cross-site requests, a first OPTIONS request is sent to the server before the real request.
Namely, when trying to authenticate through a POST to /api/login, first an OPTIONS request is sent, gets intercepted by the StatelessAuthenticationFilter, which then crashes because the request body is empty (no parameters are passed).

I've tried adding an exception to the config:

    // allow anonymous POSTs to login
    .antMatchers(HttpMethod.POST, "/api/login")
    .permitAll()

    // allow anonymous OPTIONs
    .antMatchers(HttpMethod.OPTIONS, "/**")
    .permitAll()

    // allow anonymous GETs to API

but it doesn't change anything - the filter is still called (I've also tried defining the exception before the POST to /api/login).

Doing a GET directly to /api/login results in the same thing (even when changing the order of the configuration), i.e. the following test causes a Jackson exception in StatelessLoginFilter:

    @Test
    public void testUserApi_Get_Login() {
        final String result = doAnonymousExchange(HttpMethod.GET, "/api/login");
    }

Do you know how I should proceed here?

Thanks!
Sébastien

@stunaz

stunaz commented Mar 23, 2015

Your problem must be fixed on the client side. I have it perfectly working with cross-site requests. I don't know why a request with OPTIONS is made in your case. Have you added a cross-site filter (I added a filter to make it work, check http://spring.io/guides/gs/rest-service-cors/)?

@leordev

leordev commented Jun 27, 2015

Hey all! I had the same trouble.
I could not follow the @stunaz statement to fix on the client side. It's a good practice for CORS requests, and I'm using Angular, see a good answer here: http://stackoverflow.com/questions/24656488/angularjs-how-to-disable-option-request

But I've solved the problem by adding the following line to attemptAuthentication in StatelessLoginFilter:

    if (request.getMethod().equals("OPTIONS")) return null;

I think it's OK because we don't need to authenticate OPTIONS requests. It doesn't retrieve any business data and so on.

If there's a better solution, please let me know.

@sebastientromp
Author

That's actually what I've done too:

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            chain.doFilter(request, res);
            return;
        }
        super.doFilter(req, res, chain);
    }
