shiro icon indicating copy to clipboard operation
shiro copied to clipboard

Published 20 hours ago verified publisher icon apache

Add preflight support to HttpAuthenticationFilter

Open jepsar opened this issue 1 year ago • 5 comments

It would be nice if there was native (optional) support to always grant access to preflight requests.

https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

In our JAX RS project, we added this to our filter:

  @Override
  protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
    if (isPreflightRequest(request)) {
      return true;
    }
    return super.isAccessAllowed(request, response, mappedValue);
  }

  protected boolean isPreflightRequest(ServletRequest request) {
    HttpServletRequest httpRequest = WebUtils.toHttp(request);
    return httpRequest.getHeader("Origin") != null && httpRequest.getMethod().equals("OPTIONS");
  }

jepsar avatar Jun 23 '23 14:06 jepsar

Contributions are welcome :) Thank you

lprimak avatar Jul 03 '23 16:07 lprimak

Let me see what I can do.

jepsar avatar Jul 03 '23 17:07 jepsar

@jepsar any update please?

lprimak avatar Oct 03 '23 22:10 lprimak

I currently have some backlog of PrimeFaces work. Not sure when I can have a look at this issue.

jepsar avatar Oct 05 '23 12:10 jepsar

@jepsar Be careful: not all OPTIONS request including an Origin header are preflight requests. To be sure that you're dealing with a preflight request, you should check that the request also includes an Access-Control-Request-Method. More details in https://fetch.spec.whatwg.org/#cors-preflight-request

jub0bs avatar Oct 26 '23 18:10 jub0bs