
I have a Java Backend (with Jersey) and an Angular Client (on a different host), which accesses the API provided by Jersey.

Without authentication everything works great (I have a CORS filter included).

Now when I add basic auth to web.xml on Java Backend, the problems start.

Sample:

```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Sample</web-resource-name>
        <url-pattern>/manager-api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
    <!--<user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>  -->
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
```

I tried to set the Basic Authentication header on every AngularJS $http call. But the problem is that this header isn't attached to the OPTIONS call, which is made first.

HTTP Sample:

```javascript
App.config(['$httpProvider', function($httpProvider) {
    $httpProvider.defaults.headers.common['Authorization'] = 'Basic ' + authdata;
}]);
```

Do you have any idea how I can get around this? Is there a way to add the header to the OPTIONS call? Or is it possible to allow OPTIONS calls without allowing GET and POST calls?

Any help is highly appreciated.

Greets Marc


1 Answer


I don't see authdata defined anywhere there. Therefore, you're sending the header: Authorization: Basic unless you haven't included all of the relevant code.


5 Comments

Hi Jeff. authdata is set correctly by using Base64 to encode user and password. The problem is that the header isn't sent with the OPTIONS call. Therefore the authentication can't happen. Any idea why the header is not attached to the OPTIONS call?
If you're trying to make auth work on the OPTIONS call, it won't happen--CORS doesn't work like that. You need to make the OPTIONS call accessible without authentication.
Hi Jeff. Okay, that might be the problem. But how can I achieve this? Currently I have secured the whole servlet in web.xml with the security constraint posted above. Is there another way how I can secure only specific resources (GET, POST, DELETE)? Because with the security constraint as it is now, the OPTIONS calls are also protected.
I'm not sure in terms of Tomcat. I haven't used it before.
I solved the problem. It's working now. I had to add the methods to the security constraint within web.xml. Thanks a lot, Jeff :-)
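
The fix described in the last comment, restricting the security constraint to specific HTTP methods so the unauthenticated CORS preflight is no longer challenged, written out as an added example; it is not the poster's actual web.xml. It reuses the URL pattern and role from the question. The second form assumes a Servlet 3.0 or later container, where `<http-method-omission>` is available.

```xml
<!-- Added example, not the original poster's file. Use ONE of the two forms. -->

<!-- Form 1: list the methods that require authentication, as the comment describes.
     Caveat: every method NOT listed here (OPTIONS, but also PUT, HEAD, PATCH, ...)
     is left unprotected for this URL pattern, so list every method the API serves. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Sample</web-resource-name>
        <url-pattern>/manager-api/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>

<!-- Form 2 (Servlet 3.0+): protect every method EXCEPT OPTIONS.
     A method added to the API later is protected by default,
     and only the preflight is exempt from the Basic auth challenge. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Sample</web-resource-name>
        <url-pattern>/manager-api/*</url-pattern>
        <http-method-omission>OPTIONS</http-method-omission>
    </web-resource-collection>
    <auth-constraint>
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
```

With either form, the CORS filter's preflight response still has to list `Authorization` in `Access-Control-Allow-Headers`, otherwise the browser will not send the header on the actual request.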
