My app is using ag-sec and the @secure annotation.
When the user does not have the role specified by @secure I get an exception, as expected: https://gist.github.com/sebastienblanc/6134149
I assume it is because of this https://github.com/aerogear/aerogear-security/blob/master/src/main/java/org/jboss/aerogear/security/interceptor/SecurityInterceptor.java#L71 and it works perfectly as designed.
And without CORS, the server returns a nice 401 status to the client.
Same scenario with CORS: I'm hitting a secured resource without having the role needed (BTW the OPTIONS preflights are handled without any errors).
I'm getting the same exception from the server, but this time no proper 401 answer is sent back to the client, and on the client side the request is just canceled.
Reproduce it

To reproduce this scenario, here are the steps:

- Clone this branch: https://github.com/sebastienblanc/aerogear-push-quickstart-backend/tree/cors_tests , then run mvn clean install and mvn jboss-as:deploy
- Clone this branch: https://github.com/aerogear/aerogear-push-quickstart-web/tree/AGPUSH-160 and deploy it, making sure it's not running on the same port as the aerodoc backend (for instance with python -m SimpleHTTPServer)
- Browse to the simple client (in case you use the python webserver it will be localhost:8000)
- Login with maria/123
- Refresh the page: you should see the failure on retrieving the /leads endpoint.
So, what I'm looking for is to have a normal 401 status sent back to the client when using CORS. Maybe someone has some ideas about this?
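As an added example, not part of the original post and not aerogear-security code: a small Node.js model of the check a browser performs on a cross-origin response before handing it to the page. It shows why a 401 that comes back without Access-Control-Allow-Origin is never seen as a 401 by the client script; the browser turns it into a network error, which the dev tools display as a cancelled request. The header rules follow the CORS specification; the two response objects are constructed samples, and treating the logged-in session as credentialed (cookies sent with the request) is an assumption about the aerodoc client.

```javascript
// Added example (not aerogear code): a model of the CORS response check a
// browser performs on a cross-origin fetch/XHR. If the check fails, the
// script never sees the status code; it only gets a network error, which
// the dev tools show as a cancelled request.

function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Decide whether `response` (status + header map) is exposed to a page
// served from `requestOrigin`. `withCredentials` models an XHR/fetch that
// sends cookies; a cookie-based login session is assumed here.
function corsOutcome(response, requestOrigin, withCredentials = false) {
  const headers = lowerCaseHeaders(response.headers);
  const allowOrigin = headers['access-control-allow-origin'];
  const allowCredentials = headers['access-control-allow-credentials'];

  if (allowOrigin === undefined) {
    return { exposed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (allowOrigin === '*') {
    if (withCredentials) {
      return { exposed: false, reason: 'wildcard origin not allowed with credentials' };
    }
  } else if (allowOrigin !== requestOrigin) {
    return { exposed: false, reason: `origin ${allowOrigin} does not match ${requestOrigin}` };
  }
  if (withCredentials && allowCredentials !== 'true') {
    return { exposed: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  // Only now does the page get to read response.status (401, 200, ...).
  return { exposed: true, status: response.status };
}

// Constructed sample responses for a client served from http://localhost:8000.
const CLIENT_ORIGIN = 'http://localhost:8000';

// What the client sees when the error path of the server skips whatever adds
// the CORS headers on the success path: a bare 401 (constructed sample).
const UNAUTHORIZED_NO_CORS = {
  status: 401,
  headers: { 'Content-Type': 'text/html' },
};

// The same 401, but with the CORS headers still present on the error response.
const UNAUTHORIZED_WITH_CORS = {
  status: 401,
  headers: {
    'Content-Type': 'text/html',
    'Access-Control-Allow-Origin': CLIENT_ORIGIN,
    'Access-Control-Allow-Credentials': 'true',
  },
};

function demo() {
  for (const [label, response] of [
    ['401 without CORS headers', UNAUTHORIZED_NO_CORS],
    ['401 with CORS headers', UNAUTHORIZED_WITH_CORS],
  ]) {
    const outcome = corsOutcome(response, CLIENT_ORIGIN, true);
    console.log(label, '->', outcome.exposed
      ? `status ${outcome.status} visible to the page`
      : `network error (${outcome.reason}); status hidden`);
  }
}

demo();
```

Run it with node: the first case is the symptom from the report above (the script cannot distinguish the 401 from the server being down), the second is what the client needs in order to react to a 401. The check happens on the actual response, independently of the preflight, which is why a clean OPTIONS exchange does not help once the error response itself lacks the headers.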