In a cross domain scenario all browsers do a CORS preflight request to check permissions of the requested web site. VRS basically does handle CORS when CORS support is activated in Tools/Options/Website. But if both CORS support and user authentication is enabled I got a CORS error reported and the browser refuses to work with the data received.
What I could investigate so far:
Browsers always send CORS preflight requests without authentication in order to keep the credentials secure.
In VRS, the standard pipeline build for websites puts the authentication filter before the CORS handler.
As a result, VRS web server answers the preflight request with Error 403 (not authenticated), stops the pipeline and we are done.
I am not very familiar with VRS architecture but a solution might be to skip authentication filter in case of CORS preflight requests.
Furthermore, browsers need an "Access-Control-Allow-Credentials" header set to TRUE on CORS GET responses to pass the last browser check.
I could manage to compile a working VRS web server from the current source tree by modifying the following two procedures:
In BasicAuthenticationFilter.cs
    /// <summary>
    /// Returns true if the request is authenticated, false otherwise. If the request has not been
    /// authenticated then pipeline processing should be stopped.
    /// </summary>
    /// <param name="environment"></param>
    /// <returns></returns>
    private bool Authenticated(IDictionary<string, object> environment)
    {
        var result = true;
        var sharedConfig = _SharedConfiguration.Get();
        var context = OwinContext.Create(environment);

        // skip authentication check in case of CORS preflight request (OPTIONS)
        if (context.RequestHttpMethod != HttpMethod.Options)
        {
            // proceed with basic authentication check
            var isAdminOnlyPath = _AuthenticationConfiguration.IsAdministratorPath(context.RequestPathNormalised);
            var isGlobalAuthenticationEnabled = sharedConfig.WebServerSettings.AuthenticationScheme == AuthenticationSchemes.Basic;

            if (isAdminOnlyPath || isGlobalAuthenticationEnabled)
            {
                result = false;

                string userName = null;
                string password = null;
                if (ExtractCredentials(context, ref userName, ref password))
                {
                    var cachedUser = _BasicAuthentication.GetCachedUser(userName);
                    var cachedUserTag = _BasicAuthentication.GetCachedUserTag(cachedUser);
                    var isPasswordValid = _BasicAuthentication.IsPasswordValid(cachedUser, cachedUserTag, password);

                    result = isPasswordValid && (!isAdminOnlyPath || cachedUser.IsAdministrator);
                    if (result)
                    {
                        context.RequestPrincipal = _BasicAuthentication.CreatePrincipal(cachedUser, cachedUserTag);
                    }
                }

                if (!result)
                {
                    SendNeedsAuthenticationResponse(context);
                }
            }
        }

        return result;
    }
In CorsHandler.cs
    /// <summary>
    /// Adds Allow-Origin headers to simple requests that match the origin.
    /// </summary>
    /// <param name="context"></param>
    /// <param name="origin"></param>
    private void HandleSimpleRequest(OwinContext context, string origin)
    {
        if (OriginIsAllowed(origin))
        {
            context.ResponseHeadersDictionary["Access-Control-Allow-Origin"] = origin;
        }

        // add access control header to pass CORS check of browsers
        var sharedConfig = _SharedConfiguration.Get();
        if (sharedConfig.WebServerSettings.AuthenticationScheme == AuthenticationSchemes.Basic)
        {
            context.ResponseHeadersDictionary["Access-Control-Allow-Credentials"] = "true";
        }
    }
I kindly ask the maintainers to verify this and to push appropriate code changes to the repository.
Thank you in advance!
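The pipeline-ordering problem described in the issue, modelled as a standalone example (added here; not VRS code): an authentication filter runs first, a CORS handler second, and the request/response dicts, the 401 status, the origin allowlist and the `user:secret` credentials are all constructed assumptions. It shows why an unauthenticated preflight dies in the filter, why skipping the filter for preflights only does not open up GET, and why Access-Control-Allow-Credentials must be paired with an allowlisted origin rather than a wildcard.

```python
# Standalone model of the pipeline order discussed above: an authentication
# filter runs first and a CORS handler second. Not VRS code; the request and
# response dicts, the 401 status and the constructed credentials are assumptions.
import base64

ALLOWED_ORIGINS = {"https://dashboard.example"}                    # constructed allowlist
VALID_AUTH = "Basic " + base64.b64encode(b"user:secret").decode()  # constructed credential


def is_preflight(req):
    """A CORS preflight is an OPTIONS request carrying Access-Control-Request-Method."""
    return req["method"] == "OPTIONS" and "Access-Control-Request-Method" in req


def auth_filter(req, auth_enabled, skip_preflight):
    """Return None to continue the pipeline, or a response that stops it."""
    if skip_preflight and is_preflight(req):
        return None                       # browsers never attach credentials to a preflight
    if auth_enabled and req.get("Authorization") != VALID_AUTH:
        return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="vrs"'}}
    return None


def cors_handler(req, resp, auth_enabled):
    """Add CORS headers only for an allowlisted origin, never a wildcard."""
    origin = req.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return resp                       # no Allow-Origin header: the browser blocks the read
    h = resp["headers"]
    h["Access-Control-Allow-Origin"] = origin
    h["Vary"] = "Origin"                  # cached responses must not leak across origins
    if auth_enabled:
        # Needed for credentialed requests; only legal with a specific origin, not "*".
        h["Access-Control-Allow-Credentials"] = "true"
    if is_preflight(req):
        h["Access-Control-Allow-Methods"] = req["Access-Control-Request-Method"]
    return resp


def pipeline(req, auth_enabled=True, skip_preflight=True):
    """Run the auth filter, then the CORS handler, in the order the issue describes."""
    stop = auth_filter(req, auth_enabled, skip_preflight)
    if stop is not None:
        return stop                       # stopped early: no CORS headers at all
    status = 204 if req["method"] == "OPTIONS" else 200
    return cors_handler(req, {"status": status, "headers": {}}, auth_enabled)


PREFLIGHT = {"method": "OPTIONS", "Origin": "https://dashboard.example",
             "Access-Control-Request-Method": "GET"}               # constructed request
```

Running `pipeline(PREFLIGHT, skip_preflight=False)` reproduces the failure (a 401 with no CORS headers), while the default reproduces the fixed behaviour.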