
For some time I've been playing around with RESTEasy and AngularJS $http calls. The idea is to have a Web API that the Angular web app uses as its backend, but I'd like to have those calls secured with at least HTTP Basic Authentication only for the website, because there won't be any user accounts and so on. What I've managed to do so far is that the REST service works with authentication ("Authorization":"Basic user_pass_Base64_hash" header) when calling it from the Poster add-on in Mozilla. But problems arise when I try to connect via AngularJS $http. Here is the code of the Angular call:

$http({
        url: 'http://serverurl/rest/anouncements/announce/1',
        method: 'GET',
        headers: {'Authorization': 'Basic someBase64Hash'}
        })
        .success(function(data){
            // do something with data
        });

Via a servlet filter I modify the response by adding these headers:

response.addHeader("Access-Control-Allow-Origin", "*");
response.addHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.addHeader("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, Content-Length");

and checking whether the user:password decoded from the hash exists in the database.

I don't really know what else I can do to make it work; I already tried many things I've read about in other posts or in the docs. Could anyone please help? The RESTEasy version is 2.2.3 and Angular is 1.2.10.

Thanks, Michal

    
What error? 401? Does it fail on OPTIONS or GET? –  wayne Mar 20 at 16:41
    
In the Chrome JavaScript console/AngularJS I got: XMLHttpRequest cannot load server.url/rest/anouncements/announce/1. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'server.url' is therefore not allowed access. Here 'server.url' is my REST app URL –  user3281299 Mar 20 at 16:47
    
In Firebug it is 401 on OPTIONS –  user3281299 Mar 20 at 16:50
    
But when I run Chrome with --disable-web-security parameter it works –  user3281299 Mar 20 at 16:53
    
I don't know about the RESTEasy/Servlet/JBoss setup. If I use Apache/nginx, I have to turn on Access-Control-Allow-Methods/Access-Control-Allow-Origin in the Apache/nginx configuration. The request is never getting through to your servlet code; it is blocked by the server. –  wayne Mar 20 at 16:58

1 Answer

OK, after some struggle I figured out what the heck was going on ;)

Maybe my experience with this will help someone.

As I mentioned before, I'm using a class extending javax.servlet.Filter to control response headers. In the doFilter(..) method I'm checking whether the request method is OPTIONS or not. If so, then I add these headers:

((HttpServletResponse) response).addHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
((HttpServletResponse) response).addHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");

But if not, I do my authorization stuff (parsing the base64 string, checking in the DB for the passed credentials) and, if OK, set the Content-Type header according to what I expect to get in the response from the server in my Angular code:

((HttpServletResponse) response).addHeader("Content-Type", "application/json");

and pass the request and response objects to the doFilter method in the javax.servlet.Filter superclass:

chain.doFilter(request, response);

Though, I DO NOT filter the OPTIONS request.

Of course, if my check for credentials in the DB fails, I send a 403 from the response.

In Angular I do only a simple

$http.get('someUrl').then(function(response){
 // do something with promise
});

adding my base64 hash to every request in the 'Authorization' header:

$http.defaults.headers.common.Authorization = 'Basic a3J6YXE0OmtyemFxNjY2' ;

In both cases, whether the request method is OPTIONS or not, I add this header to the response:

response.addHeader("Access-Control-Allow-Origin", "*");

Of course, nothing can stop you from specifying directly which origin you allow to do business with :)

I hope that will help someone and of course any comments and suggestions are appreciated!

Cheers, Michal!
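
The filter flow described in the answer above, assembled into one class as an added example that is not part of the original post or of RESTEasy. The class name, the allowed origin `https://app.example.com` and the `credentialsValid` hook are assumptions, as are Java 8+ and the `javax.servlet` 3.x API; it answers the preflight itself and echoes a single allow-listed origin instead of `*`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public abstract class CorsBasicAuthFilter implements Filter {
    // Assumption: the one web origin that is allowed to call the API.
    private static final List<String> ALLOWED_ORIGINS = Arrays.asList("https://app.example.com");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Echo the Origin only when it is on the allow-list, instead of sending "*".
        String origin = req.getHeader("Origin");
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            res.setHeader("Access-Control-Allow-Origin", origin);
            res.setHeader("Vary", "Origin");
        }
        // The preflight OPTIONS carries no Authorization header: answer it before the auth check.
        if ("OPTIONS".equalsIgnoreCase(req.getMethod())) {
            res.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
            res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
            res.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        String[] creds = parseBasic(req.getHeader("Authorization"));
        if (creds == null || !credentialsValid(creds[0], creds[1])) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN); // 403, as in the answer
            return;
        }
        chain.doFilter(req, res);
    }
    // Returns {user, password}, or null when the header is missing or malformed.
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String d = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            int colon = d.indexOf(':');
            return colon < 0 ? null : new String[] { d.substring(0, colon), d.substring(colon + 1) };
        } catch (IllegalArgumentException e) { return null; } // not valid Base64
    }
    // Hypothetical hook: a subclass implements the database lookup the answer mentions.
    protected abstract boolean credentialsValid(String user, String password);
}
```

The value after `Basic` is Base64-encoded `user:password`, not a hash, so a credential set in `$http.defaults.headers.common` can be read by anyone who loads the page's JavaScript.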
