[AAA-213] Remove CORS filter from shiro-impl Created: 18/May/21 Updated: 06/Jul/22 Resolved: 06/Jul/22 |
|
| Status: | Resolved |
| Project: | aaa |
| Component/s: | General |
| Affects Version/s: | None |
| Fix Version/s: | 0.16.0 |
| Type: | Improvement | Priority: | Medium |
| Reporter: | Robert Varga | Assignee: | Robert Varga |
| Resolution: | Done | Votes: | 0 |
| Labels: | pt |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Description |
|
shiro-impl's WebContextSecurer currently performs two tasks: it adds the authentication layer, but it also adds CORS control headers, which defeat browsers' engine sensitivity. The CORS policy needs to be separate from authentication and needs to be cross-cutting. Separate the CORS filter into its own component and integrate it via OSGi HTTP Whiteboard, so that it gets applied irrespective of WebContextSecurer invocation. This component should be an experimental feature, which is not installed by default. |
| Comments |
| Comment by Robert Varga [ 06/Jul/22 ] |
|
Actually, let's just remove the CORS filter and reinstate it if someone needs it. |
| Comment by Robert Varga [ 06/Jul/22 ] |
|
If there is an actual need for it going forward, we will need to include a proper component which can be configured. As an example, the old CORS filter did not handle PATCH requests, which brings to light the need to interact with actual downstreams (like RESTCONF PATCH requests). |
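
A sketch of the configurable preflight decision the last comment calls for, added here as an illustration; it is not the removed shiro-impl filter or any AAA project code. The `CorsPolicy` class, the origins and the method lists are hypothetical, and the servlet/OSGi HTTP Whiteboard wiring is left out so the class runs on a plain JDK.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/** Hypothetical configurable CORS policy (illustration only). */
public final class CorsPolicy {
    private final Set<String> allowedOrigins;
    private final Set<String> allowedMethods;

    public CorsPolicy(Set<String> allowedOrigins, Set<String> allowedMethods) {
        this.allowedOrigins = Set.copyOf(allowedOrigins);
        this.allowedMethods = Set.copyOf(allowedMethods);
    }

    /**
     * Headers to attach to the response of a preflight (OPTIONS) request.
     * An empty map means "send no CORS headers": the browser then refuses
     * to send the actual cross-origin request.
     */
    public Map<String, String> preflightHeaders(String origin, String requestedMethod) {
        Map<String, String> headers = new LinkedHashMap<>();
        // Missing Origin / Access-Control-Request-Method, or anything off the allow-lists: no headers.
        if (origin == null || requestedMethod == null
                || !allowedOrigins.contains(origin)
                || !allowedMethods.contains(requestedMethod)) {
            return headers;
        }
        // Echo the one matching origin rather than "*", and mark the response as origin-dependent.
        headers.put("Access-Control-Allow-Origin", origin);
        headers.put("Vary", "Origin");
        headers.put("Access-Control-Allow-Methods", String.join(", ", new TreeSet<>(allowedMethods)));
        return headers;
    }

    public static void main(String[] args) {
        String ui = "https://ui.example.test"; // constructed origin
        // Constructed method lists: the first lacks PATCH, like the gap described in the comment.
        CorsPolicy fixedList = new CorsPolicy(Set.of(ui), Set.of("GET", "POST", "PUT", "DELETE"));
        CorsPolicy configured = new CorsPolicy(Set.of(ui), Set.of("GET", "POST", "PUT", "DELETE", "PATCH"));

        System.out.println("fixed list, PATCH:  " + fixedList.preflightHeaders(ui, "PATCH"));
        System.out.println("configured, PATCH:  " + configured.preflightHeaders(ui, "PATCH"));
        System.out.println("configured, other origin: "
                + configured.preflightHeaders("https://other.example.test", "PATCH"));
    }
}
```

With the fixed list, the PATCH preflight gets no CORS headers and a cross-origin RESTCONF PATCH never leaves the browser; with PATCH configured, only the listed origin is allowed through.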