Reputation: 55
How to handle CORS preflight requests in a SiteMinder protected environment?
I'm building an AngularJS application that will interact with RESTful services running on a different host. Since requests are going across origins, CORS is getting into the picture. Since requests specify JSON as expected content type, CORS preflight requests are triggered by the browser. Straightforward so far.
According to W3 spec, CORS preflight requests should exclude user credentials. The RESTful web services application is protected by SiteMinder, which is configured to enforce authentication based on URL. Web services depend on SiteMinder for authentication and handle authorization only. That's why SiteMinder cannot be removed. As a result, CORS preflight requests come back with HTTP 401 Authorization Required. It prevents browser from moving forward with the actual request.
Any ideas about how to enable CORS preflight requests in a SiteMinder protected environment? Thanks a lot in advance!
Upvotes: 4
Views: 3792
Answers (1)
Reputation: 55
You can try to ignore OPTIONS method by setting autoauthorizeoptions = yes in ACO parameters for the agent
++++++++++++++++++++++++++++ Allow Automatic Access to Resources that use the OPTIONS Method The SiteMinder Web Agent still challenges authenticated users who attempt to access resources that use the OPTIONS method. Some examples of resources that use the OPTIONS method include (but are not necessarily limited to) the following:
Microsoft® Word documents Microsoft® Excel® spreadsheet documents This challenge occurs because the application associated with the resource sends a request using the OPTIONS method to the web server. Because this request does not include a SiteMinder cookie, the Web Agent issues a challenge.
To prevent users from being challenged for these resources
Set the value of the following parameter to yes: autoauthorizeoptions Automatically authorizes any requests for resources which use the HTTP OPTIONS method.
If you set the value of this parameter to yes, also set the value of the PersistentCookies parameter to no.
Limits: yes, no
Set the value of the PersistentCookies parameter to no.
++++++++++++++++++++++++
Upvotes: 1
Related Questions
- Handling CORS Preflight in Asp.net Web API
- preflight request in enabled CORS ASP.NET Web API 2 application with windows authentication
- How to solve "CORS policy: Response to preflight request doesn't pass access control check." without adding browser plugin
- Web Api 2 Preflight CORS request for Bearer Token
- Angular 4 + Siteminder HTTP headers issue
- Angular Response to preflight request doesn't pass access control check
- Using CORS to handle reauthentication on another site
- Preflight Access-Control-Allow-Credentials
- Avoiding preflight OPTIONS requests with CORS
- Preflight CORS requests with Basic Authentication in Angular 2