Handling http OPTIONS calls

[sebastientromp]

Hello,

When dealing with Cross-site requests, a first OPTIONS request is sent to the server before the real request.
Namely, when trying to authenticate through a POST to /api/login, first an OPTIONS request is sent, gets intercepted by the StatelessAuthenticationFilter, which then crashes because the request body is empty (no parameters are passed).

I've tried adding an exception to the config:

// allow anonymous POSTs to login
.antMatchers(HttpMethod.POST, "/api/login")
.permitAll()

// allow anonymous OPTIONs
.antMatchers(HttpMethod.OPTIONS, "/**")
.permitAll()

// allow anonymous GETs to API

but it doesn't change anything - the filter is still called (I've also tried defining the exception before the POST to /api/login)

Doing a GET directly to /api/login results in the same thing (even when changing the order of the configuration), ie the following test causes a jackson exception in StatelessLoginFilter:

@Test
public void testUserApi_Get_Login() {
    final String result = doAnonymousExchange(HttpMethod.GET, "/api/login");
}

Do you know how I should proceed here?

Thanks!
Sébastien

[stunaz]

Your problem must be fixed on the client-side. I have it perfectly working with cross site requests. I dont know why a request with OPTIONS made in your case. Have you added Cross site Filter (I added a filter to make it work, check http://spring.io/guides/gs/rest-service-cors/) ?

[leordev]

Hey all! I was at the same trouble.
I could not follow the @stunaz statement to fix on the client side. It's a good practice for CORS requests, and I'm using angular, see a good answer here: http://stackoverflow.com/questions/24656488/angularjs-how-to-disable-option-request

But I've solved the problem adding the following line at attemptAuthentication at StatelessLoginFilter:

    if (request.getMethod().equals("OPTIONS")) return null;

I think it's ok because we don't need to authenticate options requests. It doens't retrieves any business data and so on.

If there's a better solution, please let me know.

[sebastientromp]

That's actually what I've done too

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;

    if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
        chain.doFilter(request, res);
        return;
    }
    super.doFilter(req, res, chain);
}