kakawait / cas-security-spring-boot-starter

Spring boot starter for Apereo CAS client fully integrated with Spring security
MIT License

Securing CORS RestAPI #114

Open lchrennew opened 5 years ago

lchrennew commented 5 years ago

Hi,

I want to secure my APIs, which are accessed cross-domain, so my expected behavior is (e.g. GET http://my.api/users/me from http://my.web/):

open http://my.web -(fetch API)-> OPTION http://my.api/users/me -> HTTP 200 -> GET /users/me -> HTTP 403 or HTTP 401 -> location.href='http://my.api/login/cas?return_url=http://my.web/' -> http://my.api/login/cas?return_url=http://my.web/ -> HTTP 302 -> cas server

How could I implement this process?

kakawait commented 5 years ago

@lchrennew could you be more precise, because I understood that part

OPTION http://my.api/users/me -> HTTP 200 ->
GET /users/me -> HTTP 403 or HTTP 401

but not

->
location.href='http://my.api/login/cas?return_url=http://my.web/' ->
http://my.api/login/cas?return_url=http://my.web/ -> HTTP 302 -> cas server