wso2 / api-manager

All issues, tasks, improvements and new features of WSO2 API Manager
Apache License 2.0

APIs Fail when CORS is disabled globally. #309

Closed jayasithu closed 2 years ago

jayasithu commented 2 years ago

Description

When we set enable = false under [apim.cors] in the deployment.toml file and thereby disable CORS globally, we can observe the following error when invoking APIs.

[2022-06-30 12:06:48,602] ERROR - APIKeyValidator Could not find matching resource for /menu
[2022-06-30 12:06:48,602] ERROR - APIKeyValidator Could not find matching resource for request
org.wso2.carbon.apimgt.gateway.handlers.security.ResourceNotFoundException: Could not find matching resource for /menu
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.findMatchingVerb_aroundBody30(APIKeyValidator.java:410) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.findMatchingVerb(APIKeyValidator.java:315) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getResourceAuthenticationScheme_aroundBody28(APIKeyValidator.java:289) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getResourceAuthenticationScheme(APIKeyValidator.java:285) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate_aroundBody4(OAuthAuthenticator.java:275) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:111) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody56(APIAuthenticationHandler.java:522) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:516) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody46(APIAuthenticationHandler.java:402) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:353) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.apache.synapse.api.API.process(API.java:403) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.api.AbstractApiHandler.apiProcessNonDefaultStrategy(AbstractApiHandler.java:107) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.api.AbstractApiHandler.identifyAPI(AbstractApiHandler.java:127) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.api.AbstractApiHandler.dispatchToAPI(AbstractApiHandler.java:59) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.api.rest.RestRequestHandler.dispatchToAPI(RestRequestHandler.java:90) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.api.rest.RestRequestHandler.process(RestRequestHandler.java:76) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:54) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:344) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:101) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) ~[axis2_1.6.1.wso2v80.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:376) ~[synapse-nhttp-transport_2.1.7.wso2v271.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:190) ~[synapse-nhttp-transport_2.1.7.wso2v271.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) ~[axis2_1.6.1.wso2v80.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_312]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_312]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_312]

As per our observations, the issue occurs because the APIAuthenticationHandler is engaged before the CORS request handler in the API invocation flow: since we have disabled CORS globally, the CORS handler is removed from all the APIs. We checked the API artifact using the gateway REST API [1] and were able to see that the following handler is missing,

<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
            <property name="apiImplementationType" value="ENDPOINT"/>
            <property name="AuthorizationHeader" value="Authorization"/>
</handler>

and the APIAuthenticationHandler is present. According to the correct API invocation flow, the CORS handler should be present before the APIAuthenticationHandler, but when we disable CORS globally the CORS handler gets removed from all the APIs, which causes this error.

Steps to Reproduce

  1. Get the API Manager 4.1.0 pack.
  2. Disable CORS by adding the following under [apim.cors] in the deployment.toml:
     [apim.cors]
     enable = false
     allow_origins = "*"
     allow_methods = ["GET","PUT","POST","DELETE","PATCH","OPTIONS"]
     allow_headers = ["authorization","Access-Control-Allow-Origin","Content-Type","SOAPAction","apikey","Internal-Key"]
     allow_credentials = false
  3. Start the server and deploy a sample API.
  4. Invoke the API via the devportal or a curl command.
  5. We were able to see the following error in wso2carbon.log, which is the same error that the customer is observing:
[2022-06-30 12:06:48,602] ERROR - APIKeyValidator Could not find matching resource for /menu
[2022-06-30 12:06:48,602] ERROR - APIKeyValidator Could not find matching resource for request
org.wso2.carbon.apimgt.gateway.handlers.security.ResourceNotFoundException: Could not find matching resource for /menu
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.findMatchingVerb_aroundBody30(APIKeyValidator.java:410) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.findMatchingVerb(APIKeyValidator.java:315) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getResourceAuthenticationScheme_aroundBody28(APIKeyValidator.java:289) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getResourceAuthenticationScheme(APIKeyValidator.java:285) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate_aroundBody4(OAuthAuthenticator.java:275) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:111) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate_aroundBody56(APIAuthenticationHandler.java:522) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.isAuthenticate(APIAuthenticationHandler.java:516) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest_aroundBody46(APIAuthenticationHandler.java:402) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:353) ~[org.wso2.carbon.apimgt.gateway_9.20.74.jar:?]
at org.apache.synapse.api.API.process(API.java:403) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.api.AbstractApiHandler.apiProcessNonDefaultStrategy(AbstractApiHandler.java:107) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.api.AbstractApiHandler.identifyAPI(AbstractApiHandler.java:127) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.api.AbstractApiHandler.dispatchToAPI(AbstractApiHandler.java:59) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.api.rest.RestRequestHandler.dispatchToAPI(RestRequestHandler.java:90) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.api.rest.RestRequestHandler.process(RestRequestHandler.java:76) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:54) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:344) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:101) ~[synapse-core_2.1.7.wso2v271.jar:2.1.7-wso2v271]
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) ~[axis2_1.6.1.wso2v80.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:376) ~[synapse-nhttp-transport_2.1.7.wso2v271.jar:?]
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:190) ~[synapse-nhttp-transport_2.1.7.wso2v271.jar:?]
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172) ~[axis2_1.6.1.wso2v80.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_312]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_312]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_312]

Affected Component

APIM

Version

4.1.0

Environment Details (with versions)

No response

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

No response
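
The report above traces the failure to the gateway API artifact being deployed without the CORSRequestHandler ahead of the APIAuthenticationHandler. The following script is an added example (not part of the issue, and not WSO2 project code) that parses a gateway API artifact, such as the one returned by the gateway REST API, and flags the two conditions the report describes: the CORS handler missing entirely, or engaged after the authentication handler. It also flags an artifact with no APIAuthenticationHandler at all, since such an API would be deployed without gateway authentication. The three sample artifacts are constructed for the example; the `<api>`/`<handlers>`/`<handler>` element layout is an assumption based on Synapse API artifacts, and only the two handler class names and the CORS handler's properties come from the issue text.

```python
"""Check a WSO2 APIM gateway API artifact for CORS/auth handler ordering (added example)."""
import xml.etree.ElementTree as ET

# Handler class names as they appear in the issue report.
CORS_HANDLER = "org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler"
AUTH_HANDLER = "org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"

# Constructed sample artifacts (assumed Synapse layout, hypothetical API name/context).
# 1) What the report observed with CORS disabled globally: the CORS handler is gone.
ARTIFACT_CORS_DISABLED = """<api xmlns="http://ws.apache.org/ns/synapse" name="admin--SampleAPI" context="/sample/1.0.0">
  <handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
  </handlers>
</api>"""

# 2) The expected flow: CORS handler engaged before the authentication handler.
ARTIFACT_HEALTHY = """<api xmlns="http://ws.apache.org/ns/synapse" name="admin--SampleAPI" context="/sample/1.0.0">
  <handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
      <property name="apiImplementationType" value="ENDPOINT"/>
      <property name="AuthorizationHeader" value="Authorization"/>
    </handler>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
  </handlers>
</api>"""

# 3) Both handlers present but in the wrong order.
ARTIFACT_SWAPPED = """<api xmlns="http://ws.apache.org/ns/synapse" name="admin--SampleAPI" context="/sample/1.0.0">
  <handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler"/>
  </handlers>
</api>"""


def _local_name(tag):
    """Strip the XML namespace so '{...synapse}handler' compares as 'handler'."""
    return tag.rsplit("}", 1)[-1]


def handler_classes(artifact_xml):
    """Return the handler class names in the order the gateway will engage them."""
    root = ET.fromstring(artifact_xml)
    return [el.get("class", "") for el in root.iter() if _local_name(el.tag) == "handler"]


def check_handler_order(artifact_xml):
    """Return a list of findings; an empty list means the handler chain looks as expected."""
    classes = handler_classes(artifact_xml)
    findings = []
    if AUTH_HANDLER not in classes:
        findings.append("no APIAuthenticationHandler engaged: API deployed without gateway authentication")
    if CORS_HANDLER not in classes:
        findings.append("CORSRequestHandler missing (CORS disabled globally?): "
                        "APIAuthenticationHandler will fail to match the resource")
    elif AUTH_HANDLER in classes and classes.index(CORS_HANDLER) > classes.index(AUTH_HANDLER):
        findings.append("CORSRequestHandler engaged after APIAuthenticationHandler: it must come first")
    return findings


if __name__ == "__main__":
    for label, artifact in [("cors-disabled", ARTIFACT_CORS_DISABLED),
                            ("healthy", ARTIFACT_HEALTHY),
                            ("swapped", ARTIFACT_SWAPPED)]:
        result = check_handler_order(artifact)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Pointing the script at every API artifact the gateway returns turns the manual check the reporter did into a repeatable deployment-time gate: the cors-disabled sample reproduces the missing-handler finding from the issue, the healthy sample passes, and the swapped sample shows the order check catching a chain that has both handlers but would still authenticate before CORS.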

github-actions[bot] commented 2 years ago

This issue is NOT closed with a proper Resolution/ label. Make sure to add a proper reason label before closing. Please add or leave a comment with the proper reason label now.

      - Resolution/Cannot Reproduce - Issue cannot be reproduced.
      - Resolution/Duplicate - Issue is already reported before.
      - Resolution/Fixed - Issue has already been fixed.
      - Resolution/Answered - Issue has already been answered.
      - Resolution/Invalid - Issue is invalid.
      - Resolution/Not a bug - Issue is not a bug.
      - Resolution/Postponed - Issue is postponed.
      - Resolution/Won’t Fix - Issue won't be fixed.