Bypassing authentication for "Options request" (so all headers are sent in the response)

Question

This is in the context of Cross-origin resource sharing. For the preflight request, the server is not sending the headers set. When a valid cookie is not passed with the "Options request", the server in it's response is not sending the headers I set, however, it's sending "200 OK". I checked this with curl as can be seen below (obviously, I replaced my valid cookie with a dummy "xyzabcde" here)

The curl request WITHOUT cookie:

curl -H "Origin: app2_url"   -H "Access-Control-Request-Method: POST"   -H "Access-Control-Request-Headers: accept, origin, content-type"   -X OPTIONS --verbose   app1_url/jsonrpc.cgi

(sends below response...)

HTTP/1.1 200 OK
Date: Tue, 01 Oct 2013 11:37:36 GMT
Server: Apache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4531
Content-Type: text/html; charset=utf-8

with "-H Cookie:xyzabcde":

curl -H "Origin: app2_url"   -H "Access-Control-Request-Method: POST"   -H "Access-Control-Request-Headers: accept, origin, content-type" "-H Cookie:xyzabcde"  -X OPTIONS --verbose   app1_url/jsonrpc.cgi

(sends below response...)

HTTP/1.1 403 Forbidden
Date: Wed, 02 Oct 2013 18:48:34 GMT
Server: Apache
X-frame-options: ALLOW-FROM app2_url
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With
Access-Control-Allow-Methods: GET, POST, HEAD, PUT, OPTIONS
Access-Control-Allow-Origin: app2_url
Access-Control-Max-Age: 1800
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8

The apache config looks something like...

<VirtualHost *:443>
.
.
Header always set X-Frame-Options "ALLOW-FROM app2_url"
Header  always set  Access-Control-Allow-Credentials "true"
Header  always set  Access-Control-Allow-Headers    "accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With"
Header  always set  Access-Control-Allow-Methods    "GET, POST, HEAD, PUT, OPTIONS"
Header  always set  Access-Control-Allow-Origin    "app2_url"
Header  always set  Access-Control-Max-Age  "1800"
.
.
.
<Directory /app1/dir/>      
    Options Includes FollowSymLinks ExecCGI MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    AuthType Net
    PubcookieInactiveExpire -1
    PubcookieAppID app1.company.com
    require valid-user
</Directory>
.
.
</VirtualHost>

How can I make all the headers be sent in response to unauthenticated requests? I guess, Options requests ideally are supposed to not require any authentication.

score 1 · Answer 1 · answered Jan 27 '20 at 11:15

We solved this with different configuration. Below is the snippet from myApplication.conf file at /usr/local/apache/conf/extra

    <Location "/myService">
      SetEnvIf Request_URI "/healthCheck" REDIRECT_noauth=1
      SetEnvIf Request_Method "OPTIONS" REDIRECT_noauth=1
      AuthType Basic
      AuthName "myService"
      AuthUserFile /usr/local/apache/conf/passwd/passwords
      AuthGroupFile /usr/local/apache/conf/passwd/groups
      Require group GroupName
      Order allow,deny
      Allow from env=REDIRECT_noauth
      Satisfy any
   </Location>

So, we can bypass the authentication:

Based on particular URI, in above example /healthCheck is bypassed
Based on HTTP method, in above example OPTIONS is bypassed and auth will be prompted for other HTTP methods

Hope it helps someone to resolve the issues.

score 0 · Accepted Answer · edited Nov 29 '17 at 16:30

0

"LimitExcept" directive solved it. In fact, prior to posting the question I tried the directive, however the mistake earlier was including the first two lines ("Options Includes..." and "Alowoverride...") within the "LimitExcept" block.

<Directory /app1/dir/>      
  Options Includes FollowSymLinks ExecCGI MultiViews
  AllowOverride None
  <LimitExcept OPTIONS>
    Order allow,deny
    allow from all
    AuthType Net
    PubcookieInactiveExpire -1
    PubcookieAppID app1.company.com
    require valid-user
  </LimitExcept> #<- syntax error fixed.
</Directory>

edited Nov 29 '17 at 16:30

Chris

5,788
4
29
40

answered Oct 03 '13 at 08:48

Krishna

49
1
4

1

There's a syntax error here. Section should be closed with . In the example it's missing the "/". – user1751825 Feb 08 '17 at 23:14

Bypassing authentication for "Options request" (so all headers are sent in the response)

2 Answers2

Linked