
I have a cross origin request to my service. The service expects an "Authentication" header to be a token.

The web client uses angularjs interceptor to pass the Authorization token, but gets

OPTIONS http://<domain>:<port>/xxxx 401 (Unauthorized)
XMLHttpRequest cannot load http://<domain>:<port>/xxxx. Response for preflight has invalid HTTP status code 401

And hence, couldn't get the Access-Control-Allow-Headers : Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With as the response. So the Authorization header in the following GET call is ignored!

But when I disabled the authentication for the OPTIONS method -- I added an antMatchers(HttpMethod.OPTIONS,"/**").permitAll() -- the web app was able to send the Authorization header as expected.

Is it safe to have non-authenticated calls for the HTTP OPTIONS method in my service?

Related question: Disable Spring Security for OPTIONS Http Method

raj

1 Answer

The OPTIONS call is a way for the browser to establish whether or not the cross origin call to the API is allowed. The browser won't send the Authorization header on this call.

You just return a status code indicating whether the cross origin call is allowed (200 OK or 403 Forbidden). If allowed, the browser will make the actual request with the Authorization header and then you check the credentials.

MvdD
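One way to wire this up in Spring Security, as an added example that is not part of the question or answer above: the CorsFilter answers the preflight before any authentication filter runs, so the OPTIONS request never reaches the token check, while every real request still must carry a valid Authorization header. It assumes Spring Security 4.x with WebSecurityConfigurerAdapter; the origin https://app.example.com is a placeholder for the real web-client origin.

```java
import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Adds Spring's CorsFilter ahead of the authentication filters, so a
            // preflight OPTIONS gets its 200 (allowed) or 403 (origin rejected)
            // before any token is looked at.
            .cors().and()
            .authorizeRequests()
                // A preflight never carries Authorization, so permitting OPTIONS
                // grants nothing beyond what the CORS allow-list already decides.
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // Every actual GET/POST/... still has to authenticate.
                .anyRequest().authenticated();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Placeholder origin: list the exact client origins, not "*".
        config.setAllowedOrigins(Arrays.asList("https://app.example.com"));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // These become Access-Control-Allow-Headers in the preflight response,
        // which is what lets the browser send Authorization on the real call.
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "X-Requested-With"));
        config.setMaxAge(3600L);   // browser may cache the preflight result for an hour
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

With this in place, an OPTIONS from an origin that is not on the list gets 403 from the CorsFilter and the browser never issues the GET, while a request that skips the preflight (same-origin, curl) is still stopped by anyRequest().authenticated().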