Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

CORS preflight request returning HTTP 401 with windows authentication

I searched a lot on Google and Stack overflow to find a solution for my problem, but nothing worked.

Here is my problem:

  • I use IIS 7 with a special programming environment called WebDEV that does not allow direct manipulation of OPTIONS HTTP method. So, all solutions suggesting some kind of server-side request handling using code are not feasible.

  • I have to use Window authentication and disable anonymous access

  • I have a page that uses CORS to POST to this server. As this POST should have Content-type: Octet-stream, a preflight is issued by the browser.

  • When I enable anonymous access, everything works fine (CORS is well configured)

  • When I disable anonymous access, the server replies with HTTP 401 unauthorized response to the preflight request, as it does not contain credentials information.

  • I tried to write a module for IIS that accepts OPTIONS requests like this, but it did not work (couldn't add the module correctly to IIS, maybe)

    public class CORSModule : IHttpModule
       {
    
              public void Dispose() { 
              }
    
              public void Init(HttpApplication context)
              {
                   context.PreSendRequestHeaders += delegate
                   {
                      if (context.Request.HttpMethod == "OPTIONS")
                       {
                             var response = context.Response;
                             response.StatusCode = (int)HttpStatusCode.OK;
                       }
                   };
              }
        } 
    

The question is: How can I make IIS respond with HTTP 200 to the preflight request without enabling anonymous access or writing some server-side code? Is there an easy configuration or a ready-made module for IIS to do so? At least, what are the detailed steps to install the above module into IIS 7?

like image 331
AhmadWabbi Avatar asked Jul 05 '16 11:07

AhmadWabbi


2 Answers

From AhmadWabbi's answer, easy XML pasting into your web.config:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="CORS Preflight Anonymous Authentication" stopProcessing="true">
                <match url=".*" />
                <conditions>
                    <add input="{REQUEST_METHOD}" pattern="^OPTIONS$" />
                </conditions>
                <action type="CustomResponse" statusCode="200" statusReason="Preflight" statusDescription="Preflight" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
like image 193
DoubleJ Avatar answered Nov 04 '22 17:11

DoubleJ


Here is the solution that uses "URL Rewrite" IIS module. It works perfectly.

1- Stop IIS service (maybe not necessary)

2- Install "web platform installer" from https://www.microsoft.com/web/downloads/platform.aspx

3- Go to "Applications" tab and search for "URL Rewrite" and download it

4- Install this hotfix KB2749660 (maybe not necessary)

5- Open IIS configuration tool, double click "URL Rewrite"

6- Add a new blankrule

7- Give it any name

8- In "Match URL", specify this pattern: .*

9- In "Conditions", specify this condition entry: {REQUEST_METHOD} and this pattern: ^OPTIONS$

10- In "Action", specify: action type Personalized response, state code 200, reason Preflight, description Preflight

11- Start the server

Now, the server should reply with a 200 status code response to the preflight request, regardless of the authentication.

Remarks: I also disabled all compression, I don't know if it matters.

like image 7
AhmadWabbi Avatar answered Nov 04 '22 19:11

AhmadWabbi