SimonBin commented on issue #1516: URL: https://github.com/apache/jena/issues/1516#issuecomment-1239766512
Hi Andy, thanks for the answer. I agree this issue is confusing.

FYI: building Fuseki with #1520 does **not** seem to be related to this issue.

On the whatwg page, I found the following note:

> **Note**
> For a [CORS-preflight request](https://fetch.spec.whatwg.org/#cors-preflight-request), [request](https://fetch.spec.whatwg.org/#concept-request)’s [credentials mode](https://fetch.spec.whatwg.org/#concept-request-credentials-mode) is always "same-origin", i.e., it **excludes credentials**.

I found this additional resource about OPTIONS: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS

Basically, the web browser will always send an OPTIONS request without any credentials ("CORS-preflight") and the server is supposed to reply with `HTTP/1.1 200 OK` / `Access-Control-Allow-Credentials: true` (no content is sent).

However, if we add `/**=authcBasic,user[admin]`, then OPTIONS are also password protected and the response is `HTTP/1.1 401 Unauthorized`.

Thus, a Shiro-protected Fuseki cannot be used with cross-site requests.

You can observe this e.g. in the "Web developer tools > Network" in Firefox.

I also did not have much luck finding any reports about this on the Shiro side. I found those 2 unanswered issues/questions from 2014:

- [ ] https://issues.apache.org/jira/browse/SHIRO-508
- [ ] https://lists.apache.org/thread/5s1j5l49bl282cd0xodyw5l1vzkrcqjh

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
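The preflight behaviour described in the comment above, as an added example that is not part of the original comment and is not Jena, Fuseki or Shiro code: a small Python stand-in server that either requires Basic auth on every method (the `/**=authcBasic` case) or exempts OPTIONS, probed with a credential-less OPTIONS request. The credentials, origin, `/ds` path and the `exempt_options` switch are assumptions made for the demo.

```python
import base64
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

CREDS = "Basic " + base64.b64encode(b"admin:pw").decode()  # constructed
ALLOWED_ORIGIN = "http://app.example"  # constructed allowlisted origin

def make_handler(exempt_options):
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, needs_auth):
            ok = not needs_auth or self.headers.get("Authorization") == CREDS
            self.send_response(200 if ok else 401)
            if not ok:
                self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            elif self.headers.get("Origin") == ALLOWED_ORIGIN:
                # Allowlisted origin only; "*" is invalid with credentials.
                self.send_header("Access-Control-Allow-Origin", ALLOWED_ORIGIN)
                self.send_header("Access-Control-Allow-Credentials", "true")
                self.send_header("Access-Control-Allow-Headers", "Authorization")
            self.send_header("Content-Length", "0")
            self.end_headers()

        def do_OPTIONS(self):
            # The preflight never carries credentials, so requiring auth
            # here (the /**=authcBasic case) can only produce a 401.
            self._reply(needs_auth=not exempt_options)

        def do_GET(self):
            self._reply(needs_auth=True)  # data access stays protected

        def log_message(self, *args):
            pass  # keep the demo quiet
    return Handler

def probe(exempt_options, method, with_credentials):
    """Return (status, Access-Control-Allow-Credentials) for one request."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(exempt_options))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        headers = {"Origin": ALLOWED_ORIGIN}
        if with_credentials:
            headers["Authorization"] = CREDS
        conn = HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request(method, "/ds", headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Access-Control-Allow-Credentials")
    finally:
        server.shutdown()
        server.server_close()
```

With `exempt_options=False` the credential-less OPTIONS probe is rejected with 401, which is what a browser sees as a failed preflight; with `True` it gets 200 plus the CORS headers while GET still requires credentials.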
