
Right now I am building a REST API running on Tomcat 8 which is using the CorsFilter of Apache to allow cross-domain requests, which I set in my web.xml like this:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/webapi/*</url-pattern>
</filter-mapping>

So far so easy; now I wanted to add DIGEST authentication to my REST API, yes digest NOT basic!

For simple usage I wanted to use the security constraints in the web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>all</web-resource-name>
        <url-pattern>/webapi/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>UserDatabase</realm-name>
</login-config>

The authentication and the CORS filter work fine on their own, but here the problem starts: the security constraint is executed by the servlet container before the CORS filter. So the authentication algorithm doesn't set the needed CORS (cross-domain request) headers on the Digest authentication response; as a result a CORS request will fail at the authentication, because the digest 401 page with the "challenge" (nonce, qop, realm, etc.) is missing the necessary headers for a cross-domain request. Does anyone know a solution or implementation for that problem? Or do I really need to implement my own digest filter because of CORS?!

Andi

1 Answer

You can try to reimplement the CorsFilter as a Tomcat valve and make sure it is configured to run before the Digest authenticator valve.

Igor Mukhin
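As an added illustration of the valve approach from the answer (this is example code, not part of Tomcat and not the answerer's own implementation), the class below sets the CORS headers on the container pipeline, i.e. before the context's DigestAuthenticator runs. It does two things the question's setup needs: it answers the credential-less OPTIONS preflight itself, so the preflight never reaches the security constraint and never gets a 401, and it puts `Access-Control-Allow-Origin` / `Access-Control-Allow-Credentials` on every cross-origin response before the authenticator produces its 401 challenge, so the browser is allowed to read that challenge. The package name, the `allowedOrigins` attribute and the method/header lists are assumptions for the example; the allow-list of exact origins is deliberate, because a response that carries `Access-Control-Allow-Credentials: true` must not use `*` as the allowed origin.

```java
package com.example.cors; // hypothetical package for this example

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Example CORS valve. Runs in the container pipeline ahead of the
 * authenticator, so its headers are present on the Digest 401 challenge
 * and the preflight is answered without touching the security constraint.
 */
public class CorsValve extends ValveBase {

    // Comma-separated allow-list of exact origins, set from server.xml
    // via the (assumed) attribute allowedOrigins="https://app.example.com".
    private String allowedOrigins = "";
    private Set<String> origins = Collections.emptySet();

    public CorsValve() {
        super(true); // async-capable, like Tomcat's own valves
    }

    public String getAllowedOrigins() {
        return allowedOrigins;
    }

    // Tomcat's digester calls this setter for the server.xml attribute.
    public void setAllowedOrigins(String value) {
        this.allowedOrigins = value;
        this.origins = new HashSet<>(Arrays.asList(value.trim().split("\\s*,\\s*")));
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String origin = request.getHeader("Origin");

        // Same-origin (or non-browser) request, or an origin that is not on
        // the allow-list: add nothing. Without the CORS headers the browser
        // blocks the cross-origin response on its own side.
        if (origin == null || !origins.contains(origin)) {
            getNext().invoke(request, response);
            return;
        }

        // Set before the authenticator runs, so the 401 challenge carries them.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.addHeader("Vary", "Origin");

        boolean preflight = "OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            // A preflight never carries credentials, so it must be answered
            // here rather than forwarded to the authenticator. It returns no
            // application data, only the CORS policy.
            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
            response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
            response.setHeader("Access-Control-Max-Age", "600");
            response.setStatus(204);
            return; // do not invoke the rest of the pipeline
        }

        // Real request: the authenticator (and then the webapp) handles it.
        getNext().invoke(request, response);
    }
}
```

Register it in server.xml inside the `<Host>` element, for example `<Valve className="com.example.cors.CorsValve" allowedOrigins="https://app.example.com"/>`, with the compiled class on Tomcat's `lib` path. A Host-level valve always runs before a context's authenticator valve, which is the ordering the answer asks for. Keep the CorsFilter out of web.xml once the valve is in place, otherwise the same headers are added twice. The actual Digest challenge (`WWW-Authenticate`, nonce, qop, realm) is still produced by Tomcat's authenticator; the valve only makes sure the response that carries it is one the browser is permitted to process.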