ajax - CORS - how to ignore authentication for OPTIONS preflight request in Apache's httpd.conf?

Question

I'm new to CORS and have learnt that the OPTIONS preflight request sent by the browser excludes user credentials. How do I get the filter (in httpd.conf) to respond to OPTIONS requests differently, i.e bypassing the authentication ?

This is my current configuration :

<LocationMatch /api>
SetEnvIfNoCase Origin "https://(www.)?(domain1.com|domain2.com)(:d+)?$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Methods "GET,POST,DELETE,OPTIONS"
Header set Access-Control-Allow-Headers "Accept, Authorization, Origin, Content-Type"
AuthFormProvider ldap
AuthLDAPURL "ldap://localhost:10889/ou=Users,dc=work,dc=com?uid"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require valid-user
ErrorDocument 401 /login.html
ErrorDocument 500 /error.html
AuthType form
AuthName realm
Session On
SessionMaxAge 1800
SessionDBDCookieName session path=/
ProxyPass  http://localhost:8080 timeout=31536000
AuthFormFakeBasicAuth On
</LocationMatch>

And the javascript which makes the request :

$.ajax({
        type : "DELETE",
        url : "https://www.domain1.com/api",
        xhrFields: {
            withCredentials: true,
        },
        success : function(data){

        },
});

I've tried the follwoing but with no luck :

(a)

RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]

(b)

<Limit OPTIONS>
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Credentials "false"
Header always set Access-Control-Allow-Headers "Accept, Authorization, Origin, Content-Type"
Header always set Access-Control-Allow-Methods "GET,POST,DELETE,OPTIONS,PUT"
</Limit>

(c)

<Limit OPTIONS>
Allow for all
</Limit>

(d)

SetEnvIfNoCase Request_Method OPTIONS allowed

Any idea ? Please help !

Answer 1

I had the same issue which I solved today with the help of this question. Basically your option c.

My conf structure is:

conf/httpd.conf <- normal stuff   
conf.d/ssl.conf <- set up ssl stuff  
conf.d/api.conf <- set specific stuff to api like Auth  
/var/www/.htaccess <- set specific stuff to api again   

This allows for limiting everything except for OPTIONS

/conf.d/api.conf file:

<Directory "/var/www/api">
  AllowOverride All
  Options FollowSymLinks

  <LimitExcept OPTIONS>
    Auth stuff here
    Mainly your Require statements
  </LimitExcept>
</Directory>

Then in my .htaccess file I set the headers.

The Apache manual in the require directive states "Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a <Limit> [or <LimitExcept>] section."

I had to make sure my application could handle OPTIONS as this setup is not doing an automatic return. Here or here one can see how to redirect which may work instead of having something in the application handle it.