Since upgrading to 6.3 I’m having issues with CORS. I’ve tried adding @CrossOrigin(origins = "*") directly above the @GetMapping in the controller. I’ve also tried adding
<mvc:cors>
<mvc:mapping path="/rest/**"/>
</mvc:cors>
to the new rest-dispatcher-spring.xml file
I can’t seem to get it to allow the cross domain sharing.
OK, after a little more digging, it seems it has something to do with me trying to add the ‘Authorization’ header with the Bearer (access_token). I add this to my request header when making the call from my Angular 2 app.
If I just call it without adding that to the headers, then I can see the cross origin headers return, but I receive an unauthorized error.
Not sure why me adding a request header changes the way the response headers get added…
Basically if I call
http.get(url, new RequestOptions({body: '', headers: newHeaders}))
newHeaders = new Headers({'Content-Type': 'application/json'})
I receive a 401 unauthorized, with the following request/response headers when I inspect using Chrome:
Request URL:http://10.1.24.45:8080/app-portal/rest/app/contact/phoneType/findAll
Request Method:GET
Status Code:401 Unauthorized
Remote Address:10.1.24.45:8080
Response Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://10.1.24.45:4200
Cache-Control:no-store
Content-Type:application/json;charset=UTF-8
Date:Thu, 10 Nov 2016 06:25:01 GMT
Pragma:no-cache
Server:Apache-Coyote/1.1
Transfer-Encoding:chunked
WWW-Authenticate:Bearer realm="rest-api", error="unauthorized", error_description="Full authentication is required to access this resource"
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
Request Headers
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
content-type:application/json
Host:10.1.24.45:8080
Origin:http://10.1.24.45:4200
Referer:http://10.1.24.45:4200/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
If I simply append this
headers.append('Authorization', `Bearer ${accessToken}`);
to headers I then receive the CORS error and the request and response headers look like this:
Is there a better or preferred way to pass along the Authorization header than simply adding it to the headers? If I take the exact access_token I receive and run it through Postman, I get the desired JSON results.
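Adding `Authorization` changes what the browser asks for in its CORS preflight, which is one way a request header can alter the outcome described above. The following is an added example, not part of the original post and not CUBA code; the function names and the two OPTIONS responses are constructed for illustration.

```javascript
// Added example modelling the browser's CORS preflight rules (Fetch standard).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
const ALWAYS_SAFE = new Set(['accept', 'accept-language', 'content-language']);

// Header names the browser announces in Access-Control-Request-Headers.
function unsafeHeaders(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (ALWAYS_SAFE.has(n)) return false;
      if (n !== 'content-type') return true; // e.g. Authorization
      return !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase())
    .sort();
}

function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaders(headers).length > 0;
}

// Browser-side verdict on the OPTIONS response; res = {status, headers} with
// lowercase header keys. Assumes a request without cookies/withCredentials.
function preflightVerdict(origin, reqHeaders, res) {
  if (res.status < 200 || res.status > 299) return 'blocked: preflight status ' + res.status;
  const allowOrigin = res.headers['access-control-allow-origin'];
  if (allowOrigin !== origin && allowOrigin !== '*') return 'blocked: origin not allowed';
  const allowed = (res.headers['access-control-allow-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase());
  for (const h of unsafeHeaders(reqHeaders)) {
    // A "*" wildcard never covers Authorization; it must be listed by name.
    const ok = allowed.includes(h) || (allowed.includes('*') && h !== 'authorization');
    if (!ok) return 'blocked: header not allowed: ' + h;
  }
  return 'allowed';
}

// Constructed sample data: the origin is the one in the post, the responses are made up.
const ORIGIN = 'http://10.1.24.45:4200';
const WITH_AUTH = { 'Content-Type': 'application/json', Authorization: 'Bearer <token>' };
const REJECTED = { status: 401, headers: {} }; // OPTIONS stopped by an auth filter
const ACCEPTED = { status: 200, headers: {
  'access-control-allow-origin': ORIGIN,
  'access-control-allow-headers': 'Authorization, Content-Type' } };
console.log(unsafeHeaders(WITH_AUTH));
console.log(preflightVerdict(ORIGIN, WITH_AUTH, REJECTED));
console.log(preflightVerdict(ORIGIN, WITH_AUTH, ACCEPTED));
```

Postman sends no preflight and does not enforce CORS, so the same token succeeding there is consistent with this model.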
Can you please create and attach a small sample project that reproduces the issue? We need a CUBA project with one custom controller and a small client app that requests the REST API. That will help us to investigate your problem.
No, because it wouldn’t even let me get to the endpoint unless I’m authenticated. Can you provide the filter that you use to handle the access_token as a parameter that will pass the authentication test? I’m assuming something would have to read the access_token and then strip it off, then forward on to the original endpoint.
In case I can’t get this to work correctly, what’s the trick to just allow the anonymous user for now? I’ve tried to set the property to true, but it still gives an unauthorized error.
I’ve tried adding:
cuba.rest.anonymousEnabled = true;
to the portal-app.properties
but as I step through the debug it still returns false in the CubaAnonymousAuthenticationFilter
Hi all, I have a similar problem. I implemented a custom controller to download PDF files from a specific filesystem path. I tested it using OAuth2 authentication (in a browser) and now I’m trying to load a PDF from a Polymer client using telecomsante pdf-viewer (webcomponents.org - Discuss & share web components).
The problem is the CORS configuration in the custom controller. Where can I find more information about
<cors configuration-source-ref="cuba_RestCorsSource"/> <<-------- What is this? A Spring Security filter in CUBA Framework that I want to modify via XML configuration
in the security section above.
What I get is CORS-related errors when testing with polymer serve, which works on a different TCP port with respect to the CUBA platform WEB module (which is also serving REST in my case).
Bloccata richiesta multiorigine (cross-origin): il criterio di corrispondenza dell’origine non consente la lettura della risorsa remota da http://127.0.0.1:9090/app/rest/files/download/test.pdf. Motivo: header CORS “Access-Control-Allow-Origin” mancante.
(error in Italian in Firefox Developer tools)
Controller configuration is similar to the one included above.