0

This is my trouble:

With $http I'm trying to make a request. This is the response:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8383' is therefore not allowed access.

I just enable all that I need to make CORS request. This is on my server:

  httpResponse.setHeader("Access-Control-Allow-Origin", "*");
  httpResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
  httpResponse.setHeader("Access-Control-Max-Age", "3600");
  httpResponse.setHeader("Access-Control-Allow-Headers", "x-requested-with, bbtoken, CUSTOM_AUTH_TOKEN, Authorization");
  httpResponse.setHeader("Access-Control-Expose-Headers", "CUSTOM_AUTH_TOKEN");

This is the code from Angular:

 $http({
                    method: 'GET',
                    url: 'http://www.myurl\:8080/mypath/myservice',
                    headers: {
                        CUSTOM_AUTH_TOKEN: SessionService.currentUser.token
                    }

                })
                        .success(function(data, status, headers, config) {
                            successCallback(data);
                        })
                        .error(function(data, status, headers, config) {
                            console.error(data);
                        });

But I found an infamous 401 Auth Error.

If I try with cURL or RestConsole (chrome), all is ok... I cannot understand the mistake!

Thanks!

UPDATE

This is the source request header

OPTIONS /mypath/blabla HTTP/1.1
Host: myhost
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Access-Control-Request-Method: GET
Origin: http://localhost:8383
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Access-Control-Request-Headers: custom_auth_token
Accept: */*
Referer: http://localhost:8383/index.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: it

UPDATE WITH RESPONSE

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="Restricted Service"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1079
Date: Sun, 08 Jun 2014 08:08:32 GMT
Improve this question
5
  • You have to handle the OPTIONS request and send back the allow headers with empty response body (the easiest way to do that in a server config file). Btw you did not allow the content-type header. According to this: stackoverflow.com/questions/12320467/… any non basic html related content type such as json will cause a preflight. Commented Jun 7, 2014 at 10:40
  • You've edited this to show the OPTIONS request, now look at the response you are sending back for it. Commented Jun 7, 2014 at 11:13
  • The response seems indicate that the custom_auth_token is not passed... I'm not sure, but if you check the request, you cannot find : custom_auth_token:'hextoken' but Access-Control-Request-Headers: custom_auth_token. Is possible that this is the problem? Commented Jun 8, 2014 at 10:13
  • 1
    It is certainly a contributing factor. Why are you requiring authorization to determine what headers an XHR request is allowed to include in the first place? Commented Jun 8, 2014 at 11:35
  • CORS do not accept values inside OPTION method, but only the name of the headers. Your question is useful, in fact now, I'm checking spring security configuration. I think that happen a not standard HTTP behaviour (OPTIONS with auth) Commented Jun 8, 2014 at 12:20

2 Answers 2

Reset to default
1

You are adding a custom HTTP request header to the request, this prevents the request from being simple and makes it preflighted.

Before the browser will make the GET request, it will make an OPTIONS request to ask if the extra header is acceptable.

You need to set up your server so it will respond with suitable CORS headers to the OPTIONS request as well as the GET request.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

About xxx_me_cookie it's a my mistake. I've updated the post: I changed my original values with other.
isn't enough? httpResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
Not if that's the code to set a header on the response to the GET request which is never made because the OPTIONS request doesn't get a suitable response.
1

Solved: The problem came from by Spring Security. A nonsense configuration about security, needs authentication (by custom filter) on all request. OPTION included. By for HTTP standards, the headers inside the OPTION do not contain values, but only name (of the headers)

This is the solution for my trouble: 

    <intercept-url pattern="/**" access="permitAll" method="OPTIONS" requires-channel="any"/>
Improve this answer

6 Comments

hey, i am also facing the same issue, but could not resolve even after your solution. Could you please send the spring-security file contents?
I'm sorry , but I finished work on this project and I have no longer access to the code . But if you give me some more details , I can help you.
<security:http entry-point-ref="CSSCustomAuthenticationEntryPoint" authentication-manager-ref="hybrid" pattern="/**" use-expressions="true" auto-config="false" create-session="stateless"> <security:custom-filter ref="userAuthenticationProcessingFilter" position="FORM_LOGIN_FILTER" /> <security:intercept-url pattern="/**" access="permitAll" method="OPTIONS" requires-channel="any" /> <security:intercept-url pattern="/**" access="isFullyAuthenticated()" /> </security:http>
I have above configuration, but my OPTIONS request is still getting authenticated. I am trying to not authenticate all requests with OPTIONS request.
I think with the following line <security:intercept-url pattern="/**" access="isFullyAuthenticated()" /> </security:http> your still close all of your http methods with Spring Security
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.