CORS issue after upgrading to 6.3

kent.llewelyn · November 10, 2016, 3:59am

Since upgrading to 6.3 I’m having issues with CORS. I’ve tried adding @CrossOrigin(origins = “*”) directly above the @GetMapping in the controller. I’ve also tried adding
mvc:cors
<mvc:mapping path="/rest/**"/>
</mvc:cors>
to the new rest-dispatcher-spring.xml file
I can’t seem to get it to allow the cross domain sharing.

Any ideas?

kent.llewelyn · November 10, 2016, 4:51am

ok after a little more digging, it seems it has something to do with me trying to add the ‘Authorization’ header with the Bearer (access_token). I add this to my request header when making the call from my angular 2 app.

If I just call it without adding that to the headers, then I can see the cross origin headers return, but I receive an unauthorized error.

Not sure why me adding a request header changes the way the response headers get added…

any help would be appreciated.

kent.llewelyn · November 10, 2016, 6:26am

Basically if I call
http.get(url, new RequestOptions({body: ‘’, headers: newHeaders})

newHeaders = ‘Content-Type’: ‘application/json’

I receive a 401 unauthorized, with the following request/response headers when I inspect using chrome:

Request URL:http://10.1.24.45:8080/app-portal/rest/app/contact/phoneType/findAll
Request Method:GET
Status Code:401 Unauthorized
Remote Address:10.1.24.45:8080
Response Headers
view source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://10.1.24.45:4200
Cache-Control:no-store
Content-Type:application/json;charset=UTF-8
Date:Thu, 10 Nov 2016 06:25:01 GMT
Pragma:no-cache
Server:Apache-Coyote/1.1
Transfer-Encoding:chunked
WWW-Authenticate:Bearer realm=“rest-api”, error=“unauthorized”, error_description=“Full authentication is required to access this resource”
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
Request Headers
view source
Accept:/
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
content-type:application/json
Host:10.1.24.45:8080
Origin:http://10.1.24.45:4200
Referer:http://10.1.24.45:4200/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36

If I simply append this
headers.append(‘Authorization’, Bearer ${accessToken});
to headers I then receive the cors error and the request and response headers look like this:

Request URL:http://10.1.24.45:8080/app-portal/rest/app/contact/phoneType/findAll
Request Method:OPTIONS
Status Code:403 Forbidden
Remote Address:10.1.24.45:8080
Response Headers
view source
Content-Length:0
Content-Type:text/plain
Date:Thu, 10 Nov 2016 06:18:05 GMT
Server:Apache-Coyote/1.1
Request Headers
view source
Accept:/
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:authorization, content-type
Access-Control-Request-Method:GET
Cache-Control:max-age=0
Connection:keep-alive
Host:10.1.24.45:8080
Origin:http://10.1.24.45:4200
Referer:http://10.1.24.45:4200/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36

kent.llewelyn · November 10, 2016, 6:29am

Is there a better or preferred way to pass along the Authorization header than simply adding it to the headers? If I take the exact access_token I receive and run it through postman. I get the desired json results.

gorbunkov · November 10, 2016, 8:26am

An access token can also be passed as a query parameter with a name access_token. You can find an example here: Files Downloading - CUBA Platform. Developer’s Manual

gorbunkov · November 10, 2016, 8:29am

Can you please create and attach a small sample project that reproduces the issue? We need a CUBA project with one custom controller and a small client app that requests the REST API. That will help us to investigate your problem.

kent.llewelyn · November 10, 2016, 5:19pm

I’ve tried this solution, but then I get a 404 error.

kent.llewelyn · November 10, 2016, 5:30pm

BTW this is calling a custom controller off the /rest dispatcher, not in the v2 path of your new rest api version 2

So I guess I’d need to have each endpoint know to look for the access_token parameter?

kent.llewelyn · November 10, 2016, 5:38pm

No because it wouldn’t even let me to the endpoint unless I’m authenticated. Can you provide the filter that you use to handle the access_token as a parameter that will pass the authentication test? I’m assuming something would have to read the access_token and then strip it off, then forward on to the original endpoint.

kent.llewelyn · November 10, 2016, 5:56pm

In case I can’t get this to work correctly, what’s the trick to just allow anonymous user for now? I’ve tried to set the property to true, but it still gives a unauthorized error.

kent.llewelyn · November 10, 2016, 9:08pm

I’ve tried adding:
cuba.rest.anonymousEnabled = true;
to the portal-app.properties
but as I step through the debug it still returns false in the CubaAnonymousAuthenticationFilter

Is there somewhere else that I should set it?

kent.llewelyn · November 11, 2016, 4:08am

OK, I think I figured out the anonymous issue. I added the property to a local.app.properties file in the web-inf folder.

gorbunkov · November 11, 2016, 7:19am

Here is a configuration from the documentation:


    <security:http pattern="/rest/myapi/**"
                   create-session="stateless"
                   entry-point-ref="oauthAuthenticationEntryPoint"
                   xmlns="http://www.springframework.org/schema/security">
        <!-- Specify one or more protected URL patterns-->
        <intercept-url pattern="/rest/myapi/**" access="isAuthenticated()"/>
        <anonymous enabled="false"/>
        <csrf disabled="true"/>
        <cors configuration-source-ref="cuba_RestCorsSource"/>
        <custom-filter ref="resourceFilter" before="PRE_AUTH_FILTER"/>
        <custom-filter ref="cuba_AnonymousAuthenticationFilter" after="PRE_AUTH_FILTER"/>
    </security:http>

resourceFilter here is the one that performs authentication check. The java class is OAuth2AuthenticationProcessingFilter.

f.demassis · July 1, 2019, 5:46pm

Hi all, I have a similar problem. I implemented a custom controller to download pdf files from specific filesystem path, I tested it using oauth2 authentication (in a Browser) and now I’m trying to load pdf from polymer client using telecomsante pdf-viever (webcomponents.org - Discuss & share web components).
Problem is cors configuration in custom controller. Where can I find more information about

<cors configuration-source-ref="cuba_RestCorsSource"/>  <<-------- What is this? A Spring Security filter in Cuba Framework that I want modify via XML configuration

in security section above.

I get is cors related errors, when testing with polymer serve which works on a different TCP port with respect to cuba platform WEB module (which is serving also rest in my case)

Bloccata richiesta multiorigine (cross-origin): il criterio di corrispondenza dell’origine non consente la lettura della risorsa remota da http://127.0.0.1:9090/app/rest/files/download/test.pdf. Motivo: header CORS “Access-Control-Allow-Origin” mancante.
(error in Italian in Firefox Developer tools)
Controller configuration is similar to the one included above.

Thanks in advance,
Fabrizio