
Here's the deal, any help would be greatly appreciated because as of now I am at a loss.

I'm setting custom headers in my jQuery.ajax like so:

    $.ajax({
        type:'GET',
        url: url,
        dataType: 'json',
        headers: {
            'customHeader': 'value',
        }, etc...

I'm using spring mvc and spring security with a custom filter and getting the header like this:

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
            ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        httpResponse.setHeader("Access-Control-Allow-Origin", "*");
        String header = httpRequest.getHeader('customHeader');

Unfortunately the header is always null. I've tried things like using beforeSend in the ajax call, still the same effect. Can anyone please shed some light on this?

    Remote Address: 127.0.0.1:8080
    Request URL: http://localhost:8080/ecom/ws/session
    Request Method: OPTIONS
    Status Code: 401 Unauthorized

    Request Headers
    OPTIONS /ecom/ws/session HTTP/1.1
    Host: localhost:8080
    Connection: keep-alive
    Access-Control-Request-Method: GET
    Origin: null
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
    Access-Control-Request-Headers: accept, ecom_string_s3c, ecom_client_uuid, content-type
    Accept: */*
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8,es;q=0.6

    Response Headers
    HTTP/1.1 401 Unauthorized
    Date: Wed, 02 Jul 2014 18:15:03 GMT
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Headers: ecom_string_s3c, ecom_client_uuid, content-type
    Content-Length: 0
    Server: Jetty(6.1.26)

rpfujiw
  • Why don't you use `data` instead of headers in your ajax call....don't reinvent the wheel :) – Hackerman Jul 02 '14 at 17:41
  • I'm basically rolling my own rest authentication implementation and I need the information for authentication to be stored in the header and to be separate from say the post data. – rpfujiw Jul 02 '14 at 17:43
  • http://stackoverflow.com/questions/10093053/add-header-in-ajax-request-with-jquery – Hackerman Jul 02 '14 at 17:45
  • I've looked at that several times the answer is quite vague – rpfujiw Jul 02 '14 at 17:55
  • basically I need to know how to access the header in my java filter from the httpServletRequest – rpfujiw Jul 02 '14 at 17:57
  • If you try `String header = "test";` it returns it??...just for testing purposes... – Hackerman Jul 02 '14 at 18:07
  • http://examples.javacodegeeks.com/enterprise-java/servlet/get-all-request-headers-in-servlet/ – Hackerman Jul 02 '14 at 18:09
  • yes, it does `String header = httpRequest.getHeader('customHeader');` returns null – rpfujiw Jul 02 '14 at 18:09
  • Ok, in your ajax call, if you open the network tab(Chrome, F12 key), can you please post the contents of the ajax call and the headers passed... – Hackerman Jul 02 '14 at 18:11
  • here are the contents of the ajax call – rpfujiw Jul 02 '14 at 18:16
  • I added them to original question – rpfujiw Jul 02 '14 at 18:20
  • These are your headers...`Access-Control-Request-Headers: accept, ecom_string_s3c, ecom_client_uuid, content-type`...try accessing one of them in your MVC method. – Hackerman Jul 02 '14 at 18:23
  • what would be the syntax for this getHeader('Access-Control-Request-Headers') I would think would just return the keys accept, ecom_string_s3c, ecom_client_uuid, content-type. I need the underlying values for these keys – rpfujiw Jul 02 '14 at 18:28
  • I posted an answer, please check it – Hackerman Jul 02 '14 at 18:30
  • I'm using the same pattern as you and it works all right for me. I assume these are typos when pasting your code to SO, but just to be sure: You're doing `httpRequest.getHeader("customHeader")` on the server, right? (double quotes). And more crucially: In your ajax call get rid of the superfluous comma after "value": `headers: { 'customHeader': 'value' }` – Stefan Haberl Jul 02 '14 at 20:25

1 Answer

For those who come across the same problem, this is an option to resolve this issue.

The problem is with the pre-flight request (OPTIONS). In your custom security filter you don't want to check this, simply because custom headers will NOT be sent with OPTIONS requests. OPTIONS requests are only there to check which methods, origins, headers, etc. are allowed.

In your custom filter for token authorization, you could filter out those requests. A quick solution could look like this:

    if (methode.equals("OPTIONS")) {
        log.info("OPTIONS REQUEST NO FILTER");
        chain.doFilter(req, res);
    } else {
        //Your filter
    }

This way it skips your filter on OPTIONS requests, and your real request will be sent with the headers allowed by your CORS Filter.

Good luck.

Mats de Swart
  • That is correct, I forgot to answer this question after I found the solution. What you suggested is exactly what I did – rpfujiw Oct 13 '14 at 16:01
  • What is `methode` here & How to get methods of request header to check this condition? – Alfran Nov 05 '20 at 14:53
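
A fuller version of the filter the answer describes, as an added example (not code from the question or the answer): the HTTP method is read with `HttpServletRequest.getMethod()`, and the bypass is limited to genuine CORS preflights rather than every OPTIONS request, so an OPTIONS request without the preflight headers still has to authenticate. The class name `TokenAuthFilter` and the `isValidToken` hook are hypothetical; it assumes the `javax.servlet` API and that the CORS response headers are set by a separate filter, as on the page.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: TokenAuthFilter and isValidToken() are hypothetical names.
public abstract class TokenAuthFilter implements Filter {

    // Hypothetical hook: the application's own token check goes here.
    protected abstract boolean isValidToken(String token);

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // The HTTP method comes from the request line, not from a header.
        String method = httpRequest.getMethod();

        // A CORS preflight is an OPTIONS request carrying Origin and
        // Access-Control-Request-Method. It lists only the *names* of the custom
        // headers (Access-Control-Request-Headers), never their values.
        boolean preflight = "OPTIONS".equalsIgnoreCase(method)
                && httpRequest.getHeader("Origin") != null
                && httpRequest.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            chain.doFilter(request, response); // nothing to authenticate yet
            return;
        }

        // The real request (GET, POST, ...) does carry the header value.
        String token = httpRequest.getHeader("customHeader");
        if (token == null || !isValidToken(token)) {
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The browser only sends the real request if the preflight gets a successful status, which is why the 401 on OPTIONS in the question's network trace meant the custom header never reached the filter.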