
I have one frontend application at AWS Beanstalk (i.e.: http://app1.elasticbeanstalk.com/) and a second backend application at AWS Beanstalk (i.e.: http://app2.elasticbeanstalk.com/). When I make an ajax POST with jQuery from the frontend application to the backend application, I get:

XMLHttpRequest cannot load http://app2.elasticbeanstalk.com/restUrl. 
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'http://app1.elasticbeanstalk.com' is therefore not allowed access.

I am using the Tomcat platform on both sides of the ajax request. I would love to use the "cors.allowed.origins" parameter from the documentation: https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CORS_Filter/Initialisation_parameters . But I do not know how to edit this parameter in the AWS administration panel. How do I configure Beanstalk for app2 to accept a parametrized domain from app1? I do not want to hardcode the domain inside the WAR.

Diagram with communication:

     b
+    l+------+Internet                            +
|    o|        +                                  |
|    c|        |JQuery Ajax request               |
+----k+-------------------------------------------+
|    e|        |                                  |
|    d|        v                                  |
|     |       http://app1.elasticbeanstalk.com/   |
|    c|        +  (frontend app security group)   |
+----o+-------------------------------------------+
|    n|        |                                  |
|    n|        |JQuery Ajax request               |
|    e|        v                                  |
|    c+-----> http://app2.elasticbeanstalk.com/   |
|    t         +  (backend app security group)    |
|    i         |                                  |
+----o--------------------------------------------+
|    n         |                                  |
|              | JDBC Query                       |
|              v                                  |
|             RDS (RDS security group)            |
+-------------------------------------------------+
  • 1
    This is not a common way to set up a backend. For starters, why do you want your backend exposed to the Internet? Consider changing such that your jquery only calls APIs on app1 and then have app1 send the command to app2. In fact, you may want to use elastic beanstalk worker tier for this. – dkarchmer Feb 07 '16 at 18:08
  • I agree. I do not want to expose the backend application to the internet. The frontend app is the only tier exposed to the internet via security group. The backend app is in a second security group "talking" to the frontend app security group and another security group related to RDS. I thought that a backend app security group with an inbound rule for the HTTP port exposed to the frontend app security group would cut off all access from the internet to the backend app. I am trying to call a REST command on backend app2 from frontend app1. – Radosław Osiński Feb 07 '16 at 20:12
  • 1
    But you said you are trying to access the app2 API via jquery. jquery is running on the client browser (the public internet), so you must open a public HTTP port on app2 before jquery can access it. In fact, that's your problem right there. – dkarchmer Feb 07 '16 at 20:15
  • You are right. That was my problem. The problem above is taken from my "pet project" / "proof of concept" application, that's why I am responding so late. AWS changes a lot in thinking about application security. Thanks for the answer. – Radosław Osiński Feb 21 '16 at 15:06

0 Answers
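Added example, not part of the original question or comments: a servlet filter for app2 that takes its allowed origins from a JVM system property instead of a value baked into the WAR, and answers the preflight request that failed above. It assumes the property name CORS_ALLOWED_ORIGINS (hypothetical), that the Beanstalk Tomcat platform hands environment properties to the JVM as system properties, and that app2 is actually reachable from the browser, as the comments point out it must be.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: allow-list CORS filter configured from outside the WAR.
public class ConfiguredCorsFilter implements Filter {
    // Hypothetical property name; set it as an environment property on app2,
    // e.g. CORS_ALLOWED_ORIGINS=http://app1.elasticbeanstalk.com
    static final String PROP = "CORS_ALLOWED_ORIGINS";
    private final Set<String> allowed = new HashSet<>();

    @Override
    public void init(FilterConfig cfg) {
        // Comma-separated list; an unset property means no origin is allowed.
        for (String o : System.getProperty(PROP, "").split(",")) {
            if (!o.trim().isEmpty()) allowed.add(o.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String origin = req.getHeader("Origin");
        // Responses differ per Origin, so caches must key on it.
        res.addHeader("Vary", "Origin");
        // Exact match against the allow-list; never echo an unknown Origin.
        if (origin != null && allowed.contains(origin)) {
            res.setHeader("Access-Control-Allow-Origin", origin);
            boolean preflight = "OPTIONS".equals(req.getMethod())
                    && req.getHeader("Access-Control-Request-Method") != null;
            if (preflight) {
                // Answer the preflight here; the REST endpoint is not invoked.
                res.setHeader("Access-Control-Allow-Methods", "GET, POST");
                res.setHeader("Access-Control-Allow-Headers", "Content-Type");
                res.setStatus(HttpServletResponse.SC_NO_CONTENT);
                return;
            }
        }
        // Unlisted origins get no CORS headers, so the browser blocks the read.
        chain.doFilter(rq, res);
    }

    @Override
    public void destroy() { }
}
```

The filter still has to be mapped in app2's web.xml (or annotated with @WebFilter), and CORS headers only tell browsers what to allow: they do not replace the security-group rules or authentication on the backend.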