
I am using Java Jersey and Jetty on my server-side and have the following piece of code:

    responseBuilder.header("Access-Control-Allow-Origin", "http://localhost:4200");
    responseBuilder.header("Access-Control-Allow-Headers", "origin, content-type, accept, authorization, auth-token");
    responseBuilder.header("Access-Control-Allow-Credentials", "true");
    responseBuilder.header("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT");
    responseBuilder.allow("OPTIONS");

and I'm using ember.js on my client-side and have the following code:

/app/adapters/application.js:

    import DS from 'ember-data';

    export default DS.RESTAdapter.extend({
        host: 'http://127.0.0.1:20000',

        ajax(url, method, hash) {
            hash = hash || {};
            hash.crossDomain = true;
            hash.xhrFields = {
                withCredentials: true
            };
            return this._super(url, method, hash);
        }
    });

This combination of code works: it sends the cookie as part of the request and resolves the Access-Control-Allow-Origin problem.

However, my concern is that the "http://localhost:4200" is hard-coded. While it is not a problem until deployment, I suppose this restricts traffic only from http://localhost:4200? It is a web application and obviously I need to allow access from any client coming from anywhere. What changes do I need to make to my code?

Daniel A. White
ikevin8me

1 Answer

obviously I need to allow access from any client coming from anywhere

I think there is a misunderstanding here. Access-Control-Allow-Origin specifies the server of your client application.

Does your client application run on a specific origin?

  • If yes: There is no problem. Define some profiles for your application. By doing so you can define the origin of the server of your client app in your production profile.
  • If no: You can use "*" to accept all origins in your CORS filter. If this piece of code is written by you, just parameterize the second argument so that it gives the client's hostname. It should be something like request.getRemoteHost().
ykaragol
  • When using the wildcard you can't use credentials, though. – Lux Jan 28 '17 at 22:22
  • I put "*" and it indeed threw an error. I have to send a JWT as a cookie to the server, so I can't use a wildcard. – ikevin8me Jan 29 '17 at 03:02
  • @ykaragol as you said "Access-Control-Allow-Origin specifies the server of your client application"... I'm relieved to hear this. Yes, my server app will run on a specific origin. So based on what you have said, I won't have any problem at all, right? – ikevin8me Jan 29 '17 at 03:03
  • Yes, just write the URL of the origin/server of your client application. (If the server of your ember app is at the same origin as your Java app, you would not face any CORS issues.) – ykaragol Jan 29 '17 at 06:34
  • "`*`" is generally used in configuration files for CORS filters. You may not need to write that piece of code; you may configure a CORS filter written for this problem. – ykaragol Jan 29 '17 at 06:39
  • In our production environment, ember.js apps are served by nginx. All Java servers are behind that nginx. They share the same origin, so we don't have any CORS issues in our production environment. But in development environments we are using CORS filters (coming with Spring Boot). – ykaragol Jan 29 '17 at 06:43
  • @ikevin8me is it ok? Or do you have any issues? – ykaragol Jan 30 '17 at 13:25
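As an added example (not code from the question, the answer, or the comments), here is how the answer's per-profile configuration and the comments' point about credentials fit together in a Jersey ContainerResponseFilter: the allowed origins are read from a hypothetical cors.allowedOrigins system property, and only an exact match from that list is echoed back, so Access-Control-Allow-Credentials can stay "true" without a wildcard and without reflecting whatever Origin the request carries.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.Provider;

// Allowed origins come from the hypothetical "cors.allowedOrigins" system property,
// set per profile, e.g. -Dcors.allowedOrigins=http://localhost:4200,https://app.example.com
@Provider
public class CorsFilter implements ContainerResponseFilter {

    private final Set<String> allowedOrigins = new LinkedHashSet<>();

    public CorsFilter() {
        this(System.getProperty("cors.allowedOrigins", "http://localhost:4200"));
    }

    CorsFilter(String commaSeparatedOrigins) {
        for (String o : commaSeparatedOrigins.split(",")) {
            if (!o.trim().isEmpty()) {
                allowedOrigins.add(o.trim());
            }
        }
    }

    // Returns the origin to echo back, or null if the request's Origin is not allow-listed.
    // Exact string match: no wildcard, no reflecting arbitrary Origin values.
    String resolveAllowedOrigin(String requestOrigin) {
        return requestOrigin != null && allowedOrigins.contains(requestOrigin) ? requestOrigin : null;
    }

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response) {
        String origin = resolveAllowedOrigin(request.getHeaderString("Origin"));
        if (origin == null) {
            return; // unknown origin: emit no CORS headers, the browser blocks the cross-origin read
        }
        MultivaluedMap<String, Object> headers = response.getHeaders();
        headers.putSingle("Access-Control-Allow-Origin", origin); // one concrete origin, as credentials require
        headers.putSingle("Access-Control-Allow-Credentials", "true");
        headers.putSingle("Access-Control-Allow-Headers", "origin, content-type, accept, authorization, auth-token");
        headers.putSingle("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, OPTIONS");
        headers.add("Vary", "Origin"); // the response differs per Origin, so shared caches must key on it
    }
}
```

Register the filter with the Jersey ResourceConfig as usual; the per-resource responseBuilder.header(...) calls from the question then become unnecessary.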