Wildfly allow OPTIONS Methods but return 405 Method not allowed

Question

I'm trying to send xml with POST method in javascript using the XmlHttpRequest object. On my server I've a web service which receives SOAP request.

When I want to send xml, the browser previusly try to send a preflight OPTIONS request to the server, but it returns OPTIONS 405 Method Not Allowed.

The problem is that I've in my response header the Access-Control-Method-Allowed : POST,OPTIONS,GET,PUT so I guess my server accepts OPTIONS method, but my web service only understands POST request.

Here's some code :

 var xmlhttp = new XMLHttpRequest();
 xmlhttp.open('POST', url, false);
 var sr = mySoapRequest; //Here's my XML 

 xmlhttp.onreadystatechange =  () => {
     if (xmlhttp.readyState == 4) {
         if (xmlhttp.status == 200) {                           
             var xml = xmlhttp.responseXML;
             console.log(xml);
             this.showAlert(xml);
         }
     }
 }
 xmlhttp.setRequestHeader("content-type", "file/xml");
 xmlhttp.send(sr);

Here's my HTTP protocol request headers :

Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:fr-FR,fr;q=0.8,en;q=0.6,en-US;q=0.4
Access-Control-Request-Headers:content-type
Access-Control-Request-Method:POST
Connection:keep-alive
DNT:1
Host:192.168.149.127
Origin:http://192.168.149.1:8100
Referer:http://192.168.149.1:8100/?ionicplatform=android

Here's my HTTP protocol response headers :

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:accept, authorization, content-type, x-requested-with
Access-Control-Allow-Methods:GET, POST, OPTIONS, PUT
Access-Control-Allow-Origin:*
Access-Control-Max-Age:1
Connection:keep-alive
Content-Length:224
Content-Type:text/xml;charset=UTF-8
Date:Thu, 16 Feb 2017 10:25:33 GMT
Server:WildFly/8
X-Content-Type-Options:nosniff
X-FRAME-OPTIONS:SAMEORIGIN
X-Powered-By:Undertow/1
X-XSS-Protection:1

Any suggestions ?

score 5 · Answer 1 · edited May 23 '17 at 12:33

The problem is that I've in my response header the Access-Control-Method-Allowed : POST,OPTIONS,GET,PUT so I guess my server accepts OPTIONS method

No.

That just means that when you respond to whatever request you are putting that header in, you are telling the browser that it is acceptable to make cross-origin OPTIONS requests.

That does absolutely nothing to make your server respond to an OPTIONS request with 200 OK instead of 405 Method Not Allowed.

This answer suggests:

@OPTIONS
@Path("{path : .*}")
public Response options() {
    return Response.ok("")
            .header("Access-Control-Allow-Origin", "*")
            .header("Access-Control-Allow-Headers", "origin, content-type, accept, authorization")
            .header("Access-Control-Allow-Credentials", "true")
            .header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD")
            .header("Access-Control-Max-Age", "1209600")
            .build();
}

Indeed, you're right. As I can't have an access to the web-service code, I'll develop an other solution with a middleware service which does not use xmlhttprequest :) thanks for your answer — Couim, Feb 16 '17 at 12:37

Wildfly allow OPTIONS Methods but return 405 Method not allowed

1 Answers1