3

I have the following problem:

My server responds to an HTTP POST with a 401 error. In the same webapp, I'm able to use an HTTP GET request and that works fine. I tested the POST request with Postman and I'm able to get data successfully (so at least it's working)...

Request code (copied from Postman):

      var data = JSON.stringify({
        "query": {
          "objectTypeId": "168"
        }
      });

      var xhr = new XMLHttpRequest();
      xhr.withCredentials = true;

      xhr.addEventListener("readystatechange", function () {
        if (this.readyState === 4) {
          console.log(this.responseText);
        }
      });

      xhr.open("POST", <here is my url>);
      xhr.setRequestHeader("Content-Type", "application/json");
      xhr.setRequestHeader("crossdomain", "true");
      xhr.setRequestHeader("Authorization", "Basic XXXXXXXX");

      xhr.send(data);

Most of the threads I found related to this problem are pointing at the CORS configuration, but I think this is working because the get-request works. Anyways, here's the CORS configuration:

web.xml:

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CORS</filter-name>
        <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
        <init-param>
            <param-name>cors.configurationFile</param-name>
            <param-value>/WEB-INF/cors.properties</param-value>
        </init-param>
    </filter>

cors.properties:

    cors.allowGenericHttpRequests = true
    cors.allowOrigin=*
    cors.supportsCredentials = true
    cors.supportedMethods=GET, POST, HEAD, PUT, DELETE, OPTIONS
    cors.supportedHeaders=*

Venantius
snapmate

1 Answer

0

This is, in fact, a CORS issue. Your API needs to answer those OPTIONS requests properly, otherwise the browser is going to block the request. Relevant external link: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS.

Other people on SO have also provided other, more in-depth answers to this problem. A great long-form answer can be found here.

Venantius
  • I'll take a look at it. Thanks a lot for now :) – snapmate Apr 20 '18 at 11:59
  • Meh... I tried this curl request and my answer doesn't help me... the guy in this thread doesn't talk about a 401 response :/ HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=9F19A2240C0379723974376E8FB6FD19; Path=/; HttpOnly Connection: keep-alive WWW-Authenticate: Basic realm="x-gateway" Transfer-Encoding: chunked Date: Fri, 20 Apr 2018 12:17:56 GMT – snapmate Apr 20 '18 at 12:22
  • Hmmmm.... so it seems that you have to pass your login credentials in curl in the URL itself... like: http://username:password@theApiURL.... now I get my 204 response in curl: HTTP/1.1 204 No Content Set-Cookie: JSESSIONID=7C96B00F0E58FBC901CA57F30182F5C9; Path=/; HttpOnly X-Application-Context: os-gateway:prod:80 Server: Apache-Coyote/1.1 Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: myurl Vary: Origin Allow: HEAD, POST, GET, OPTIONS Date: Mon, 30 Apr 2018 08:48:46 GMT but somehow when I run my app in the browser it still says: 401 Unauthorized. Any ideas? – snapmate Apr 30 '18 at 08:53
  • As I have said before, this is a CORS issue. CORS issues crop up in the browser but not via browserless HTTP clients like Postman, curl etc. The fact that you receive 401 and the other guy got 403 is irrelevant - the fundamental issue is the same and the difference is a result of your having different servers with different CORS middleware. – Venantius Apr 30 '18 at 10:43
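
The preflight behaviour the answer refers to, as an added example that is not code from the question, the answer or the CORS Filter project: a simplified model of the browser's decision, showing that the OPTIONS preflight for this POST carries no `Authorization` header and that any non-2xx reply to it blocks the real request. Assumptions: the origin `https://app.example` is a constructed placeholder, and the 401 is taken to come from a security filter that demands Basic auth on every request, OPTIONS included.

```javascript
// Added example: simplified model of the browser's CORS preflight logic (after the Fetch standard).
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_HEADERS = ["accept", "accept-language", "content-language"];
const SAFE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// Lower-cased names of request headers that force a preflight.
function unsafeHeaders(req) {
  return Object.entries(req.headers)
    .map(([name, value]) => [name.toLowerCase(), value])
    .filter(([name, value]) => name === "content-type"
      ? !SAFE_TYPES.includes(value.split(";")[0].trim().toLowerCase())
      : !SAFE_HEADERS.includes(name))
    .map(([name]) => name);
}

const needsPreflight = (req) => !SAFE_METHODS.includes(req.method) || unsafeHeaders(req).length > 0;

// The preflight is an OPTIONS request that never carries Authorization or cookies.
function buildPreflight(req) {
  return { method: "OPTIONS", headers: {
    "Origin": req.origin,
    "Access-Control-Request-Method": req.method,
    "Access-Control-Request-Headers": unsafeHeaders(req).sort().join(","),
  } };
}

// Returns "ok", or the reason the browser never sends the real request.
function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const list = (k) => (h[k] || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const creds = req.withCredentials;
  if (res.status < 200 || res.status > 299) return "preflight status " + res.status;
  const acao = h["access-control-allow-origin"];
  if (acao !== req.origin && !(acao === "*" && !creds)) return "origin not allowed";
  if (creds && h["access-control-allow-credentials"] !== "true") return "credentials not allowed";
  const methods = list("access-control-allow-methods");
  if (!SAFE_METHODS.includes(req.method) && !methods.includes(req.method.toLowerCase())
      && !(methods.includes("*") && !creds)) return "method not allowed";
  const allowed = list("access-control-allow-headers");
  const missing = unsafeHeaders(req).filter((n) => !allowed.includes(n)
    && !(allowed.includes("*") && !creds && n !== "authorization"));
  return missing.length ? "headers not allowed: " + missing.join(",") : "ok";
}

// Constructed sample: the POST from the question, answered with 401 on the preflight.
const post = { method: "POST", origin: "https://app.example", withCredentials: true,
  headers: { "Content-Type": "application/json", "crossdomain": "true", "Authorization": "Basic XXXXXXXX" } };
console.log(buildPreflight(post), checkPreflight(post, { status: 401, headers: {} }));
```

On the server side the matching fix is to let the CORS filter answer unauthenticated OPTIONS preflights before the authentication filter runs, while the real POST stays authenticated. With credentials enabled, an explicit origin allow-list is safer than `cors.allowOrigin=*`, because a credentialed response has to name one origin rather than `*`.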