0

I am trying to fire a cross-domain ajax request to the Apache Syncope rest API running on localhost port 9080 (http://localhost:9080/syncope/rest) and Tomcat 9, from another web app running locally as well on port 9090 and Tomcat 7 (http://localhost:9090/es). I have included the CORS filter configuration in both web.xml for syncope core and web.xml for tomcat 9 (conf/web.xml), as follows:

  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

The Ajax request from the requesting application is as so:

 $.ajax({
     url: "http://localhost:9080/syncope/rest/accessTokens/login",
     type: "POST",
     beforeSend: function(xhr) { 
         xhr.setRequestHeader("Authorization", "Basic " + btoa("admin:password")); 
       },
     crossDomain: true,
     //data: JSON.stringify(somejson),
     //dataType: "json",
     success: function (response) {
         var resp = JSON.parse(response)
         alert(resp.status);
     },
     error: function (xhr, status) {
         alert("error");
     }
 });

Really any rest URL on syncope I try to access gives the following response:

Access to XMLHttpRequest at 'http://localhost:9080/syncope/rest/accessTokens/login' from origin 'http://localhost:9090' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I know this is a CORS issue but I have already provided the tomcat configuration yet it still persists. Using a plugin / proxy is out of the question because on production this would need to be accessed over the internet.

Using the following curl command works just fine: curl -I -u admin:password -X POST http://localhost:9080/syncope/rest/accessTokens/login

Would anyone have any idea how to resolve the CORS policy issue?

Thanks in advance

George Nehme
  • 9
  • 1
  • Try doing an OPTIONS request with curl: `curl -i -X OPTIONS -H "Origin: http://localhost:9090" http://localhost:9080/syncope/rest/accessTokens/login`. That will emulate the CORS preflight OPTIONS request that your browser is sending. (And which is failing.) Don’t include the `-u admin:password` part, your browser won’t send authentication credentials in the preflight OPTIONS request. – sideshowbarker May 22 '20 at 18:48
  • Hello sideshowbarker, thanks for the suggestion, the curl command you provided resolves as follows: HTTP/1.1 200 Access-Control-Allow-Origin: *Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials vary: Access-Control-Request-Headers,Access-Control-Request-Headers,access-control-request-method Access-Control-Max-Age: 10 Access-Control-Allow-Methods: HEAD,POST,GET,OPTIONS,PUT Access-Control-Allow-Headers: origin,x-requested-with,access-control-request-method.... so i'm guessing that's working properly – George Nehme May 22 '20 at 18:56

0 Answers0