
I am writing a CRUD app using Jersey and Glassfish 4.0 with a React.js front end. My application class:

import java.util.HashSet;
import java.util.Set;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.core.Application;
import org.glassfish.jersey.jackson.JacksonFeature;

@ApplicationPath("API")
public class AppServ extends Application
{
    @Override
    public Set<Class<?>> getClasses()
    {
        // Resource class plus Jackson JSON support
        Set<Class<?>> classes = new HashSet<>();
        classes.add(RestRoot.class);
        classes.add(JacksonFeature.class);
        return classes;
    }

    @Override
    public Set<Object> getSingletons()
    {
        // One CorsFilter instance is shared across all requests
        Set<Object> out = new HashSet<>();
        out.add(new CorsFilter());
        return out;
    }
}

My CORS Filter:

import java.io.IOException;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.HEADER_DECORATOR)
public class CorsFilter implements ContainerResponseFilter
{

    @Override
    public void filter(ContainerRequestContext requestContext,
            ContainerResponseContext responseContext) throws IOException
    {
        // Adds the same CORS headers to every response, whatever the request origin
        responseContext.getHeaders().add(
                "Access-Control-Allow-Origin", "*");
        responseContext.getHeaders().add(
                "Access-Control-Allow-Credentials", "true");
        responseContext.getHeaders().add(
                "Access-Control-Allow-Headers",
                "origin, content-type, accept, authorization, cookie");
        responseContext.getHeaders().add(
                "Access-Control-Allow-Methods",
                "GET, POST, PUT, DELETE, OPTIONS, HEAD");
    }

}

The fetch executed by my front end:

fetch("MY_SERVER_IP:8080/FitAppBackend/API/food", {
    method: 'PUT',
    credentials: 'include',
    headers: {
        'Accept': '*/*',
        'Content-Type': 'application/json',
        'User-Agent': ''
    },
    body: JSON.stringify({
        name: this.state.fName,
        cals: this.state.cals,
        prot: this.state.prot,
        carbs: this.state.carbs,
        fat: this.state.fat
    })
});

When I test the API with Postman, I get a 204 response, but the above fetch gives me a 403. My suspicion is that it has something to do with my CORS Filter, or the fact that a G_ENABLED_IDPS=google cookie is sent with the PUT by my browser. Any help would be greatly appreciated; I've been trying to fix this for hours.

ECJones

1 Answer


The purpose of the Access-Control-Allow-Headers response header is to tell the browser which request headers are allowed for requests. The list you have is as follows: origin, content-type, accept, authorization, cookie. But in your request you are trying to set the User-Agent header. If you remove the header or add it to the list, it should work.

See also:

Paul Samsotha
  • I added User-Agent to the list, along with all the other headers that the web console told me were being sent in the request, but unfortunately it's still giving me a 403. The postman request also had headers that were unlisted, but it worked fine. I do appreciate the help. – ECJones Nov 23 '20 at 02:00
  • Postman and Browsers are different. The former doesn't care about the CORS protocol while the latter does. Is there an error message anywhere in the console? Also not all headers need to be added to the list. The headers automatically added by the browser do not need to be added. Just the ones you set manually that are not "safe" headers. Take some time to read some of the resources I linked to if you want to learn more about CORS. – Paul Samsotha Nov 23 '20 at 02:19