CORS OPTIONS error on delivery api endpoint while using SPA Front end app

[Chandan Agarwal]

Hello,

I have converted my existing angular application to a magnolia SPA app.

When I start my application and fetch data via the magnolia deliver api, a pre-flight CORS request is issued which gives me the following CORS error

Access to XMLHttpRequest at 'http://localhost:9080/author/.rest/delivery/pages/v1/spa-site/cms' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

On the same request I get the following error in magnolia logs

[INFO] [talledLocalContainer] 2021-09-07 11:24:33,663 [http-nio-9080-exec-6] ERROR info.magnolia.rest.RestExceptionMapper            : Exception thrown executing REST endpoint, returning 500

[INFO] [talledLocalContainer] org.jboss.resteasy.spi.DefaultOptionsMethodException: RESTEASY003655: No resource method found for options, return OK with Allow header

I followed the following tutorial  (https://docs.magnolia-cms.com/product-docs/6.2/Administration/Architecture/Request-processing-and-filters/CORS.html) and configured the following settings

I also have SiteAwareCorsFilter configured on the filters level as per the tutorial.

I am using a community edition with version 6.2.4.

Could you please help me solve this problem.

Thanks in advance.

[Bartosz Staryga]

Hey,

Your CORS setup looks good.
What might be misconfigured is the security access to the URL you call with anonymous users. You can set it up in Security app.
You can find how to do it in this blog post: https://www.magnolia-cms.com/blog/headless-magnolia-rest-endpoint-security-and-cors.html

The reason why you might still see CORS error is due to the wrong default order in the filter chain in the Configuration app (should be fixed with next release).
For now, please try cors before uriSecurity.
You should then get a correct forbidden error.

Cheers,
Bartosz

--
You received this message because you are subscribed to the Google Groups "Magnolia User Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to user-list+...@magnolia-cms.com.
To view this discussion on the web, visit https://groups.google.com/a/magnolia-cms.com/d/msgid/user-list/f7449416-30d4-4031-9760-8ccf65e20fden%40magnolia-cms.com.

--

Best regards,

Bartosz Staryga

Front-End Solution Architect, Headless Expert
bartosz...@magnolia-cms.com 

Magnolia 
Oslo-Strasse 2, 4142 Münchenstein (Basel), Switzerland
Office: +41 61 228 90 00 www.magnolia-cms.com 
 

[Bartosz Staryga]

Hey José,

Property class in your cors is wrong.
It should be: info.magnolia.cors.SelfConfiguredCorsFilter

I am guessing you only changed the SiteAwareCorsFilter part to SelfConfiguredCorsFilter, not the whole class. The same mistake I did multiple times :)
The change should to the full value of the class as they are a bit different:

• info.magnolia.module.site.filters.SiteAwareCorsFilter
  
• info.magnolia.cors.SelfConfiguredCorsFilter
  

Let me know if that was the issue.
I'll try to make it more explicit in docs too.

Cheers,
Bartosz

On Tue, 28 Dec 2021 at 11:49, José Carlos Lara <jose...@logixsdigital.com> wrote:

Hello Bartosz,

I reached to the same error and I have not clue how to fix it...

My Cors configuration is also like the reporter one. I also added configuration to server/filters/cors as in the provided link:

My superuser, anonymous and rest-anonymous have all the acesses granted.

I also moved cors befoure uriSecurity

Any idea why I still getting this error on OPTIONS call?

Thank you in advance.

Cheers.