How to set/edit "Access-Control-Allow-Origin" in response-header for "OPTIONS request method"?


anh vu kieu

Apr 27, 2019, 12:05:00 AM
to Moqui Ecosystem
I'm building a website with a front-end written in Angular that sends requests to the back-end (Moqui) through the REST API. My website requires users to be authenticated to use its features, so for every request sent from the front-end I must add the attribute "withCredentials: true" to make Angular append JSESSIONID in the Cookie (the server will use JSESSIONID to get info about the logged-in user) when sending to the server. However, Angular always sends an HTTP OPTIONS request first to check the CORS policy, and the attribute 'Access-Control-Allow-Origin' in the response header for this request has the value "*", so Angular throws the error "Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute." How can I edit the attribute "Access-Control-Allow-Origin" for the OPTIONS-method request, or is there any solution better than editing it? Please help me, I have spent a lot of time trying to find the solution but it is not resolved yet!

Stephen Agyepong

Apr 27, 2019, 12:31:06 PM
to mo...@googlegroups.com
See response to

[moqui] Enable CORS support in Moqui Inbuilt Jetty Server




David E Jones

Apr 27, 2019, 3:27:55 PM
to Moqui Framework

This is something I've been meaning to work on for a while, hoping a real world use case on some project I'm involved with would need it, but oh well... worked on it a bit this morning. Please see this commit to moqui-framework:


With an external CORS filter or proxy this isn't needed (without this change just make sure the CORS filter or proxy handles the full OPTIONS request rather than forwarding it).

In general I'd recommend learning about this stuff before you set things up:


There are various other replies on this mailing list and on GitHub that include the use of a wildcard to allow any origin and that is generally not a good idea. The new default in Moqui is same origin only unless '*' is explicitly configured, as it is now using the 'webapp_allow_origins' property in the MoquiDevConf.xml file (can also be set as a Java property or env var like other default-property instances).

There are various additional CORS related headers added in the MoquiDefaultConf.xml file that you can override in a component or runtime MoquiConf.xml file. This uses the functionality that has been there for a while to add configured headers for different types of requests using the webapp.response-header element in the Moqui Conf XML file.

The allow origins configuration is more complex; it can't just be a static value. This new code implements the recommended logic of returning the Origin request header value in the Access-Control-Allow-Origin response header if the origin is allowed, and returning a 401 error if the origin is not allowed (many filters don't do this; it protects against such requests even if not enforced by the browser, but still relies on the presence of the Origin request header).

For the OP if you need more info on how the Moqui Conf XML file works see:


-David
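
The origin check described in the post above, as an added example that is not part of the thread and is not Moqui's code: echo the Origin only when it is on an allowlist, answer the preflight directly, and return 401 otherwise. The allowlist, the server origin, the allowed methods and headers, the 204 preflight status and the function name are assumptions made for illustration.

```python
# Added example: allowlist-based CORS decision (not Moqui's implementation).
ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allowlist (assumption)
OWN_ORIGIN = "https://api.example.com"         # the server's own origin (assumption)


def cors_decision(method, request_headers, allowed=ALLOWED_ORIGINS, own_origin=OWN_ORIGIN):
    """Return (status, cors_headers); status None means 'pass to the normal handler'."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = headers.get("origin")
    if origin is None:
        # No Origin header: not a CORS request, so this check does not apply.
        return None, {}

    if "*" in allowed:
        # Explicit wildcard: only valid for requests without credentials.
        # A browser rejects "*" when the request used withCredentials, so
        # Access-Control-Allow-Credentials is deliberately not sent here.
        cors = {"Access-Control-Allow-Origin": "*"}
    elif origin == own_origin or origin in allowed:
        # Echo the exact origin (exact string match, so "null" is refused too).
        # Vary stops caches from reusing this response for a different origin.
        cors = {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    else:
        # Origin not allowed: refuse on the server, not only in the browser.
        return 401, {}

    if method == "OPTIONS" and "access-control-request-method" in headers:
        # Preflight: answer it completely here instead of forwarding it.
        cors["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
        cors["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        return 204, cors
    return None, cors
```
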


anh vu kieu

Apr 28, 2019, 12:31:41 AM
to mo...@googlegroups.com
@David E Jones: thanks a lot for your instructions. I use nginx to map requests from Angular to the REST API in Moqui, so I think I need to configure Access-Control-Allow-Origin in nginx's config file!
