I am using websockets to communicate between server and client. I followed this documentation to implement websocket dependecy. Now when I try to connect via example client page it produces the following error:
Access to XMLHttpRequest at '....' from origin 'null' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I have tried adding .setAllowedOrigins("*") to WebSocketConfig but it didn't fix this. What is the solution?
As the error message says you are sending a request with credentials set to include, I guess you are sending some kind of token/access data with your request.
When doing so your server must respond with the correct origin. If you are in development try setting your localhost. For example .setAllowedOrigins("http://localhost:8080") or what ever you are using. In production you need to replace that with your deployment url.
You might find success with .setAllowedOriginsPattern("*").
See the following documentation for more stricter patterns.
Related
I am sending a HTTPS request which needs a Bearer token. I have added a Header Manager to my HTTP request in JMeter and defined NAMEand VALUE in the Header Manager as Authorization and "Bearer xxxxyxyxyxz" respectively.
The request is running for 21 seconds each time and then its failed with below text
org.apache.http.conn.HttpHostConnectException: Connect to abcd.uat.xyz.com:443 [abcd.uat.xyz.com/11.222.250.10] failed: Connection timed out: connect.
Am I sending the bearer token in right way with Header Manager or is there some other way to send this kind of requests?
Note: Its(The same request and Bearer token) working perfectly in Postman and I am getting the correct response as well.
The issue is resolved after adding Proxy Server details to the request. I have added those in Advanced section of HTTP request.
In Postman, the tool using default system proxy settings, hence working without any issues but when it comes to Jmeter we need to add Proxy Server details explicitly.
Based on the exception it seems, you are trying to access HTTP server with HTTPS request.
Make sure to confirm whether "abcd.uat.xyz.com:443" support https or not..If not simply make your request HTTP by updating Protocol field.
I am attempting to configure Swagger Authentication on my resource server, so that I can authenticate against my authorization server.
I have the resource and authorization servers separated. They are both starting up on my localhost with different ports.
Resource Server on port 8083
Authorization Server on port 8081
Whenever I attempt to "Authorize", there is a CORS issues.
I forked a project from another website to use as my testing grounds. Below is the forked project.
https://github.com/cbriarnold/oauth2-spring-boot-2.0.2
To test, once both the authorization server and resource server are started, do the following:
Go to http://localhost:8083/swagger-ui.html
Click on "Authorize" button
Click on "Authorize" button in dialog
If you have the developer tools open, you will see that there is the CORS error
Access to fetch at 'http://localhost:8081/oauth/token/' from origin 'http://localhost:8083' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
The http status code associated with the above CORS error was 302.
So, I modify the source to try to permitAll (I know this is undesired from a security perspective, but I am just trying to figure out what is going on). I will receive the same CORS error, but with the https status code of 403. Code is found on the following branch.
https://github.com/cbriarnold/oauth2-spring-boot-2.0.2/tree/permitAll
Any suggestions?
I think you need to add #CrossOrigin(/*your hitting server*/) on your controllers
it's a chrome security check to see if your are permitted to talk with that server or not it sends an option request at first and if you're permitted it send your original request which is accessing swagger
if you want to make sure if that is a cross origin problem or not try to send that request via postman because postman send your request direct without option request at first
I am using Postal PIN Code API for getting Post Office(s) details search by Postal PIN Code in angular 5 application. Below is the url of the external API :
http://postalpincode.in/api/pincode/{**PINCODE}**
I am issuing a GET request from the application but it is giving me below error :
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access
Although this request is working perfectly fine from browser and postman. I understand that we need to configure our server with cross-domain policies for accepting cross-domain request but this is an external API and I don't have control over it. How can I resolve this issue?
Thanks in Advance !!
Best: CORS header (requires server changes) CORS (Cross-Origin Resource Sharing) is a way for the server to say “I will accept your request, even though you came from a different origin.” This requires cooperation from the server – so if you can’t modify the server (e.g. if you’re using an external API), this approach won’t work.
Modify the server to add the header Access-Control-Allow-Origin: * to enable cross-origin requests from anywhere (or specify a domain instead of *). This should solve your problem.
2nd choice: Proxy Server If you can’t modify the server, you can run your own proxy. And this proxy can return the Access-Control-Allow-Origin header if it’s not at the Same Origin as your page.
Instead of sending API requests to some remote server, you’ll make requests to your proxy, which will forward them to the remote server.
Here are a few proxy options.
Ref: https://daveceddia.com/access-control-allow-origin-cors-errors-in-angular/
I am trying to access NIFI rest api of another server from my machine using ajax like below,
url:"https://serverip:port/nifi-api/",
{Authorization : 'Bearer ' + 'access token here'}
Getting Response to preflight request doesn't pass access control
check: No 'Access-Control-Allow-Origin' header is present on the
requested resource error.
Apache NiFi's API is designed to be invoked by a variety of clients, but in this case I think you are encountering a security precaution put in place by CORS (Cross-Origin Resource Sharing).
If a piece of code on server A (your non-NiFi machine) makes an AJAX request to a different origin (your NiFi instance), and the HTTP method is not GET (and some other minor restrictions), server A will first send a "preflight" request, which is HTTP OPTIONS, to the remote instance to determine what requests are valid. A server can reply to this with the header Access-Control-Allow-Origin: *, which is a wildcard value denoting it accepts requests from any origin. However, if you want to send credentials along with the request, the originating hostname must be explicitly listed in the response (Access-Control-Allow-Origin: https://serverA.com).
Because NiFi uses an embedded Jetty server to host the API, you may have to explicitly add a CrossOriginFilter as described here.
I've a server named, foo.com where my application is running and accessing a service available on a different domain bar.foo.com.
With the simple XHR request to bar.foo.com/getUsers, I'm getting an error saying, No 'Access-Control-Allow-Origin' header is present. I do not want to use JSONP as a fallback to cross-domain issue.
Is there any easy fix I can do on server level to enable cross subdomain requests while XHRing?
It appears that I need to set allow-cross-domain headers on server when a response is returned as suggested by #Blender above.
Or I can use xdomain library which uses PostMessage API to enable cors. With this I can even read iframe's content served by different domain.