Hi I am developing services in web api2 vs2015. Initially i had cors issue i fixed and http verbs like get,delete,put,post working fine in mozilla and internet explorer. I am getting errors in google chrome for put and delete request. I am not able to do put and delete in google chrome. This is my request and response values in chrome.
Request URL:http://192.168.0.213:8041/User_Creation/1019
Request Method:OPTIONS
Status Code:400 Bad Request
Remote Address:192.168.0.213:8041
**Response Headers**
view source
Cache-Control:no-cache
Content-Length:58
Content-Type:application/json; charset=utf-8
Date:Mon, 16 Jan 2017 10:07:04 GMT
Expires:-1
Pragma:no-cache
Server:Microsoft-IIS/8.5
X-AspNet-Version:4.0.30319
X-Powered-By:ASP.NET
**Request Headers**
view source
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-GB,en-US;q=0.8,en;q=0.6
Access-Control-Request-Headers:
Access-Control-Request-Method:DELETE
Connection:keep-alive
Host:192.168.0.213:8041
Origin:http://192.168.0.213:8040
Referer:http://192.168.0.213:8040/usercreation/Index
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
I have below line of code in web.config
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Methods" value="POST, PUT, DELETE, GET, OPTIONS" />
<add name="Access-Control-Allow-Headers" value="content-Type, accept, origin, X-Requested-With, Authorization, name" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>
</httpProtocol>
Am i missing anything here?
I am sending requesting delete http verb and in 3rd line i can see options verb. I am confused here. May i know how can i fix this issue? Thank you for your help.
Related
This is another CORS question. I have a weird issue.
I have an old application. i have access to inetpub but not the source code (only dlls and web.config).
So, before i make any POST call, there is a preflight call that is happening and somehow , the server is now allowing options to happen.
How do i make this work with just web.config or iis changes?
interestingly, Get call works. only post doesnt work.
I have added the following in Web.config of the api
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
in my test application, when i try to call the api, i am sending the following in the request headers
OPTIONS http://OldWebApiurl HTTP/1.1
Host: http://Oldwebapi.host
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://TestSite
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Access-Control-Request-Headers: accept, content-type
Accept: */*
Referer: http://testsite/page
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
How do i make this work with just web.config or iis changes?
I am afraid that this might not be possible with changes to those files only. For example if you are using ASP.NET Web API (which you seem to be using according to the tags used in your question) you might consult the following tutorial explaining the required changes you need to make to your source code in order to enable CORS.
So long story short, get the code of this web application from source control, add the config.EnableCors(); call to the bootstrapping section and decorate the controllers/actions that need to be accessible with CORS with the [EnableCors(...)] attribute. Then push back the changes you did in the source control, trigger a build and let the continuous delivery do the rest and deploy your changes to the target environment. Then you can enjoy CORS.
interestingly, Get call works. only post doesnt work.
That's perfectly normal, most common browsers simply do not make a pre-flight request for GET AJAX calls because those are considered safe - those are not supposed to modify any server side state so they are allowed.
I'm deploying an application in Google App Engine and I'm also using the Cloud Endpoint feature for REst call.
I use a custom domain to point on my application. As you probably know, Endpoint doesn't support custom domain. So my situation is this:
I open the page http://www.example.org
I do an ajax request to an Endpoint like https://my-example.appspot.com/_ah/api/service
Now the problem is: Everytime I do an ajax request to an Endpoint, a new Session is created!! How can I keep the session between requests? I inspected the responses from Endpoint, and I didn't find any reference to session cookie...
UPDATE 1
For the Ajax call I'm using JQuery.
$.post('_ah/api/user/v1/login', function() {
console.log('logged');
});
I now add this is for adding the withCredentials field.
$(document).ajaxSend(function(elm, xhr, s) {
xhr.withCredentials = true;
});
UPDATE 2
This is my request and the server response headers
Request
Accept:*/*
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Origin:http://www.example.org
Referer:http://www.example.org/game.html
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
X-CSRFToken:xkNZPouvfl2mRT0IKFZNB2xJpffaaK3UuYhhg5eoeRAiMqxaoQ14q93cv2xeRnYP
Response
access-control-allow-credentials:true
access-control-allow-origin:http://www.example.org
access-control-expose-headers:Content-Encoding,Content-Length,Content-Type,Date,Server
alternate-protocol:443:quic,p=1
cache-control:private, max-age=0
content-encoding:gzip
content-length:165
content-type:application/json; charset=UTF-8
date:Sun, 19 Apr 2015 12:40:49 GMT
expires:Sun, 19 Apr 2015 12:40:49 GMT
server:GSE
status:200
version:HTTP/1.1
x-content-type-options:nosniff
x-frame-options:SAMEORIGIN
x-xss-protection:1; mode=block
I need to write an ajax request, which will request an XML from REST service. I deployed locally a simple REST service, which returns an XML document.
I know about same origin policy, so I added Access-control-allow-origin: * to the response (or the same value like in Origin header in request). Then I tested my ajax request from a local html file and got same origin policy error.
I then tried to put this page into java web application, deployed it into tomcat and got the very same error. I've tested it in Chrome and Firefox.
It only works if I start Chrome with disabled web security. But it does not solve my problem.
That's the request, sending by ajax, which receives
**OPTIONS http://localhost:9198/helloworld Origin http://localhost:8081 is not allowed by Access-Control-Allow-Origin.**
For both cases. Whether it is an * in the Access-control-allow-origin or defined host.
Request URL:http://localhost:9198/helloworld
Request Method:OPTIONS
Status Code:200 OK
Request Headers:
Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Access-Control-Request-Headers:accept, customheader, origin
Access-Control-Request-Method:GET
Connection:keep-alive
Host:localhost:9198
Origin:http://localhost:8081
Referer:http://localhost:8081/testRest/test.html
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36
Response Headers:
Allow:OPTIONS,GET,HEAD
Content-length:564
Content-type:application/vnd.sun.wadl+xml
Date:Tue, 04 Jun 2013 08:48:28 GMT
Last-modified:B, 04 8N= 2013 20:23:45 MAGST
Here is the request\response if i just put the address of my REST service into browser.
Request URL:http://localhost:9198/helloworld
Request Method:GET
Status Code:200 OK
Request Headers:
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding:gzip,deflate,sdch
Accept-Language:ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:max-age=0
Connection:keep-alive
Cookie:srmuser=kbar
Host:localhost:9198
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.94 Safari/537.36
Response Headers:
Access-control-allow-origin:http://localhost:8081
Content-type:application/xml
Date:Tue, 04 Jun 2013 09:10:03 GMT
Transfer-encoding:chunked
Could anyone please help me?
Our client uses IE8, and its caching-hungry ways makes things difficult. To fix this I added a bean to prevent caching
<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
<property name="cacheSeconds" value="0" />
</bean>
According to Chrome's (Very useful) developer tool, I can see that Response Headers are:
Cache-Control:no-cache
Cache-Control:no-store
Content-Length:1070
Content-Type:text/html;charset=utf-8
Date:Tue, 27 Nov 2012 17:21:31 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Pragma:no-cache
However, now I'm getting a 406 response. Why would I be getting this?
The Request Headers are:
Accept:application/json, text/javascript, */*; q=0.01
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:redacted
Host:localhost:8040
Referer:http://localhost:8040/redacted
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
X-Requested-With:XMLHttpRequest
I took a look at this answer, but I'm already using Jackson.
Found the answer. Once again it's a problem with how the beans are ordered. If I place the no-cache bean AFTER the jackson bean, then it works.
I have a Spring web service that requires HTTP Basic authentication and I'm trying to access it via Javascript.
My Spring security configuration has the following definitions:
<security:http create-session="stateless">
<security:http-basic />
<security:intercept-url pattern="/item/**"
access="ROLE_ADMIN,ROLE_USER" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="Aladdin" password="open sesame"
authorities="ROLE_USER, ROLE_ADMIN" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
And my Javascript client is setting the Authentication header accordingly. However I will always get 401 for a response:
Request URL:http://localhost:8080/item
Request Method:GET
Status Code:401 Full authentication is required to access this resource
Request
Accept:application/json, text/javascript, */*; q=0.01
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Authorization:BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Cache-Control:no-cache
Connection:keep-alive
Cookie:JSESSIONID=x8foxdzzuc8g1cqnhxj34u4tv
Host:localhost:8080
Pragma:no-cache
Referer:http://localhost:8080/index.html
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
X-Requested-With:XMLHttpRequest
Response:
Cache-Control:must-revalidate,no-cache,no-store
Content-Length:1461
Content-Type:text/html;charset=ISO-8859-1
Server:Jetty(8.1.3.v20120416)
WWW-Authenticate:Basic realm="Spring Security Application"
Is there something missing from my request? I used Wikipedia's example for the user/password to make sure the encoding is not messed up - it matches with the example here
The problem was simpler than I thought - the Authorization header should say "Basic" not "BASIC". Just changing that fixed the entire thing.