2

I have zuul server implemented which does the routing to all my microservices. I have a seperate UI project which is in angular. I am trying to make an AJAX call from the UI app to a specific microservices which routes through Zuul but I am getting this error.

XMLHttpRequest cannot load http://localhost:8006/user/v1/userassociations. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:63342' is therefore not allowed access. The response had HTTP status code 403.

But When I directly try to hit the api in local host which is hosted at http://localhost:4444/user/v1/userassociations it works perfectly fine. I have the below CORS configuration added to the actual api.

@Override
public void addCorsMappings(final CorsRegistry registry) {
    registry.addMapping("/**").allowedMethods("PUT", "GET", "DELETE", "OPTIONS", "PATCH", "POST");
}

The problem is only happening when i try to hit the api via zuul I tried to add the same configuration to Zuul but it is not working.

I know it is the same origin issue but there must be a solution our microservices are suppose to go public so anyone can make the request from any domain.

Below is the Working AJAX call:- if i change the url to http://localhost:8006/user/v1/userassociations which is via zuul i get the cross origin.

var service = {};
  service.userContextCall = function()
  {
    return $http({
      url:'http://localhost:4444/user/v1/userassociations',
      method: 'GET',
      headers: {'Content-Type':'application/json',
        'userContextId':'1234567890123456'}
    }).success(function(response){

      return response;
    }).error(function(error){

      return error;
    });

  };

  return service;

Header that Iam receiving for when i hit the api via Zuul.

Request URL:http://localhost:8006/user/v1/userassociations
Request Method:OPTIONS
Status Code:403 Forbidden
Remote Address:[::1]:8006
Response Headers
view source
Allow:GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Content-Length:20
Date:Tue, 23 Feb 2016 18:51:15 GMT
Server:Apache-Coyote/1.1
X-Application-Context:apigateway:8006
Request Headers
view source
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:accept, usercontextid
Access-Control-Request-Method:GET
Connection:keep-alive
Host:localhost:8006
Origin:http://localhost:63342
Referer:http://localhost:63342/icpAccountHolder/app/index.html
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Header when i direclty hit the api the working one.

Request URL:http://localhost:4444/user/v1/userassociations
Request Method:GET
Status Code:200 OK
Remote Address:[::1]:4444
Response Headers
view source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://localhost:63342
Content-Type:application/json;charset=utf-8
Date:Tue, 23 Feb 2016 18:54:19 GMT
Server:Apache-Coyote/1.1
Transfer-Encoding:chunked
Vary:Origin
X-Application-Context:userassociations-v1
Request Headers
view source
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Host:localhost:4444
Origin:http://localhost:63342
Referer:http://localhost:63342/icpAccountHolder/app/index.html
User-Agent:Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
userContextId:1234567890123456

Can anyone help me with this.

Grinish Nepal
  • 3,037
  • 3
  • 30
  • 49
  • There is more to CORS than just `allowed methods`. Copy sample of headers being returned. Likely missing some – charlietfl Feb 23 '16 at 18:47
  • added the headers for both scenarios when i directly hit the api and when via zuul. – Grinish Nepal Feb 23 '16 at 18:56
  • definitely missing `Access-Control-Allow-Origin` and probably need `Access-Control-Allow-Credentials` also – charlietfl Feb 23 '16 at 19:00
  • yah i saw that too that should be taken care by the spring app in my case Zuul i even added the configuration for it but it is still failing. I thought this was more of a java side issue than the actual ajax call. – Grinish Nepal Feb 23 '16 at 19:19

1 Answers1

3

The fix seems to be using the ANGEL.SR6 spring cloud version instead of BRIXTON. But In case you want to use Brixton this is what i wrote to override the CORS filter in Zuul.

 @Bean
 public CorsFilter corsFilter() {
     final UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource= new UrlBasedCorsConfigurationSource();
     final CorsConfiguration corsConfig = new CorsConfiguration();
     corsConfig.setAllowCredentials(true);
     corsConfig.addAllowedOrigin("*");
     corsConfig.addAllowedHeader("*");
     corsConfig.addAllowedMethod("OPTIONS");
     corsConfig.addAllowedMethod("HEAD");
     corsConfig.addAllowedMethod("GET");
     corsConfig.addAllowedMethod("PUT");
     corsConfig.addAllowedMethod("POST");
     corsConfig.addAllowedMethod("DELETE");
     corsConfig.addAllowedMethod("PATCH");
     urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfig);
     return new CorsFilter(urlBasedCorsConfigurationSource);
 }
Grinish Nepal
  • 3,037
  • 3
  • 30
  • 49