1

On WebSphere Liberty I have a back end that run on https://localhost:9443/context-root/objects. It works and i can test my REST APIs from a browser or postman.

I coded a Web UI in Angular with Visual Studio Code. When i try to test ('> ng serve') with Crome localhost:4200 with the UI http calls of the REST API i get errors:

  1. server.xml without CORS settings 

    The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:4200' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Response Headers

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:origin, content-type, accept, authorization 
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Origin:*
Access_Control_Max_Age:43200
Cache-Control:no-store, no-cache=set-cookie
Content-Length:284
Content-Type:application/json

  1. server.xml with CORS settings

    <cors domain="/context-root"
  allowedOrigins="http://localhost:4200"
  allowedMethods="GET, DELETE, POST, PUT"
  allowedHeaders="accept"
  allowCredentials="true"
  maxAge="3600" />

Error:

Failed to load https://localhost:9443/context-root/objects: The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost:4200, *', but only one is allowed. Origin 'http://localhost:4200' is therefore not allowed access.

Response headers:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:origin, content-type, accept, authorization
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Origin:http://localhost:4200
Access-Control-Allow-Origin:*
Access_Control_Max_Age:43200

I am not sure why i get double values in the Response Headers and why in particular i get 2 allow-origin. Is there a way around this? thanks

Andy Guibert
  • 41,446
  • 8
  • 38
  • 61
Stefania Axo
  • 127
  • 13
  • 2
    Do you have code in your web app that is setting CORS response headers? The fact you are seeing CORS headers without configuring CORS in Liberty suggests as much and explains why with Liberty CORS setup you are getting duplicate headers. – Alasdair Feb 07 '18 at 02:53
  • thank you @Alasdair for your reply. I did not code anything from the Web App to add CORS setting. Here is how the REST API is called: `this.http.get(requestURL,{withCredentials: true}) .catch(this.handleError);` – Stefania Axo Feb 07 '18 at 17:45
  • Here is what i found on package-lock.json that has the Cors setting for dev = true ` "requires": { "component-emitter": "1.2.1", "component-inherit": "0.0.3", "debug": "2.3.3", "engine.io-parser": "1.3.2", "has-cors": "1.1.0", "indexof": "0.0.1", "parsejson": "0.0.3", "parseqs": "0.0.5", "parseuri": "0.0.5", "ws": "1.1.2", "xmlhttprequest-ssl": "1.5.3", "yeast": "0.1.2" },` – Stefania Axo Feb 07 '18 at 17:46
  • "has-cors": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/has-cors/-/has-cors-1.1.0.tgz", "integrity": "sha1-XkdHk/fqmEPRu5nCPu9J/xJv/zk=", "dev": true }, – Stefania Axo Feb 07 '18 at 17:47
  • here is the General info on the Network tab on Crome Request URL: https://localhost:9443/context-root/objects Request Method:GET Status Code:200 OK Remote Address:127.0.0.1:9443 Referrer Policy:no-referrer-when-downgrade – Stefania Axo Feb 07 '18 at 17:48
  • I agree with @Alasdair that there must be a filter or other code in the backend application that is adding those CORS filters. Without CORS configuration Liberty does not add any CORS headers. – ArthurDM Feb 07 '18 at 21:24
  • yes you were both right i found the filter in the code of the REST API. ContainerResponseFilter class that was added to the Response . I removed and that fixed the problem. thank you :-) – Stefania Axo Feb 07 '18 at 21:50

1 Answers1

0

From the above comments to my answer came the solution.
There was a ContainerResponseFilter class that added programmatically the CORS settings all the times, either they were set in server.xml or not.
As a result each REST API call had them in all the Response .
I removed the filter class and that fixed the problem. thank you :-)

`

@Override
   public void filter( ContainerRequestContext requestContext,
         ContainerResponseContext responseContext )
         throws IOException
   {
      final int ACCESS_CONTROL_MAX_AGE_IN_SECONDS = 12 * 60 * 60;
      MultivaluedMap<String, Object> headers = responseContext.getHeaders();
      headers.add( "Access-Control-Allow-Credentials", "true" );
      headers.add( "Access-Control-Allow-Headers",
            "origin, content-type, accept, authorization" );
      headers.add( "Access-Control-Allow-Methods",
            "GET, POST, PUT, DELETE, OPTIONS, HEAD" );
      headers.add( "Access-Control-Allow-Origin", "*" );
      headers.add( "Access_Control_Max_Age",
            ACCESS_CONTROL_MAX_AGE_IN_SECONDS );
   }

`

Stefania Axo
  • 127
  • 13