Symantec Access Management

Expand all | Collapse all

No Access-Control-Allow-Origin header is present on the requested resource

Jump to Best Answer
  • 1.  No Access-Control-Allow-Origin header is present on the requested resource

    Broadcom Employee
    Posted 12-12-2017 12:55 AM

    I have question around “Access-Control-Allow-Origin” header.


    We are doing a POC for one of our customers in AWS environment.

    We have created a siteminder domain to protect a dummy page in SPS server.

    When accessing from my laptop browser (I have entries in my hosts file to point to I can see the login.fcc page

    I am seeing different domain here because this is mentioned in the authentication scheme.

    Upon logging in with correct username and password, I could see

    URL is not found because it does not exist, and SMSESSION is generated which confirms successful authentication and authorization.


    Now we are trying to use the login page (hosted on spring boot framework) from client application and this is outside the AWS environment, to POST to login.fcc.

    The flow is like -- client will access the login page (hosted in app server) directly, with hardcoded values as below, populate the username and password and post it to login.fcc.

    Query Parameters:









    Form Data:

    'USER' : '',

    'PASSWORD' : 'Mindtree@123',

    'SMENC' : 'UTF-8',

    'SMLOCALE': 'US-EN',

    'target' : '’

    'smquerydata' : '',

    'smauthreason' : '0',

    'smagentname' : '-SM-EUYsTjM+ZK27tzRuPeJzwyYzmDMrDIw6VJ0obD3GvIivvWdrY4vbfwTt01CGKMbU',

    'postpreservationdata' : ''


    We are seeing an issue with “Access-Control-Allow-Origin” header.

    We can see below header from browser:

    Also, client showed me the below code snippet where “Access-Control-Allow-Origin” is added to the header with ‘*’ value.

    Based on this we are clear that “Access-Control-Allow-Origin” header is added in the request.

    But not sure why we are still getting this.

  • 2.  Re: No Access-Control-Allow-Origin header is present on the requested resource
    Best Answer

    Posted 12-12-2017 09:21 AM

    Looking into a previous case it was resolved by tweaking the Web Server configuration.


    These cross domain XMLHttpRequest fails to reach the actual server 



    IMPORTANT NOTE: These settings are set on the site hosting not the site that is attempting to access them. The code snippet showed seems to be doing the reverse.



    If you control the server hosting and it's being hosted on IIS, you can control how the server handles cross origin requests by adding the following configuration to the Web.config.

    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
    <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />


    For Apache web server:

    For Apache just add below to https.conf

    <ifModule mod_headers.c>
    Header set Access-Control-Allow-Origin: *