I have a question around the “Access-Control-Allow-Origin” header.
We are doing a POC for one of our customers in an AWS environment.
We have created a SiteMinder domain to protect a dummy page in the SPS server.
When accessing http://one.customer.com/benchmark from my laptop browser (I have entries in my hosts file to point to one.customer.com) I can see the login.fcc page.
I am seeing a different domain, ag.customer.com, here because this is mentioned in the authentication scheme.
Upon logging in with correct username and password, I could see
URL is not found because it does not exist, and SMSESSION is generated which confirms successful authentication and authorization.
Now we are trying to use the login page (hosted on the Spring Boot framework) from the client application, which is outside the AWS environment, to POST to login.fcc.
The flow is like this: the client will access the login page (hosted in the app server) directly, with hardcoded values as below, populate the username and password, and post it to login.fcc.
'USER' : 'email@example.com',
'PASSWORD' : 'Mindtree@123',
'SMENC' : 'UTF-8',
'target' : 'http://one.customer.com/benchmark',
'smquerydata' : '',
'smauthreason' : '0',
'smagentname' : '-SM-EUYsTjM+ZK27tzRuPeJzwyYzmDMrDIw6VJ0obD3GvIivvWdrY4vbfwTt01CGKMbU',
'postpreservationdata' : ''
We are seeing an issue with the “Access-Control-Allow-Origin” header.
We can see the below header from the browser:
Also, the client showed me the below code snippet where “Access-Control-Allow-Origin” is added to the header with a ‘*’ value.
Based on this we are clear that “Access-Control-Allow-Origin” header is added in the request.
But not sure why we are still getting this.
Looking into a previous case, it was resolved by tweaking the web server configuration.
These cross-domain XMLHttpRequests fail to reach the actual server.
IMPORTANT NOTE: These settings are set on the site hosting, not the site that is attempting to access them. The code snippet shown seems to be doing the reverse.
If you control the server hosting and it's being hosted on IIS, you can control how the server handles cross origin requests by adding the following configuration to the Web.config.
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="*" />
      <add name="Access-Control-Allow-Headers" value="Content-Type" />
      <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
For Apache web server:
For Apache, just add the below to httpd.conf
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
</IfModule>
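Added example, not part of the original thread: a small JavaScript model of the check a browser applies to a cross-origin response, plus a server-side allowlist as a tighter alternative to the ‘*’ value. It shows why a header placed on the client's request changes nothing, and why ‘*’ stops working once the request carries cookies (which a script needs if it expects the SMSESSION cookie to be stored). APP_ORIGIN and the function names are assumptions made for the illustration.

```javascript
// Added example (not from the thread). All inputs are constructed.
const APP_ORIGIN = "https://app.client.example"; // hypothetical origin of the login page

// Browser side: the CORS check reads only the *response* headers.
// withCredentials is true when the XHR/fetch sends and stores cookies.
function corsCheck(origin, withCredentials, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) {
    h[k.toLowerCase()] = String(v).trim(); // header names are case-insensitive
  }
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return "blocked: no Access-Control-Allow-Origin in response";
  if (!withCredentials) {
    return allow === "*" || allow === origin ? "allowed" : "blocked: origin mismatch";
  }
  // With cookies the wildcard is refused and the exact origin is required.
  if (allow === "*") return "blocked: wildcard not accepted with credentials";
  if (allow !== origin) return "blocked: origin mismatch";
  if (h["access-control-allow-credentials"] !== "true") {
    return "blocked: Access-Control-Allow-Credentials is not true";
  }
  return "allowed";
}

// Server side (the host serving login.fcc): answer only known origins.
function corsResponseHeaders(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {}; // unknown origin gets no CORS headers
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // stop caches reusing the response for another origin
  };
}

// Header added on the client's request only: the response is unchanged.
console.log(corsCheck(APP_ORIGIN, false, {}));
// Wildcard set on the hosting server, request without cookies.
console.log(corsCheck(APP_ORIGIN, false, { "Access-Control-Allow-Origin": "*" }));
// Same wildcard, request with cookies.
console.log(corsCheck(APP_ORIGIN, true, { "Access-Control-Allow-Origin": "*" }));
// Allowlisted origin echoed back by the server, request with cookies.
console.log(corsCheck(APP_ORIGIN, true, corsResponseHeaders(APP_ORIGIN, [APP_ORIGIN])));
```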