Symantec Access Management


No Access-Control-Allow-Origin header is present on the requested resource

  • 1.  No Access-Control-Allow-Origin header is present on the requested resource

    Broadcom Employee
    Posted Dec 12, 2017 12:55 AM

    I have a question around “Access-Control-Allow-Origin” header.

     

    We are doing a POC for one of our customers in an AWS environment.

    We have created a SiteMinder domain to protect a dummy page on the SPS server.

    When accessing http://one.customer.com/benchmark from my laptop browser (I have entries in my hosts file to point to one.customer.com) I can see the login.fcc page

    I am seeing different domain ag.customer.com here because this is mentioned in the authentication scheme.

    Upon logging in with correct username and password, I could see

    URL is not found because it does not exist, and SMSESSION is generated which confirms successful authentication and authorization.

     

    Now we are trying to use the login page (hosted on the Spring Boot framework) from the client application, which is outside the AWS environment, to POST to login.fcc.

    The flow is: the client will access the login page (hosted on the app server) directly, with hardcoded values as below, populate the username and password, and post it to login.fcc.

    Query Parameters:

    TYPE=33554433

    REALMOID=06-00084fe4-26b7-1a2a-90a5-03d2ac1f5a5a

    GUID=

    SMAUTHREASON=0

    METHOD=GET

    SMAGENTNAME=-SM-EUYsTjM%2bZK27tzRuPeJzwyYzmDMrDIw6VJ0obD3GvIivvWdrY4vbfwTt01CGKMbU

    TARGET=-SM-http%3a%2f%2fone%2ecustomer%2ecom%2fbenchmark

     

    Form Data:

    'USER' : 'agadmin@customer.com',

    'PASSWORD' : 'Mindtree@123',

    'SMENC' : 'UTF-8',

    'SMLOCALE': 'US-EN',

    'target' : 'http://one.customer.com/benchmark',

    'smquerydata' : '',

    'smauthreason' : '0',

    'smagentname' : '-SM-EUYsTjM+ZK27tzRuPeJzwyYzmDMrDIw6VJ0obD3GvIivvWdrY4vbfwTt01CGKMbU',

    'postpreservationdata' : ''

     

    We are seeing an issue with “Access-Control-Allow-Origin” header.

    We can see below header from browser:

    Also, client showed me the below code snippet where “Access-Control-Allow-Origin” is added to the header with ‘*’ value.

    Based on this we are clear that “Access-Control-Allow-Origin” header is added in the request.

    But not sure why we are still getting this.



  • 2.  Re: No Access-Control-Allow-Origin header is present on the requested resource
    Best Answer

    Posted Dec 12, 2017 09:21 AM

    Looking into a previous case it was resolved by tweaking the Web Server configuration.

     

    These cross-domain XMLHttpRequests fail to reach the actual server 

     

     

    IMPORTANT NOTE: These settings are set on the site hosting, not the site that is attempting to access them. The code snippet shown seems to be doing the reverse.

     

     

    If you control the server hosting and it's being hosted on IIS, you can control how the server handles cross origin requests by adding the following configuration to the Web.config.

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Access-Control-Allow-Origin" value="*" />
          <add name="Access-Control-Allow-Headers" value="Content-Type" />
          <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

    http://gkb.wikidot.com/setting-cors-on-iis-8

    https://stackoverflow.com/questions/10143093/origin-is-not-allowed-by-access-control-allow-origin

    http://dev.nuclearrooster.com/2011/01/03/cors-with-apache-mod_headers-and-htaccess/

    https://stackoverflow.com/questions/12458444/enabling-cross-origin-resource-sharing-on-iis7

     


    For Apache web server:

    http://stackoverflow.com/questions/10143093/origin-is-not-allowed-by-access-control-allow-origin

    http://dev.nuclearrooster.com/2011/01/03/cors-with-apache-mod_headers-and-htaccess/

    For Apache just add below to https.conf

    <ifModule mod_headers.c>
    Header set Access-Control-Allow-Origin: *
    </ifModule>
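
The point made in the answer above (the header must come from the server hosting login.fcc, not from the caller), shown as an added example that is not part of the original thread: a simplified JavaScript model of the check a browser applies to a cross-origin response, next to an allow-list alternative to `*`. It covers only the final response check, not preflight. `APP_ORIGIN`, `https://other.example` and the function names are constructed for illustration, and sending the POST with credentials (so that the SMSESSION cookie is accepted) is an assumption about the client.

```javascript
// Added example: simplified model of the CORS check a browser applies to a
// cross-origin XMLHttpRequest/fetch response (after the Fetch standard).
// APP_ORIGIN is a constructed placeholder; the thread does not name the client origin.
const APP_ORIGIN = 'https://app.customer.example';

// Server side (the host serving login.fcc): build CORS response headers from an
// allow-list instead of sending "*" to everyone.
function corsResponseHeaders(requestOrigin, allowedOrigins) {
  const headers = { Vary: 'Origin' }; // caches must key on Origin
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Browser side: may script on pageOrigin read this response?
// Only RESPONSE headers are consulted; request headers play no part.
function browserCorsCheck(pageOrigin, withCredentials, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return 'blocked: no Access-Control-Allow-Origin';
  if (acao === '*') {
    return withCredentials ? 'blocked: wildcard with credentials' : 'allowed';
  }
  if (acao !== pageOrigin) return 'blocked: origin mismatch';
  if (!withCredentials) return 'allowed';
  return h['access-control-allow-credentials'] === 'true'
    ? 'allowed'
    : 'blocked: credentials not allowed';
}

// Constructed scenarios.
function demo() {
  const allow = [APP_ORIGIN];
  return {
    // Header added by the client to its request; server response has no CORS headers.
    headerOnRequestOnly: browserCorsCheck(APP_ORIGIN, false, { 'Content-Type': 'text/html' }),
    wildcardNoCookies: browserCorsCheck(APP_ORIGIN, false, { 'Access-Control-Allow-Origin': '*' }),
    wildcardWithCookies: browserCorsCheck(APP_ORIGIN, true, { 'Access-Control-Allow-Origin': '*' }),
    allowListed: browserCorsCheck(APP_ORIGIN, true, corsResponseHeaders(APP_ORIGIN, allow)),
    unlisted: browserCorsCheck('https://other.example', true,
      corsResponseHeaders('https://other.example', allow)),
  };
}

console.log(demo());
```

The `wildcardWithCookies` case is the one to watch when the cross-origin POST has to carry or receive the session cookie: a `*` value is rejected for credentialed requests, so the server has to return the specific allowed origin.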