Is there any method (for Java) to allow custom headers like Authorization? Chrome and other browsers do pre-flight requests and if I get the headers on server-side I see this:

It doesn't send the authorization, just a request.
Allow how? You should be able to do everything header related with ctx.header() (?)
Browsers like Chrome make a pre-flight request for certain "unsafe" headers.
MDN explanation
StackOverflow question.
These problems could be solved by allowing any cors-origin (that I enabled with enableCorsForAllOrigins) but the problems still keep happening (if you make a direct request with e.g. rest client it works perfectly.)
I was just wondering but already solved my problem with a different approach (without headers).
Sorry @reworking, I forgot to follow up on this after my vacation. Could you elaborate on when it happens? For me it works fine from chrome.
I'm experiencing the same issue. I am sending a sessionId cookie in a rest webservice from Javalin but with credentials:'include' in the post from the HTTP side saying that 'preflight failed' and I get an error in my browser indicating that I need to set Access-Control-Allow-Credentials: true in my headers to allow cookies to work cross origin.
https://quickleft.com/blog/cookies-with-my-cors/
But I can't find any way to set this in Javalin. I tried setting it with just ctx.header but that didn't work as I think the failure is in the 'preflight' before it even gets to my call.
The error I get in chrome:
Access to fetch at 'http://localhost:8090/hudson/user/login' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.
Are you using the latest version (2.4.0)?
I'm currently using 2.3.0
```
compile 'io.javalin:javalin:2.3.0'
```
Are there new changes around this in 2.4.0? I will give that a go.
There's a change to CORS if you're using the access manager.
But it might be unrelated.
Unfortunately my laptop battery has died so I can't test that until tomorrow. I did look at the changes for 2.4.0 and I don't think that they would affect me. I'm just using enableCorsForAllOrigins to enable CORS:
```
server = Javalin.create().port(port).enableCorsForAllOrigins().enableCaseSensitiveUrls();
```
Looks like we might need to make some changes, yeah. Would you like to try creating a PR?
I suppose I could. What change would we be talking about? I don't know the internals of Javalin, or HTTP in general. Would this be something like the existing enableCorsForAllOrigins() that adds "Access-Control-Allow-Credentials: true" into all of the headers? I'm also not a Kotlin developer but I've been needing an excuse to learn. It looks pretty straightforward.
You should just have to add an if inside the CorsUtil (I think that's what I named it).
Hi, I'm not exactly sure what the change should be. I'm not too familiar with web stuff in general. I've added the following line to CorsUtil:
```
ctx.header(Header.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")
```
in the CorsOptionsHandler.handle function and it works perfectly. When I have that in then all my cookies work just fine. However, that doesn't follow the convention of the rest of the file and I'm not sure if always forcing that header to true is the correct behaviour in all cases. It certainly is for my case but I don't know about others. I tried this:
```
// Copy the header from the incoming request onto the response, if present
ctx.header(Header.ACCESS_CONTROL_ALLOW_CREDENTIALS)?.let {
    ctx.header(Header.ACCESS_CONTROL_ALLOW_CREDENTIALS, it)
}
```
based on the other settings in that function, but ACCESS_CONTROL_ALLOW_CREDENTIALS is not present (returns null) on the request header coming in so then that ?.let doesn't do anything.
Can you give me some direction?
Thanks,
Troy.
@CodeMaven I'm not familiar with this header myself, but from a quick read through of https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials it seems this is either something you want to enable or not. You could add Javalin#enableCorsCredentials, and then:
```
if (corsCredentialsEnabled) {
    ctx.header(Header.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")
}
```
If you want to enable this now you could add a before:
```
app.before { ctx ->
    if (ctx.method() == "OPTIONS") {
        ctx.header(Header.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true")
    }
}
```
Thank you, yes that's the way I was leaning. I was going to try doing the app.before but I wasn't sure how to trigger it in the preflight options. I will remove my hack and try your app.before for now in my code and then submit a PR for the above solution.
Cheers,
Troy
For anyone landing here in 2020 - the issue has long been fixed, but make sure that enableCorsForAllOrigins() is done before starting the server, afterwards it has no effect.
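
The Chrome error quoted in this thread comes from the check a browser runs on the preflight response when the request uses credentials: 'include'. The following is an added example, not code from the thread or from Javalin: a simplified model of that check, where the function name `checkCredentialedPreflight` and the sample requests and responses are constructed for illustration.

```javascript
// Added example: simplified model of the check a browser applies to a preflight
// response when the request uses credentials: 'include'. Header names are real;
// the function name and sample data are constructed for illustration.
function checkCredentialedPreflight(request, responseHeaders) {
  const h = {}; // header names are case-insensitive, so index them in lower case
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const list = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);
  const problems = [];

  // With credentials the origin must match exactly; '*' is not accepted.
  const allowOrigin = h['access-control-allow-origin'] || '';
  if (allowOrigin !== request.origin) {
    problems.push(`Access-Control-Allow-Origin is '${allowOrigin}', expected '${request.origin}'`);
  }
  // The value must be the exact, case-sensitive string "true".
  const allowCredentials = h['access-control-allow-credentials'] || '';
  if (allowCredentials !== 'true') {
    problems.push(`Access-Control-Allow-Credentials is '${allowCredentials}', must be 'true'`);
  }
  // GET, HEAD and POST need no listing; '*' is not a wildcard with credentials.
  const methods = list(h['access-control-allow-methods']);
  if (!['GET', 'HEAD', 'POST'].includes(request.method) && !methods.includes(request.method)) {
    problems.push(`method ${request.method} not in Access-Control-Allow-Methods`);
  }
  // Every non-safelisted request header (e.g. Authorization) must be named.
  const allowedHeaders = list(h['access-control-allow-headers']).map((s) => s.toLowerCase());
  for (const name of request.headers) {
    if (!allowedHeaders.includes(name.toLowerCase())) {
      problems.push(`header ${name} not in Access-Control-Allow-Headers`);
    }
  }
  return problems;
}

// Constructed sample: origin taken from the Chrome error quoted in the thread.
const sampleRequest = { origin: 'http://localhost:3000', method: 'POST', headers: ['Authorization'] };
const missingCreds = {
  'Access-Control-Allow-Origin': 'http://localhost:3000',
  'Access-Control-Allow-Headers': 'Authorization',
};
const withCreds = { ...missingCreds, 'Access-Control-Allow-Credentials': 'true' };
const wildcardOrigin = { ...withCreds, 'Access-Control-Allow-Origin': '*' };

console.log(checkCredentialedPreflight(sampleRequest, missingCreds));
console.log(checkCredentialedPreflight(sampleRequest, withCreds));
console.log(checkCredentialedPreflight(sampleRequest, wildcardOrigin));
```

Sending Access-Control-Allow-Credentials: true while echoing back whatever Origin arrives lets any site read authenticated responses, so the header belongs together with an explicit allow-list of origins.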