Origin header value not allowed. Even though URL is allowed

I've looked at other questions on the site similar to this and despite doing those resolutions, my issue remains the same.

Side note, I also tried setHeader(clientOrigin)

I am using Spring Boot v1.2.7.RELEASE and The Spring Console is what is telling me that Origin Header Value not allowed. My client returns with a 403 forbidden.

CorsFilter

package app.config;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

@Component
public class CorsFilter implements Filter {

    private final Logger log = LoggerFactory.getLogger(CorsFilter.class);

    public CorsFilter() {
        log.info("SimpleCORSFilter init");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String clientOrigin = request.getHeader("origin");
        response.addHeader("Access-Control-Allow-Origin", clientOrigin);
        response.setHeader("Access-Control-Allow-Methods", "POST, GET,  DELETE, PUT");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Accept, Content-Type, Origin, Authorization, X-Auth-Token");
        response.addHeader("Access-Control-Expose-Headers", "X-Auth-Token");

        if (request.getMethod().equals("OPTIONS")) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

}

Request Header

Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:JSESSIONID=BDD1655C91FD8DD73A8A0B021BFFC0E7
Host:192.168.1.66:8080
Origin:http://192.168.1.66:8105
Referer:http://192.168.1.66:8105/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Response Headers

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Accept, Content-Type, Origin, Authorization, X-Auth-Token
Access-Control-Allow-Methods:POST, GET,  DELETE, PUT
Access-Control-Allow-Origin:http://192.168.1.66:8105
Access-Control-Expose-Headers:X-Auth-Token
Access-Control-Max-Age:3600
Cache-Control:no-store, no-cache, must-revalidate, max-age=0
Content-Length:0
Date:Sat, 28 Nov 2015 23:49:56 GMT
Server:Apache-Coyote/1.1

The call I am trying to make is a SocketJS call and its a get call. The following script is being called.

var socket = new SockJS($scope.siteUrl+'/connect?TOKEN='+$localstorage.get('X-AUTH-TOKEN-TRIVIA'));
    $scope.stompClient = Stomp.over(socket);
    $scope.stompClient.connect({"Authorization":"TOKEN" }, function(frame) {
        console.log('Connected: ' + frame);
        stompClient.subscribe($scope.siteUrl+'/socketupdate', function(greeting){
            $scope.activegame = JSON.parse(greeting.body).content;
        });
    });

As you can see, I am passing the token as a query string because for some strange reason SocketJS does not allow me to pass the X-AUTH-TOKEN via header.

My client server is however on a different port. I am building an app utilizing ionic which is a angular based framework.

I notice that the error comes from my WebSocketService

2015-11-29 03:22:32.417  WARN 33932 --- [nio-8080-exec-1] o.s.w.s.s.t.h.DefaultSockJsService       : Origin header value 'http://192.168.1.66:8105' not allowed.

would this mean I have to set something in the WebSocketConfig that will accept this ??

How do you fix origin is not allowed by Access-Control allow origin?

In that case you can change the security policy in your Google Chrome browser to allow Access-Control-Allow-Origin. This is very simple: Create a Chrome browser shortcut. Right click short cut icon -> Properties -> Shortcut -> Target.

How do you ensure CORS response header values are valid?

The CORS request requires that the server permit the use of credentials, but the server's Access-Control-Allow-Credentials header's value isn't set to true to enable their use. To fix this problem on the client side, revise the code to not request the use of credentials.

in your WebsocketConfig.java

@Override
public void registerStompEndpoints(StompEndpointRegistry stompEndpointRegistry) {
    stompEndpointRegistry.addEndpoint("/ws").setAllowedOrigins("*").withSockJS();
}

notice:

.setAllowedOrigins("*")

Origin header value not allowed. Even though URL is allowed

Tags:

java

spring

cross-domain

spring-boot

CorsFilter

Request Header

Response Headers

numerical25

People also ask

1 Answers

carfield

Recent Activity

Donate For Us

Origin header value not allowed. Even though URL is allowed

Tags:

java

spring

cross-domain

spring-boot

CorsFilter

Request Header

Response Headers

numerical25

People also ask

1 Answers

carfield

Related questions

Recent Activity

Donate For Us