I am not sure if the issue is the technologies involved, or my understanding of the technologies.
I have an HTML5 application written in JavaScript and HTML, hosted on an Apache 2.2 server.
I have a Java application written in Java using Jetty, Guice, Jackson and Jersey that hosts a simple REST service.
Both applications run on the same box, one on port 80 (pure HTML5 application hosted on Apache), the other on 8080 (pure Java application hosted on Jetty/Guice).
I believe the answer is in the headers I'm sending back. The CORS headers tell a browser that you allow outside applications to hit your API. I cannot seem to figure out how to configure my Jetty/Guice server to return the correct CORS headers.
I am using an embedded Jetty server, so I do not have a web.xml file to add the headers with.
It also might be something to do with how the HTML5 application server (in this case Apache 2.2) is serving the application.
The Apache httpd.conf file has the entry:

    LoadModule headers_module modules/mod_headers.so
    # IfModule takes the module's source file name (or its identifier, headers_module)
    <IfModule mod_headers.c>
        # Header syntax is: Header add <name> "<value>" (no colon after the name)
        Header add Access-Control-Allow-Origin "*"
        Header add Access-Control-Allow-Methods "POST, GET, OPTIONS, PUT, DELETE, HEAD"
        Header add Access-Control-Allow-Headers "X-PINGOTHER"
        Header add Access-Control-Max-Age "1728000"
    </IfModule>

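In my Guice servlet configuration I have the following:

    import java.util.HashMap;
    import java.util.Map;
    import com.google.inject.Scopes;
    import com.google.inject.servlet.ServletModule;
    import com.sun.jersey.api.core.ResourceConfig;
    import com.sun.jersey.guice.spi.container.servlet.GuiceContainer;
    // Jackson 1.x package assumed; Jackson 2.x uses com.fasterxml.jackson.jaxrs.json
    import org.codehaus.jackson.jaxrs.JacksonJsonProvider;

    public class RestModule extends ServletModule {
        @Override
        protected void configureServlets() {
            bind(QuestbookService.class);
            // hook Jersey into Guice Servlet
            bind(GuiceContainer.class);
            // hook Jackson into Jersey as the POJO <-> JSON mapper
            bind(JacksonJsonProvider.class).in(Scopes.SINGLETON);
            Map<String, String> guiceContainerConfig = new HashMap<String, String>();
            guiceContainerConfig.put(ResourceConfig.PROPERTY_RESOURCE_FILTER_FACTORIES,
                    HttpStatusCodeMetricResourceFilterFactory.class.getCanonicalName());
            serve("/*").with(GuiceContainer.class, guiceContainerConfig);
        }
    }
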
I think the problem is in my guice config since I don't have a place to set the response headers.
I am using an embedded jetty server and thus I figured dev mode would bypass the whole check, but I could be wrong.
Thank you for any advice.
In that case you can change the security policy in your Google Chrome browser to allow Access-Control-Allow-Origin. This is very simple: Create a Chrome browser shortcut. Right-click the shortcut icon -> Properties -> Shortcut -> Target.
Enable CORS support on a REST API resource: Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway . Choose the API from the APIs list. Choose a resource under Resources. This will enable CORS for all the methods on the resource.
If the server is under your control, add the origin of the requesting site to the set of domains permitted access by adding it to the Access-Control-Allow-Origin header's value. You can also configure a site to allow any site to access it by using the * wildcard. You should only use this for public APIs.
Just put one line in your code file:

    response.addHeader("Access-Control-Allow-Origin", "*");

Replace * with your http://www.yoursite.com if you want to allow only a particular domain.