CORS request with Apache HTTP + Web Agent


This topic has 1 reply, 1 voice, and was last updated 5 years, 1 month ago by soma.

    #12943
    soma
    Participant

    Hi,
    I wonder if you can help me. I have a problem with an HTTP DELETE CORS REST API request.

    My infrastructure looks like this:
    1) Apache Tomcat + JEE Policy Agent 3.5 on web.example.com:8080

    2) Apache HTTP 2.4 + Web Policy Agent 4.0.0 on api.example.com:80

    3) Application Server where the REST api is deployed (no OpenAM agent here) on middleware.example.com:8082

    4) OpenAM 13.0.0 on am.example.com:8083, one role for Apache Tomcat Agent and another for Apache HTTP Agent

    My request flow is the following:

    1) log-in to OpenAM with demo user in order to have a valid cookie token
    2) open http://web.example.com:8080/cors-demo
    3) JavaScript makes HTTP DELETE request to http://api.example.com/api/1.0/hello
    4) Apache HTTP passes the request to http://middleware.example.com:8082/api/1.0/hello

    If the OpenAM agent is turned off (AmAgent Off in httpd.conf) then the request reaches the middleware. If I turn on the agent then it does not work.

    GET rest api requests work properly with this infrastructure.

    Here are the requests and responses:

    Use case 1: AmAgent Off

    1st request header

    
    OPTIONS /api/1.0/hello HTTP/1.1
    Host	api.example.com
    User-Agent	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
    Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language	en-US,en;q=0.5
    Accept-Encoding	gzip, deflate
    Access-Control-Request-Method	DELETE
    Origin	http://web.example.com:8080
    Connection	keep-alive
    Cookies: <empty, as it is expected>
    

    1st response header

    
    HTTP/1.1 200 OK
    Date	Thu, 08 Sep 2016 15:20:25 GMT
    Allow	HEAD,DELETE,GET,OPTIONS
    Content-Type	text/html
    Content-Length	0
    Access-Control-Allow-Origin	http://web.example.com:8080
    Access-Control-Allow-Credentials	true
    Access-Control-Allow-Methods	GET, POST, DELETE, PUT, OPTIONS, HEAD
    Access-Control-Allow-Headers	Content-Type, Accept, X-Requested-With, Content-Encoding, Connection, Vary, Host, Accept-Encoding, origin, Referer, Cookie
    Keep-Alive	timeout=5, max=100
    Connection	Keep-Alive
    

    2nd request

    
    DELETE /api/1.0/hello HTTP/1.1
    Host	api.example.com
    User-Agent	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
    Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language	en-US,en;q=0.5
    Accept-Encoding	gzip, deflate
    Referer	http://web.example.com:8080/cors-demo/
    Origin	http://web.example.com:8080
    Cookie	amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4Sfcy1DK5vDygbHKLevmaV_K9kkJR8-FI_Cb8.*AAJTSQACMDEAAlNLABM4NjE5ODA5MTgxMDk0NjgyNzU0AAJTMQAA*
    Connection	keep-alive
    

    2nd response

    
    HTTP/1.1 200 OK
    Date	Thu, 08 Sep 2016 15:20:25 GMT
    Vary	Accept-Encoding
    Content-Encoding	gzip
    Content-Type	application/json
    Content-Length	135
    Access-Control-Allow-Origin	http://web.example.com:8080
    Access-Control-Allow-Credentials	true
    Access-Control-Allow-Methods	GET, POST, DELETE, PUT, OPTIONS, HEAD
    Access-Control-Allow-Headers	Content-Type, Accept, X-Requested-With, Content-Encoding, Connection, Vary, Host, Accept-Encoding, origin, Referer, Cookie
    Keep-Alive	timeout=5, max=100
    Connection	Keep-Alive
    

    This request returns with the proper json response body, works properly.

    Use case 2: AmAgent On

    1st request

    
    OPTIONS /api/1.0/hello HTTP/1.1
    Host	api.example.com
    User-Agent	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
    Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language	en-US,en;q=0.5
    Accept-Encoding	gzip, deflate
    Access-Control-Request-Method	DELETE
    Origin	http://web.example.com:8080
    Connection	keep-alive
    

    1st response

    
    HTTP/1.1 302 Found
    Date	Thu, 08 Sep 2016 15:25:52 GMT
    Server	Apache/2.4.23 (Unix) OpenAM Web Agent/4.0.0
    Location	http://am.example.com:8083/openam/UI/Login?goto=http%3A%2F%2Fapi.example.com%3A80%2api%F1.0%2Fhello
    Content-Length	319
    Keep-Alive	timeout=5, max=100
    Connection	Keep-Alive
    Content-Type	text/html; charset=iso-8859-1
    

    This response is okay, as I expected, because according to the specification the OPTIONS request does not contain any cookies or params. But some CORS related headers are missing from the response.

    2nd request

    
    DELETE /api/1.0/hello HTTP/1.1
    Host	api.example.com
    User-Agent	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
    Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language	en-US,en;q=0.5
    Accept-Encoding	gzip, deflate
    Referer	http://web.example.com:8080/cors-demo/
    Origin	http://web.example.com:8080
    Cookie	iPlanetDirectoryPro=AQIC5wM2LY4Sfcy1DK5vDygbHKLevmaV_K9kkJR8-FI_Cb8.*AAJTSQACMDEAAlNLABM4NjE5ODA5MTgxMDk0NjgyNzU0AAJTMQAA*
    

    2nd response

    
    empty
    

    Error in the web browser because the 1st response does not contain the CORS related header information:

    
    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://api.example.com/api/1.0/hello.
    (Reason: CORS header 'Access-Control-Allow-Origin' missing).
    

    Question:
    Can I somehow manage the CORS OPTIONS response headers with OpenAM? I guess not.

    Could you please help me to configure my Apache HTTP VirtualHost properly for use case 2? I need to add the Access-Control-Allow-* properties to the response header.

    Apache HTTP configuration:

    <VirtualHost api.example.com:80>
        LogLevel dumpio:trace7
        DumpIOInput On
        DumpIOOutput On

        ServerName api.example.com
        ServerAlias api.example.com

        DocumentRoot "/home/user/servers/apache-http/www/api.example.com"

        AmAgent On
        AmAgentConf /home/user/servers/apache-http/openam/agent/instances/agent_1/config/agent.conf

        <IfModule mod_headers.c>
            Header unset Server
            Header unset X-Powered-By
            Header set Server ""
            # "Header set" only applies to 2xx responses; the "always" condition is
            # needed for these headers to be added to the agent's 302 as well.
            # A preflight still needs a 2xx status to pass the browser's check, so
            # the redirect on OPTIONS must itself be avoided for the flow to work.
            Header always set Access-Control-Allow-Origin "http://web.example.com:8080"
            Header always set Access-Control-Allow-Credentials "true"
            Header always set Access-Control-Allow-Methods "GET, POST, DELETE, PUT, OPTIONS, HEAD"
            Header always set Access-Control-Allow-Headers "Content-Type, Accept, X-Requested-With, Content-Encoding, Connection, Vary, Host, Accept-Encoding, origin, Referer, Cookie"
        </IfModule>

        ErrorLog "..."
        CustomLog "..." common

        ProxyPass /api http://middleware.example.com:8082/api
        ProxyPassReverse /api http://middleware.example.com:8082/api
    </VirtualHost>
    
    #12951
     soma
    Participant

    Additional info

    I can see this in the Apache HTTP log:

    
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (data-HEAP): 231 bytes
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (data-HEAP): HTTP/1.1 200 OK\r\nDate: Fri, 09 Sep 2016 05:07:16 GMT\r\nServer: Apache/2.4.23 (Unix) OpenAM Web Agent/4.0.0\r\nContent-Length: 499\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
    [client 127.0.0.1:33770] mod_dumpio: dumpio_out
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (data-HEAP): 499 bytes
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (data-HEAP): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>200 OK</title>\n</head><body>\n<h1>OK</h1>\n<p>The server encountered an internal error or\nmisconfiguration and was unable to complete\nyour request.</p>\n<p>Please contact the server administrator at \n [email protected] to inform them of the time this error occurred,\n and the actions you performed just before this error.</p>\n<p>More information about this error may be available\nin the server error log.</p>\n</body></html>\n
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (metadata-EOS): 0 bytes
    [client 127.0.0.1:33770] mod_dumpio: dumpio_out
    [client 127.0.0.1:33770] mod_dumpio:  dumpio_out (metadata-EOR): 0 bytes
    [client 127.0.0.1:33770] mod_dumpio: dumpio_in [speculative-nonblocking] 1 readbytes
    [remote 127.0.0.1:33770] mod_dumpio: dumpio_out
    [remote 127.0.0.1:33770] mod_dumpio:  dumpio_out (metadata-EOC): 0 bytes
    [client 127.0.0.1:33768] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
    [client 127.0.0.1:33768] mod_dumpio: dumpio_in - 70014
    [client 127.0.0.1:33768] mod_dumpio: dumpio_out
    [client 127.0.0.1:33768] mod_dumpio:  dumpio_out (metadata-FLUSH): 0 bytes
    [client 127.0.0.1:33768] mod_dumpio:  dumpio_out (metadata-EOC): 0 bytes
    

    Maybe I need to ask for the solution on the Apache HTTP forum?
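As an added example (not code from this thread or from ForgeRock), the following Python script applies the browser-side CORS preflight rules to the responses captured in both posts above: the 200 with CORS headers from use case 1, the 302 login redirect from use case 2, and the "200 OK" error page seen in the mod_dumpio log of the second post. A fourth response is constructed here as an assumption: the same 302 after switching the VirtualHost to `Header always set`, to show that adding the headers alone does not make a redirected preflight pass. The names `Response`, `parse_dump`, `check_cors` and `evaluate_cases` are this example's own.

```python
"""Apply a browser's CORS preflight checks to captured header dumps.

Added example, not part of the forum thread. The header dumps below are
copied from the thread (tab-separated browser capture and mod_dumpio
format); the "Header always set" variant is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Methods that never require a preflight Access-Control-Allow-Methods entry.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
ORIGIN = "http://web.example.com:8080"


@dataclass
class Response:
    """Status code plus headers with case-insensitive lookup."""
    status: int
    headers: Dict[str, str]

    def get(self, name: str) -> Optional[str]:
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_dump(text: str) -> Response:
    """Parse a status line followed by 'Name<TAB>value' or 'Name: value' lines."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    match = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not match:
        raise ValueError(f"not a status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        # The separator is whichever comes first: a tab or a colon.
        parts = re.split(r"\t+|:\s*", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"cannot parse header line: {line!r}")
        headers[parts[0].strip()] = parts[1].strip()
    return Response(int(match.group(1)), headers)


def check_cors(resp: Response, origin: str, method: str,
               credentials: bool = True, preflight: bool = True) -> List[str]:
    """Return the reasons a browser would block this response (empty = allowed)."""
    problems: List[str] = []
    if preflight and not 200 <= resp.status <= 299:
        problems.append(f"preflight status {resp.status} is not 2xx; "
                        "browsers do not follow redirects for a preflight")
    allow_origin = resp.get("Access-Control-Allow-Origin")
    if allow_origin is None:
        problems.append("CORS header 'Access-Control-Allow-Origin' missing")
    elif allow_origin == "*":
        if credentials:
            problems.append("'*' origin is rejected when cookies are sent")
    elif allow_origin != origin:
        problems.append(f"Allow-Origin {allow_origin!r} does not match {origin!r}")
    # The credentials flag must be exactly "true" for a request that carries cookies.
    if credentials and resp.get("Access-Control-Allow-Credentials") != "true":
        problems.append("Access-Control-Allow-Credentials must be 'true'")
    if preflight and method.upper() not in SAFELISTED_METHODS:
        raw = resp.get("Access-Control-Allow-Methods") or ""
        allowed = {m.strip().upper() for m in raw.split(",") if m.strip()}
        if method.upper() not in allowed:
            problems.append(f"method {method} not in Access-Control-Allow-Methods")
    return problems


# Use case 1 (AmAgent Off): preflight response as captured in the thread.
PREFLIGHT_AGENT_OFF = """HTTP/1.1 200 OK
Allow\tHEAD,DELETE,GET,OPTIONS
Access-Control-Allow-Origin\thttp://web.example.com:8080
Access-Control-Allow-Credentials\ttrue
Access-Control-Allow-Methods\tGET, POST, DELETE, PUT, OPTIONS, HEAD
"""

# Use case 2 (AmAgent On): the agent answers the preflight with a login redirect.
PREFLIGHT_AGENT_ON = """HTTP/1.1 302 Found
Server\tApache/2.4.23 (Unix) OpenAM Web Agent/4.0.0
Location\thttp://am.example.com:8083/openam/UI/Login?goto=http%3A%2F%2Fapi.example.com%3A80%2api%F1.0%2Fhello
Content-Type\ttext/html; charset=iso-8859-1
"""

# Constructed (assumption): the same 302 once the CORS headers are emitted
# with "Header always set". Headers are present, but the status is still 302.
PREFLIGHT_302_WITH_CORS = PREFLIGHT_AGENT_ON + """Access-Control-Allow-Origin\thttp://web.example.com:8080
Access-Control-Allow-Credentials\ttrue
Access-Control-Allow-Methods\tGET, POST, DELETE, PUT, OPTIONS, HEAD
"""

# Second post, mod_dumpio capture: a 200 error page with no CORS headers at all.
PREFLIGHT_DUMPIO = ("HTTP/1.1 200 OK\r\nDate: Fri, 09 Sep 2016 05:07:16 GMT\r\n"
                    "Server: Apache/2.4.23 (Unix) OpenAM Web Agent/4.0.0\r\n"
                    "Content-Length: 499\r\nKeep-Alive: timeout=5, max=100\r\n"
                    "Connection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n")


def evaluate_cases() -> Dict[str, List[str]]:
    """Run the DELETE preflight check against every captured/constructed response."""
    cases = {
        "agent off (200 with CORS headers)": PREFLIGHT_AGENT_OFF,
        "agent on (302 to login, no CORS headers)": PREFLIGHT_AGENT_ON,
        "agent on + Header always set (302 with CORS headers)": PREFLIGHT_302_WITH_CORS,
        "agent on, mod_dumpio 200 error page (no CORS headers)": PREFLIGHT_DUMPIO,
    }
    return {name: check_cors(parse_dump(dump), ORIGIN, "DELETE")
            for name, dump in cases.items()}


if __name__ == "__main__":
    for name, problems in evaluate_cases().items():
        print(f"{name}: {'allowed' if not problems else 'BLOCKED'}")
        for p in problems:
            print(f"  - {p}")
```

Only the agent-off capture comes back with no problems. The login redirect fails on four counts, and the same redirect with the CORS headers added still fails on the status alone, which is why the mod_headers change on its own cannot fix use case 2: the OPTIONS request has to reach a 2xx response without being intercepted by the agent's login redirect.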
