I have followed the Angular 2 tour of Heroes tutorial to the T, and I have successfully implemented the displaying of the heroes (I renamed them to employees).
However, the tutorial uses an in memory mock web server. When I try to pass a localhost url (that displays json) from my spring-boot backend, I get this error:
XMLHttpRequest cannot load http://localhost:8080/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access
However, if I decide to use an online web api, for example :
https://jsonplaceholder.typicode.com/users
Then it works perfectly fine.
Any help would be greatly appreciated.
There was indeed duplicate questions (I posted since none of them seemed to have solved my problem). Turns out one of them did put me on the right track. I just had to put
#CrossOrigin(origin ="http://localhost:3000")
on top of my controller class in Spring. This enabled CORS in spring.
For more details, look here
https://spring.io/blog/2015/06/08/cors-support-in-spring-framework
Related
I'm starting to design a RESTful server with Java, using the Httpserver class. I have a couple of tasks to do let's start with one:
The user must be able to discover the uri with a Read (GET) call to a predefined URI: "/index"
Like this: GET /index -> {/a, /b, /c}
everything is contained in a repository (a folder), how do I link that folder to / index?
probably it's a simple thing, but I don't know where to start, I accept advice and even sources that you can consult. Thank you
I created the server and it works, I leave you the code server codeserver code
I also created an index page where I put all the call handling for the index page into it
indexPage
There are a number of ways you can do this
HATEOAS describes a way to return links as part of a response - see here https://en.wikipedia.org/wiki/HATEOAS
you could also use OpenAPI to provide documentation for your apis to describe what apis are available https://swagger.io/solutions/api-documentation/
I downloaded the Azure AD with spring boot from https://github.com/microsoft/azure-spring-boot. Its all nice and works well as long as I run theazure-active-directory-spring-boot-sample using
mvn spring-boot:run
as shown in the README file.
I am trying just a basic real-life scenario where the angular/react app is running separately on a separate port using npm. The moment I separated them out the main Filter AADAuthenticationFilter is only invoked once on the first request where it does token verification and never again for subsequent requests.
I went around and configured an nginx proxy so that the domains of these two are now same
localhost:9999 and I redirect based on the next path like web for the npm and app for the Spring boot. This enabled the cookies to be available at every request.
This helps because what I learned is that Spring uses cookies to maintain a session. But ideally, the AAD filter should revalidate the token every request.
But if I add a property of azure.activedirectory.session-stateless=true to my application.properties, as mentioned in the filter's code to make it stateless and validate on every request. It expects roles as a different attribute in AD instead of it being a group of the user.
I also don't understand get the behaviour, when the js files are embedded within the spring app and run all this works perfectly fine and the filter is invoked at every request. But when I separate them out it just doesn't work.
Any help or pointers would be appreciated.
I realize that a lot more info may be required for someone to debug the above problem. But I was just able to solve this - at least found the problem that was causing it. Like I mentioned earlier the problem started when I separated the client and spring APIs. And since the client was not able to send back the cookies set by server, due to change in domains I had to put a proxy server.
What I found out later was that every GET request was always invoking the AAD filter. Even multiple requests. But other requests like POST, PUT were failing. I tried disabling the csrf config in spring WebSecurityConfig.java -->> http.csrf().disable();
This solved my problem and now I receive a request and all works as expected. Now I am trying to figure out how not to disable csrf completely.
Thanks
i am currently working on a project involving spring security (for OAuth2).
We are using the authorization_code flow.
However when the client hits the AuthorizationEndpoint (/oauth/authorize)
we get an "InsufficientAuthenticationException".
This may be due to an external system which is also involved in this flow which performs a redirect for the client, sending him to the /oauth/authorize endpoint.
From what I understand by looking through the debug logfile and from reading the source code, the principal is null which is used in the AuthorizationEndpoint.authorize method (specifically line 138, we are using spring-security-oauth2-2.0.7.RELEASE).
I understand what spring's problem is at this point (it does not "know" the user who is already authenticated with the system) but I do not understand which information specifically spring uses to identify the user (I guess this would be my central question)
I tried performing a GET against /oauth/authorize with the correct parameters and sending with the request the authorization header containing the bearer access token but spring always throws the InsufficientAuthenticationException. I'm hoping somebody can help me with this.
Best regards
p.s.
I am going to answer my own question here for the sake of documentation.
TJ basically pointed me in the right direction.
In my case, the InsufficientAuthenticationException stems from a slightly wrong setup of the whole stack. For delivering the content to users an apache is used which also serves as a reverse proxy, truncating the root context of the application deployed on the tomcat behind it.
The answer which finally solved my problem can be found here.
The problem actually was, that the session cookie contained an invalid path (the path attribute still contained the rootcontext, because tomcat has not been made aware that the apache in front of it is truncating the rootcontext to just "/".) So setting the path on tomcat side via setSessionCookie="/" in tomcat's context.xml did the trick.
So, when a redirect hit spring's oauth/authorize endpoint it did so with a session cookie containing the wrong path. because of this, for spring the request seemed to originate from an unauthenticated source, thus leaving me scratching my head about the InsufficientAuthenticationException.
Got my Glass last week. Working on running the Java version of the Quick Starter Glassware demo. I am having trouble with the OAuth callback. Do I need set this up myself? Or is there source included in the sample somewhere? Please help!
Clarification: I have set up my own project with the Java Quick Starter app's code, deployed it in EC2 and have set up the Client-ID and Client-secret in the Google APIs Console. I set the Redirect URI as http://<my server>/<my-app>/oauth2callback. When I visit the app in the browser, I get a 404 error that /oauth2callback is not found. I also tried setting the Redirect URI to just my app's root, i.e. http://<my server>/<my app>. Strangely, I still get the same error that /oauth2callback is not found.
Additional questions: Can you please clarify what the callback URL needs to be set to? Is the handler code already included in the quick-start-demo app or do I need to provide that code?
I think the problem is that you're not using a URL that actually maps to your server and servlet container. Try hitting the URLs directly from a browser and make sure they show up in your server and servlet container logs.
The callback url needs to be set to the oauth2callback servlet, relative to the path that leads to the server and servlet container. I don't know how you've set these up, so I can only guess, but it sounds like the <my app> portion isn't correct.
The handler code is included as part of the webapp. See the web.xml file to see the path mapping and the servlet object that it maps to. In this case, around line 53, oauth2callback is mapped to the com.google.glassware.AuthServlet class.
Update: See also the answer posted at Java Google glass starter project mapping in AWS EC2
I encountered a weird stuff and I've been struggling with it for a while now. Google AppEngine is processing my POST requests as GET. I've tried 3 different REST clients and they produced the same error (an html document that said GET is not available for the specified URL; but for God's sake I sent a POST!).
I'm using Java, and I've set the web.xml file correctly. Please note that this is not the first servlet in the project that responds to POST and others have worked properly. To complicate matters, this same servlet responds to POST normally when I run the app on my local development appengine server. I've cleaned and rebuilt the project several times and even changed the URL of the servlet but the problem still persists. Any help? Thanks.
The most common reason for this is that your POST is redirected for some reason, and redirects are always GET. What does the logging console say?
I was using the non secure url and it redirects POST to GET. Using https fixed this.