From JavaScript I used:

xhr.setRequestHeader("Authorization", make_base_auth(username,password));

However the HTTP request doesn't have an Authorization header:

OPTIONS /restService/index?_=1362589672203 HTTP/1.1
Host: myappinheroku.herokuapp.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-MX,es-ES;q=0.8,es-AR;q=0.7,es;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://127.0.0.1:8081
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization,content-type
Connection: keep-alive

It seems that authentication is being ignored entirely. What is wrong? How do we enable authentication for CORS?


This is the server's response of above request:

HTTP/1.1 401 Full authentication is required to access this resource
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: origin, authorization, accept, content-type, x-requested-with
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Server: Jetty(7.x.y-SNAPSHOT)
Set-Cookie: JSESSIONID=6smxjnlqelmc1lg98ain16wv7;Path=/
WWW-Authenticate: Basic realm="Ralph's Bait and Tackle"
Transfer-Encoding: chunked
Connection: keep-alive
Pacerier
asked Mar 6, 2013 at 17:24
  • How did you obtain the request and response? Try to take a look in Fiddler and compare them to a valid request. Commented Mar 6, 2013 at 17:31
  • @CodeCaster I get the requests with Firebug; a valid request sends something like this: Authorization: Basic YXNkZjphZg== but my request sends a global header: Access-Control-Request-Headers: authorization,content-type Commented Mar 6, 2013 at 17:37

1 Answer

The value * cannot be used for the Access-Control-Allow-Origin header when Access-Control-Allow-Credentials is true. You will need to set Access-Control-Allow-Origin to the value of the Origin itself (i.e. http://127.0.0.1:8081 in this case).

Also note that the auth credentials are not sent on the preflight request. They are only sent on the actual request. The preflight is only used to verify that the CORS request is allowed, it should not do any authentication itself.

answered Mar 6, 2013 at 17:34
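As an added example (not code from the question, the answer, or the Jetty/Spring application involved), here is a minimal Node-style request handler that applies both points above: it answers the preflight before the authentication layer sees it, and it echoes a listed Origin instead of `*`. The allow-list, the `checkBasicAuth` stub and the sample credentials `asdf:af` (the pair from the comment above) are assumptions of this example.

```javascript
// Added example: CORS preflight + Basic auth handled as a pure function,
// so the behaviour can be checked offline without a browser or server.
// ALLOWED_ORIGINS, checkBasicAuth, corsHeaders and handle are this example's own names.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:8081"]); // assumed allow-list

// Hypothetical credential check standing in for the real authentication layer.
function checkBasicAuth(header) {
  if (!header || !header.startsWith("Basic ")) return false;
  const decoded = Buffer.from(header.slice(6), "base64").toString("utf8");
  const [user, pass] = decoded.split(":");
  return user === "asdf" && pass === "af"; // constructed sample credentials
}

function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // unknown origin: no CORS headers at all
  return {
    // Echo the concrete Origin: browsers reject "*" for credentialed requests.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "authorization, content-type",
    "Access-Control-Max-Age": "3600",
    // The echoed value depends on the Origin, so caches must key on it.
    "Vary": "Origin",
  };
}

// req = { method, headers: { origin, authorization, "access-control-request-method" } }
function handle(req) {
  const headers = corsHeaders(req.headers.origin);
  const isPreflight = req.method === "OPTIONS" && req.headers["access-control-request-method"];
  // The preflight carries no Authorization header by design, so it must be
  // answered before authentication; a 401 here stops the real request from ever being sent.
  if (isPreflight) {
    return { status: Object.keys(headers).length ? 204 : 403, headers, body: "" };
  }
  if (!checkBasicAuth(req.headers.authorization)) {
    headers["WWW-Authenticate"] = 'Basic realm="example"';
    return { status: 401, headers, body: "" };
  }
  return { status: 200, headers, body: "ok" };
}
```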