
The XUI is unhappy when the CORS filter is enabled

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 12.0.0, 13.0.0, 14.0.0
    • Fix Version/s: None
    • Component/s: authentication, XUI
    • Sprint: AM Sustaining Sprint 13, AM Sustaining Sprint 14

      Description

      For some obscure reason, when the CORS filter is enabled in web.xml, the XUI starts misbehaving (even though the XUI has the same origin as the REST API), i.e. instead of rendering the page it displays an error message. I expect that this misbehavior can be corrected by adding all required headers to the Allow-Headers header in the CORS filter.

      It should be determined why the CORS filter affects the XUI at all.
      For cases when users want to use the XUI on a different origin (if that even makes sense), the documentation should list the necessary CORS filter options required to make the XUI work without any issues.

      Reproduction steps:

      Add the following to your tomcat/.../conf/web.xml file and restart tomcat.

        <filter>
          <filter-name>CORSFilter</filter-name>
          <filter-class>org.forgerock.openam.cors.CORSFilter</filter-class>
          <!-- HTTP methods the filter accepts for cross-origin requests -->
          <init-param>
            <param-name>methods</param-name>
            <param-value>GET,POST,PUT,PATCH,OPTIONS,DELETE</param-value>
          </init-param>
          <!-- response headers the browser is allowed to read -->
          <init-param>
            <param-name>exposeHeaders</param-name>
            <param-value>Cache-Control,Content-API-Version,Content-Length,Content-Type,Date,Expires,Pragma,Set-Cookie,X-Frame-Options</param-value>
          </init-param>
          <!-- request headers the filter accepts (advertised in Allow-Headers) -->
          <init-param>
            <param-name>headers</param-name>
            <param-value>Accept,Accept-API-Version,Accept-Encoding,Accept-Language,Cache-Control,Connection,Content-Length,Content-Type,Cookie,Host,Origin,Pragma,Referer,User-Agent,X-NoSession,X-Password,X-Requested-With,X-Username</param-value>
          </init-param>
          <!-- origins permitted to call the REST API -->
          <init-param>
            <param-name>origins</param-name>
            <param-value>null,127.0.0.1:8080,http://127.0.0.1:8080,openam.example.com,http://openam.example.com,http://openam.example.com:8080,openam.example.com:8080</param-value>
          </init-param>
          <!-- allow cookies (the session token) on cross-origin requests -->
          <init-param>
            <param-name>allowCredentials</param-name>
            <param-value>true</param-value>
          </init-param>
        </filter>
        <!-- apply the filter to the REST endpoints only -->
        <filter-mapping>
          <filter-name>CORSFilter</filter-name>
          <url-pattern>/json/*</url-pattern>
        </filter-mapping>
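        As an added example (not part of this issue or of OpenAM's code), the following Python reads the CORS filter's init-params out of a web.xml fragment and evaluates a constructed preflight request against them, so the header or origin that falls outside the configured lists can be named before touching a live server. The allow-list rules in check_preflight are a simplified model assumed for this example, not OpenAM's CORSFilter logic, and the WEB_XML fragment is a shortened, constructed copy of the configuration above.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment mirroring the filter from the reproduction steps
# (lists shortened; not copied from a real deployment).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>CORSFilter</filter-name>
    <filter-class>org.forgerock.openam.cors.CORSFilter</filter-class>
    <init-param><param-name>methods</param-name><param-value>GET,POST,PUT,PATCH,OPTIONS,DELETE</param-value></init-param>
    <init-param><param-name>headers</param-name><param-value>Accept,Content-Type,Cookie,X-Requested-With</param-value></init-param>
    <init-param><param-name>origins</param-name><param-value>http://openam.example.com:8080,openam.example.com:8080</param-value></init-param>
    <init-param><param-name>allowCredentials</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""

def load_cors_params(web_xml, filter_name="CORSFilter"):
    """Return the named filter's init-params as normalised sets and flags."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.rpartition("}")[2]  # drop the Java EE namespace so plain tag names match
    for flt in root.iter("filter"):
        if flt.findtext("filter-name") != filter_name:
            continue
        raw = {p.findtext("param-name"): (p.findtext("param-value") or "")
               for p in flt.findall("init-param")}
        split = lambda key, norm: {norm(v.strip()) for v in raw.get(key, "").split(",") if v.strip()}
        return {
            "methods": split("methods", str.upper),
            "headers": split("headers", str.lower),  # header names are case-insensitive
            "origins": split("origins", str.lower),
            "allow_credentials": raw.get("allowCredentials", "").strip().lower() == "true",
        }
    raise ValueError(f"no <filter> named {filter_name} in web.xml")

def check_preflight(cfg, origin, method, request_headers):
    """Simplified allow-list model of a CORS preflight decision (an assumption
    made for this example, not OpenAM's CORSFilter logic). Returns (ok, problems)."""
    problems = []
    # Browsers send Origin with a scheme (http://host:port), so a list entry
    # without one, such as openam.example.com:8080, can never match a real Origin.
    if origin.lower() not in cfg["origins"]:
        problems.append(f"origin not allowed: {origin}")
    if method.upper() not in cfg["methods"]:
        problems.append(f"method not allowed: {method}")
    missing = [h for h in request_headers if h.lower() not in cfg["headers"]]
    if missing:
        problems.append("request headers not in allowed list: " + ", ".join(missing))
    return (not problems, problems)
```

Running check_preflight(load_cors_params(WEB_XML), "http://openam.example.com:8080", "POST", ["Content-Type", "Accept-API-Version"]) reports Accept-API-Version as the header missing from the shortened list, which is the kind of gap the description suspects for the XUI.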
      

        People

        • Assignee: Unassigned
        • Reporter: Zoltan Tarcsay (zoltan.tarcsay)