on 12-31-2013 11:50 AM
Hi,
While trying to consume data from an OData JSON URL from Hana in our local application, we encounter an error as below,
XMLHttpRequest cannot load http//someurl&$format=json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:XXXX' is therefore not allowed access.
Since this is clearly a Cross Origin issue, we tried adding CORS parameters as below in the .xsaccess file (as in the Hana Developer Guide) to allow Cross Origin requests, but we are still shown the same error as above.
"cors" : // Permit cross-origin browser requests
[ { "enabled" : true } ]
After going through a few posts/blogs, we understood the below parameter needs to be enabled in the Response Header of the OData URL,
"Access-Control-Allow-Origin" = "*";
But we are unsure on which file/place we will need to add this parameter.
Please help us in understanding the below queries,
Thanks in advance!
Regards,
Ram
Adding the CORS entry to the .xsaccess file will create the header. However this only works for anonymous services. If you require authentication then CORS won't work because it doesn't add the header to the authentication response.
Hi Thomas,
I am trying to consume Odata in UI5 Application but I am getting error "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://XXX.com:8000' is therefore not allowed access. The response had HTTP status code 401."
After looking at this post, I understand that the CORS entry in the .xsaccess file is not working, maybe because my service needs authentication.
So, I wanted your help on what needs to be done to fix this?
Regards,
Amit Singh
Hey Thomas,
Thanks for your response. I am on SP 08 as of now but we have SP 09 upgrade planned.
I have the below code in my .xsaccess file. Do you think it will work on SP 09?
{
"authentication" : {"method" : "Basic"},
"exposed": true,
"cors" : { "enabled": true, "allowMethods": ["GET"], "allowOrigin": ["*"] }
}
And I would really appreciate if you can guide me on how to achieve this in SP 08?
Denis Descause 11-Apr-2015 10:15 (in response to Thomas Jung)
Hi Thomas,
I'm having the exact same issue now in SP9, and it was working on SP8.
Here is my .xsaccess file:
{
"exposed" : true,
"authentication" :null,
"force_ssl" : true,
"prevent_xsrf" : false,
"anonymous_connection" : "mypackage.application::AnonConn",
"cors" :
{
"enabled" : true,
"allowMethods":["GET","POST","HEAD","OPTIONS"],
"allowOrigin":["my.server.me"],
"allowCredential":true,
"exposeHeaders": "access-control-allow-headers,access-control-allow-origin,access-control-expose-headers,authorization",
"allowHeaders":"Origin, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control",
"maxAge":"3600"
}
}
I've added exposeHeaders and allowHeaders on SP9 because I got error messages from Chrome and other browsers:
Refused to set unsafe header "Access-Control-Request-Headers"
APIController.js:37 Refused to set unsafe header "Access-Control-Request-Method"
(index):1 XMLHttpRequest cannot load https://hana.... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://my.server.me' is therefore not allowed access.
I tried the XS Admin tool, but I can only see the content of the CORS parameters there. How do I edit them from there?
What's missing or wrong with my .xsaccess now on SP9?
thanks,
best
OK, I found the edit button, re-edited everything and saved with the same content, but nothing changed.
CORS is still not enabled and I always get the error in Chrome:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://beta.flashbrand.me' is therefore not allowed access.
Same thing on Safari, and on Firefox I got the error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://my.server.me:4300/.... This can be fixed by moving the resource to the same domain or enabling CORS.
Is there anything we can try to see and understand what happens?
thanks,
best
Denis
Before we do so, could you please verify that our parameters for CORS are right?
Here is our .xsaccess file:
{
"exposed" : true,
"authentication" :null,
"force_ssl" : true,
"prevent_xsrf" : false,
"anonymous_connection" : "mypackage.application::AnonConn",
"cors" :
{
"enabled" : true,
"allowMethods":["GET","POST","HEAD","OPTIONS"],
"allowOrigin":["my.server.me"],
"allowCredential":true,
"exposeHeaders": "access-control-allow-headers,access-control-allow-origin,access-control-expose-headers,authorization",
"allowHeaders":"Origin, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control",
"maxAge":"3600"
}
}
When debugging under Firefox, it looks like the preflight HTTP OPTIONS request returns with status 200,
but the response body is empty and then no other request is made.
I assume if the preflight was wrong then it would not return a status 200, right?
Is there a trace we could set to see what happens?
Do we need to have a user with a special privilege attached to the sqlcc anonymous to make it work?
What is the process to open a support ticket?
Many thanks
Denis
Hi Denis,
I am unable to resolve the CORS issue in SP08. I have added code similar to yours in the .xsaccess file as specified below:
{
"exposed" : true,
"authentication" :null,
"force_ssl" : true,
"prevent_xsrf" : false,
"anonymous_connection" : "<Package Name.Sub Package.Sub Package >::AnonConn",
"cors" :
{
"enabled" : true,
"allowMethods":["GET"],
"allowOrigin":["10.XXX.X.XXX"],
"allowCredential":true,
"exposeHeaders": "access-control-allow-headers,access-control-allow-origin,access-control-expose-headers,authorization",
"allowHeaders":"Origin, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control",
"maxAge":"3600"
}
}
And I have also created an anonuser.xssqlcc file as
{
"description" : "Anon SQL connection"
}
Please guide me on what is that I am missing here.
Regards,
Amit Singh
Did you declare a user for anonymous in the sqlcc admin page which has rights to access your package?
https://yourhana.server.com:4300/sap/hana/xs/sqlcc
If you are only doing GET, then it may be easier to use JSONP, but JSONP does not support POST, so if you need both then you need CORS.
Best
Denis
Hi Denis,
Were you able to progress further with resolving of the CORS issue in SPS09?
I had a working solution in SPS08 (AWS - Developer Edition), with .xsaccess:
{
"exposed":true,
"cors" : { "enabled" : true },
"authentication" : null,
"anonymous_connection" : "xxx.xxx.services::anonConn"
}
However, it no longer works in SPS09. As per the indication from Thomas, I removed the CORS entry from the .xsaccess and set it via xsadmin:
Although to be honest I'm not sure what I'm doing with setting of exposed headers, allowed headers etc. Thomas said "Adding the CORS entry to the .xsaccess file will create the header", so I imagine we have an additional manual configuration step within xsadmin? Would this be "exposed headers", what value?
Grateful for any pointers, cheers.
I managed to make it work.
Here are the headers I'm using.
Enter them directly in the XS Admin UI for SP9,
in the CORS tab:
Check 'enable Cross Origin'.
Add your server in 'Allowed Origin'.
Put the following in 'Allowed Headers':
Origin, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control
and the following in 'Exposed Headers':
access-control-allow-headers,access-control-allow-origin,access-control-expose-headers,authorization
Maybe I don't need them all, but at least it works like that for me.
Then check 'Get, head, post, options' in 'allowed Methods'.
Then make sure you have an AnonConn.xssqlcc and that in the admin interface, in SQL Connection Configuration, you set a login and password of a user that has access to your package. The password was not used in SP8, but I guess this is now mandatory with SP9; if you don't set this, it will not work.
Then, I don't know which language you use (PHP, JavaScript) on the HTTP request client side, but here are a few lines of JavaScript code which work for me:
var request=new XMLHttpRequest();
...
request.open(callType, url, true); // asynchronous call
request.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
request.withCredentials = false;
request.setRequestHeader("Accept", "application/json");
...
request.send(jsonBody);
Setting too many headers on access-control on the request makes it break, especially with Chrome. It was easier to make it work with Firefox.
I hope this will help you.
best
Denis
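The browser-side checks that come up in this thread, as an added example that is not part of any post and not SAP code: a simplified model of the Fetch standard's CORS rules, showing when a preflight is sent at all and why a preflight answered with status 200 but no Access-Control-* headers is still blocked. The origin `http://app.example` and every request and response object are constructed, and header names are assumed to be lower-case.

```javascript
// Added example: simplified model of browser CORS checks; all data below is constructed.
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_HEADERS = ["accept", "accept-language", "content-language"];
const SAFE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// Request headers that are not CORS-safelisted and therefore force a preflight.
function unsafeHeaders(req) {
  return Object.keys(req.headers).filter((h) => h === "content-type"
    ? !SAFE_TYPES.includes(req.headers[h].split(";")[0].trim().toLowerCase())
    : !SAFE_HEADERS.includes(h));
}

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight(req) {
  return !SAFE_METHODS.includes(req.method) || unsafeHeaders(req).length > 0;
}

// Check applied to every cross-origin response, the preflight included.
function corsCheck(req, res) {
  const allow = res.headers["access-control-allow-origin"];
  if (allow === undefined) return "blocked: no Access-Control-Allow-Origin header";
  if (!req.withCredentials && allow === "*") return "ok";
  if (allow === "*") return "blocked: wildcard origin with credentials";
  if (allow !== req.origin) return "blocked: origin mismatch";
  if (!req.withCredentials) return "ok";
  return res.headers["access-control-allow-credentials"] === "true"
    ? "ok" : "blocked: Access-Control-Allow-Credentials is not true";
}

// Preflight check: a 2xx status is required but is not sufficient.
function preflightCheck(req, res) {
  if (res.status < 200 || res.status > 299) return "blocked: preflight status " + res.status;
  const base = corsCheck(req, res);
  if (base !== "ok") return base;
  const wildcard = (items) => items.includes("*") && !req.withCredentials;
  const methods = list(res.headers["access-control-allow-methods"]);
  if (!SAFE_METHODS.includes(req.method) && !methods.includes(req.method.toLowerCase()) && !wildcard(methods))
    return "blocked: method " + req.method + " not allowed";
  const allowed = list(res.headers["access-control-allow-headers"]);
  const bad = unsafeHeaders(req).find((h) => !allowed.includes(h) && !wildcard(allowed));
  return bad ? "blocked: request header " + bad + " not allowed" : "ok";
}

// Constructed cases: form-encoded POST vs JSON POST, then an empty 200 preflight.
const form = { origin: "http://app.example", method: "POST", withCredentials: false,
  headers: { "content-type": "application/x-www-form-urlencoded", accept: "application/json" } };
const json = { ...form, headers: { "content-type": "application/json" } };
console.log(needsPreflight(form), needsPreflight(json), preflightCheck(json, { status: 200, headers: {} }));
```

The same `corsCheck` applies to a 401 authentication response: without an Access-Control-Allow-Origin header on it, the browser reports the CORS error rather than the 401.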
Denis Descaus's Solution below worked for me.
I had CORS working on SPS 86 and then we moved to 96 and all the CORS requests broke.
His settings worked like a charm!
We added/replaced our ajax request attributes with the following:
contentType:"application/x-www-form-urlencoded",
xhrFields: {withCredentials: false},
headers : {"Accept" : "application/json"},
Dear colleagues,
Were you ever able to solve this issue?
XMLHttpRequest cannot load http://externalserver/SalesOrder/services/SalesOrder.xsodata/$metadata. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.
ODataMetadata.js:6 Uncaught (in promise) Object {message: "HTTP request failed", request: Object, response: Object, statusCode: 0, statusText: ""…}
I'm facing this while executing the code below:
var oModel = new sap.ui.model.odata.v2.ODataModel("http://externalserver/SalesOrder/services/SalesOrder.xsodata");
oView.setModel(oModel);
My .xsaccess file reads like this:
{
"exposed": true
}
If I make a common XMLHttpRequest to this address it works:
http://externalserver:8000/SalesOrder/services/index.html
My Hana XS app is configured like this:
Thanks!