CORS Issue while consuming Hana's OData

0 Kudos

Hi,

While trying to consume data from an OData JSON URL from HANA in our local application, we encounter the error below:

XMLHttpRequest cannot load http//someurl&$format=json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:XXXX' is therefore not allowed access.

Since this is clearly a cross-origin issue, we tried adding the CORS parameters below to the .xsaccess file (as in the HANA Developer Guide) to allow cross-origin requests, but we are still shown the same error as above.

"cors" :   // Permit cross-origin browser requests
    [
        { "enabled" : true }
    ]

After going through a few posts/blogs, we understood that the below parameter needs to be enabled in the response header of the OData URL:

"Access-Control-Allow-Origin" = "*";


But we are unsure on which file/place we will need to add this parameter.

Please help us in understanding the below queries,

  1. Do we need to add "Access-Control-Allow-Origin" = "*" to the request header even if we enable CORS in the ".xsaccess" file?
  2. If yes, in which file/place do we need to add this parameter (since we're very much a DB resource we aren't sure where to add it in the OData HANA package)?

Thanks in advance!

Regards,

Ram

Accepted Solutions (1)

thomas_jung
Developer Advocate
0 Kudos

Adding the CORS entry to the .xsaccess file will create the header. However this only works for anonymous services.  If you require authentication then CORS won't work because it doesn't add the header to the authentication response. 

0 Kudos

Thank you Thomas! Indeed adding CORS entry in .xsaccess file creates the header.

But we found adding the below parameter to getJson allows authentication in CORS of HANA ODATA services,

xhrFields: {withCredentials: true}

Regards,

Ram

0 Kudos

Hi Thomas,

I am trying to consume Odata in UI5 Application but I am getting error "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://XXX.com:8000' is therefore not allowed access. The response had HTTP status code 401."

After looking at this post, I understand that the CORS entry in the .xsaccess file is not working, maybe because my service needs authentication.

So, I wanted your help on what needs to be done to fix this?

Regards,

Amit Singh

thomas_jung
Developer Advocate
0 Kudos

What version of HANA are you on?  Since SPS 09 the CORS support is greatly expanded. It has more configuration options and can be set to support the authentication request as well.

0 Kudos

Hey Thomas,

Thanks for your response. I am on SP 08 as of now but we have SP 09 upgrade planned.

I have below code in my .xsaccess file. Do you think it will work on SP 09?

{
    "authentication" : {"method" : "Basic"},
    "exposed": true,
    "cors" : { "enabled": true, "allowMethods": ["GET"], "allowOrigin": ["*"] }
}

And I would really appreciate if you can guide me on how to achieve this in SP 08?

thomas_jung
Developer Advocate
0 Kudos

You should set the advanced CORS settings via the XSADMIN tool not in the XSACCESS file itself.

Former Member
0 Kudos

   Denis Descause Glass

    

  

Hi Thomas ,

I'm having the exact same issue now in SP9, and it was working on SP8.

Here is my .xsaccess file:

{
    "exposed" : true,
    "authentication" : null,
    "force_ssl" : true,
    "prevent_xsrf" : false,
    "anonymous_connection" : "mypackage.application::AnonConn",
    "cors" :
        {
            "enabled" : true,
            "allowMethods" : ["GET","POST","HEAD","OPTIONS"],
            "allowOrigin" : ["my.server.me"],
            "allowCredential" : true,
            "exposeHeaders" : "access-control-allow-headers,access-control-allow-origin,access-control-expose-headers,authorization",
            "allowHeaders" : "Origin, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control",
            "maxAge" : "3600"
        }
}

I've added exposeHeaders and allowHeaders on SP9 because I got error messages from Chrome and other browsers:

Refused to set unsafe header "Access-Control-Request-Headers"

APIController.js:37 Refused to set unsafe header "Access-Control-Request-Method"

(index):1 XMLHttpRequest cannot load https://hana.... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://my.server.me' is therefore not allowed access.

I tried the XS Admin tool but I can only see the content of the CORS parameters there. How do I edit them from there?

What's missing or wrong with my .xsaccess now on SP9?

thanks,

best

thomas_jung
Developer Advocate
0 Kudos

In SPS09 you shouldn't maintain the CORS settings directly in the xsaccess file but only via XSADMIN.

>I tried the XS Admin tool but I can only see the content of the CORS parameters there. How do I edit them from there?

Do you have the edit button in the lower right side of the screen?

Former Member
0 Kudos

OK, I found the edit button, re-edited everything and saved with the same content, but nothing changed.

CORS is still not enabled and I always get the error in Chrome:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://beta.flashbrand.me' is therefore not allowed access.

Same thing on Safari, and on Firefox I got the error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://my.server.me:4300/.... This can be fixed by moving the resource to the same domain or enabling CORS.

Is there anything we can try to see and understand what happens?

thanks,

best

Denis

thomas_jung
Developer Advocate
0 Kudos

If it was working on SPS08 and stopped on SPS09 and you've correctly edited the settings in XSACESS; then I suggest you open a support ticket on this issue.

Former Member
0 Kudos

Before we do so, could you please verify that our parameters for CORS are right?

Here is our .xsaccess file:

{
    "exposed" : true,
    "authentication" : null,
    "force_ssl" : true,
    "prevent_xsrf" : false,
    "anonymous_connection" : "mypackage.application::AnonConn",
    "cors" :
        {
            "enabled" : true,
            "allowMethods" : ["GET","POST","HEAD","OPTIONS"],
            "allowOrigin" : ["my.server.me"],
            "allowCredential" : true,
            "exposeHeaders" : "access-control-allow-headers,access-control-allow-origin,access-control-expose-headers,authorization",
            "allowHeaders" : "Origin, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control",
            "maxAge" : "3600"
        }
}

When debugging under Firefox it looks like the preflight HTTP OPTIONS request returns with status 200, but the response body is empty and then no other request is made.

I assume if the preflight was wrong then it would not return a status 200, right?

Is there a trace we could set to see what happens?

Do we need to have a user with a special privilege attached to the anonymous sqlcc to make it work?

What is the process to open a support ticket?

Many thanks

Denis

0 Kudos

Hi Denis,

I am unable to resolve the CORS issue in SP08. I have added code similar to yours in the .xsaccess file, as specified below:

{
    "exposed" : true,
    "authentication" : null,
    "force_ssl" : true,
    "prevent_xsrf" : false,
    "anonymous_connection" : "<Package Name.Sub Package.Sub Package >::AnonConn",
    "cors" :
        {
            "enabled" : true,
            "allowMethods" : ["GET"],
            "allowOrigin" : ["10.XXX.X.XXX"],
            "allowCredential" : true,
            "exposeHeaders" : "access-control-allow-headers,access-control-allow-origin,access-control-expose-headers,authorization",
            "allowHeaders" : "Origin, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control",
            "maxAge" : "3600"
        }
}

And I have also created an anonuser.xssqlcc file as:

{
    "description" : "Anon SQL connection"
}

Please guide me on what is that I am missing here.

Regards,

Amit Singh

Former Member
0 Kudos

Did you declare a user for anonymous in the sqlcc admin page which has rights to access your package?

https://yourhana.server.com:4300/sap/hana/xs/sqlcc

If you are only doing GET, then it may be easier to use JSONP, but JSONP does not support POST, so if you need both then you need CORS.

Best

Denis

former_member182500
Contributor
0 Kudos

Hi Denis,

Were you able to progress further with resolving of the CORS issue in SPS09?

I had a working solution in SPS08 (AWS - Developer Edition), with .xsaccess:

{
    "exposed" : true,
    "cors" : { "enabled" : true },
    "authentication" : null,
    "anonymous_connection" : "xxx.xxx.services::anonConn"
}

However, it no longer works in SPS09. As per the indication from Thomas, I removed the CORS entry from the .xsaccess and set it via xsadmin:

Although to be honest I'm not sure what I'm doing with setting of exposed headers, allowed headers etc.  Thomas said "Adding the CORS entry to the .xsaccess file will create the header", so I imagine we have an additional manual configuration step within xsadmin?  Would this be "exposed headers", what value?

Grateful for any pointers, cheers.

Former Member
0 Kudos

I managed to make it work.

Here are the headers I'm using. Enter them directly in the XS Admin UI for SP9.

In the CORS tab:

Check the 'enable Cross Origin'.

Add your server in the 'Allowed Origin'.

Put the following in 'Allowed Headers':

Origin, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control

And the following in 'Exposed Headers':

access-control-allow-headers,access-control-allow-origin,access-control-expose-headers,authorization

Maybe I don't need them all, but at least it works like that for me.

Then check 'Get, head, post, options' in the 'allowed Methods'.

Then make sure you have an AnonConn.xssqlcc and that in the admin interface, in SQL Connection Configuration, you set a login and password of a user that has access to your package. The password was not used in SP8 but I guess this is now mandatory with SP9; if you don't set this it will not work.

Then, I don't know which language you use (PHP, JavaScript) on the HTTP request client side, but here are a few lines of JavaScript code which work for me:

var request = new XMLHttpRequest();
// ...
request.open(callType, url, true); // asynchronous call
request.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
request.withCredentials = false; // do not send cookies or HTTP authentication
request.setRequestHeader("Accept", "application/json");
// ...
request.send(jsonBody);

Setting too many headers on access-control on the request makes it break, especially with Chrome. It was easier to make it work with Firefox.

I hope this will help you

best

Denis
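
Added example (not part of any post in this thread and not SAP code): a simplified JavaScript model of the Fetch standard's rules for when a browser sends an OPTIONS preflight and how it judges the response, which bears on the preflight question and the client snippet above. The function names, origins and header values are constructed for illustration.

```javascript
// Simplified model of the browser's CORS decisions (after the Fetch standard); sample values are constructed.
const SIMPLE_METHODS = ["GET", "HEAD", "POST"];
const SIMPLE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
const split = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// Request header names that the server must allow explicitly.
function unsafeHeaders(req) {
  return Object.entries(req.headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (["accept", "accept-language", "content-language"].includes(n)) return false;
    if (n === "content-type") return !SIMPLE_TYPES.includes(value.split(";")[0].trim().toLowerCase());
    return true;
  }).map(([name]) => name.toLowerCase());
}

// An OPTIONS preflight is sent only for non-simple methods or unsafe headers.
function needsPreflight(req) {
  return !SIMPLE_METHODS.includes(req.method) || unsafeHeaders(req).length > 0;
}

// Check applied to the preflight response; returns null if it passes, else the reason.
function checkPreflight(req, res) {
  if (res.status < 200 || res.status > 299) return "status is not 2xx";
  const h = res.headers; // header names already lower-cased
  const origin = h["access-control-allow-origin"];
  if (!origin) return "no Access-Control-Allow-Origin header";
  if (req.credentials && origin === "*") return "wildcard origin with credentials";
  if (origin !== "*" && origin !== req.origin) return "origin mismatch";
  if (req.credentials && h["access-control-allow-credentials"] !== "true")
    return "Access-Control-Allow-Credentials is not true";
  const wildcardOk = !req.credentials; // "*" is taken literally when credentials are sent
  const methods = split(h["access-control-allow-methods"]);
  if (!SIMPLE_METHODS.includes(req.method) && !methods.includes(req.method) &&
      !(wildcardOk && methods.includes("*"))) return "method not allowed: " + req.method;
  const allowed = split(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of unsafeHeaders(req)) {
    const viaWildcard = wildcardOk && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaWildcard) return "header not allowed: " + name;
  }
  return null;
}

// Constructed requests: the first has the same header set as the XMLHttpRequest in the post above.
const simple = { origin: "http://app.example", method: "POST", credentials: false,
  headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" } };
const authed = { origin: "http://app.example", method: "GET", credentials: true,
  headers: { Authorization: "Basic placeholder" } };
const emptyOk = { status: 200, headers: {} }; // 200 with no CORS headers
console.log(needsPreflight(simple), needsPreflight(authed), checkPreflight(authed, emptyOk));
```

A preflight that returns 200 without the CORS headers still fails the check, and the allowed origin has to equal the full origin string (scheme, host and port), not just the host name.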

Former Member
0 Kudos

Thanks Friend!
86 to 96 migration CORS broke.
Your recipe worked perfect.
Good Find!

Answers (2)

Former Member
0 Kudos

Denis Descaus's Solution below worked for me.

I had CORS working on SPS 86 and then we moved to 96 and all the CORS requests broke.

His settings worked like a charm!

We added/replaced our ajax request attributes with the following:

contentType: "application/x-www-form-urlencoded",
xhrFields: {withCredentials: false},
headers: {"Accept" : "application/json"},

0 Kudos

Dear colleagues,

Were you ever able to solve this issue?

XMLHttpRequest cannot load http://externalserver/SalesOrder/services/SalesOrder.xsodata/$metadata. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

ODataMetadata.js:6 Uncaught (in promise) Object {message: "HTTP request failed", request: Object, response: Object, statusCode: 0, statusText: ""…}

I'm facing this while executing the code below:

var oModel = new sap.ui.model.odata.v2.ODataModel("http://externalserver/SalesOrder/services/SalesOrder.xsodata");
oView.setModel(oModel);

My .xsaccess file reads like this:

{
    "exposed": true
}


If I make a common XMLHttpRequest to this address it works:

http://externalserver:8000/SalesOrder/services/index.html

My Hana XS app is configured like this:

Thanks!

ann_zhang3
Explorer
0 Kudos

Hi Marcio,

Were you ever able to solve this issue? I also met the same issue, could you please guide?


Thanks
