Posted to issues@activemq.apache.org by "Domenico Francesco Bruscino (Jira)" <ji...@apache.org> on 2022/11/11 05:25:00 UTC
[jira] [Comment Edited] (ARTEMIS-4027) Cannot access management API due to CORS problems (403)
[ https://issues.apache.org/jira/browse/ARTEMIS-4027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17632075#comment-17632075 ]
Domenico Francesco Bruscino edited comment on ARTEMIS-4027 at 11/11/22 5:24 AM:
--------------------------------------------------------------------------------
[~daves] [~Gleydar] I'm not able to reproduce this issue with curl:
{code}
$ curl -v -X OPTIONS -H "Origin:http://localhost:8161" -u admin:admin http://localhost:8161/console/jolokia
* Trying 127.0.0.1:8161...
* Connected to localhost (127.0.0.1) port 8161 (#0)
* Server auth using Basic with user 'admin'
> OPTIONS /console/jolokia HTTP/1.1
> Host: localhost:8161
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.82.0
> Accept: */*
> Origin:http://localhost:8161
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 11 Nov 2022 05:19:23 GMT
< Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate, private
< Pragma: no-cache
< Access-Control-Request-Method: GET, POST, PUT, DELETE
< Access-Control-Max-Age: 31536000
< Access-Control-Allow-Origin: http://localhost:8161
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; connect-src 'self' ; frame-src 'self'
< Access-Control-Allow-Credentials: true
< Content-Length: 0
<
* Connection #0 to host localhost left intact
{code}
Actually, it seems that Jolokia handles CORS preflight requests, see https://github.com/rhuss/jolokia/blob/v1.7.0/agent/core/src/main/java/org/jolokia/http/AgentServlet.java#L327
Could you dump your OPTIONS request?
> Cannot access management API due to CORS problems (403)
> -------------------------------------------------------
>
> Key: ARTEMIS-4027
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4027
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: API
> Affects Versions: 2.25.0
> Reporter: daves
> Priority: Major
> Attachments: artemis.log, consoleError.JPG, etc.zip, f1.JPG, f2.JPG, options.JPG
>
>
> I try to access the management API from a client app running in Chrome.
> This does not work because the preflight check fails.
> OPTIONS request:
>
> {code:java}
> fetch("http://localhost:8161/console/jolokia/?maxDepth=7&maxCollectionSize=50000&ignoreErrors=false&canonicalNaming=false", {
>   "headers": {
>     "accept": "*/*",
>     "accept-language": "en-US,en;q=0.9",
>     "sec-fetch-dest": "empty",
>     "sec-fetch-mode": "cors",
>     "sec-fetch-site": "cross-site"
>   },
>   "referrerPolicy": "strict-origin-when-cross-origin",
>   "body": null,
>   "method": "OPTIONS",
>   "mode": "cors",
>   "credentials": "omit"
> });
> {code}
>
> The request fails with a 403 not authenticated... which is strange since preflight checks must not be authenticated.
> !options.JPG!
>
> I tried to configure CORS in the jolokia-access.xml file like so:
>
>
> {code:java}
> <restrict>
>   <cors>
>     <!-- Allow cross origin access from localhost ... -->
>     <allow-origin>*://*</allow-origin>
>     <!-- Options from this point on are auto-generated by Create.java from the Artemis CLI -->
>     <!-- Check for the proper origin on the server side, too -->
>     <strict-checking />
>   </cors>
> </restrict>
> {code}
>
>
> I also tried to specify the URL and port of my application explicitly. But this did not work either.
>
>
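Added example, not part of the original thread and not Artemis or Jolokia code: a simplified version of the checks a browser applies to a preflight response, run over the response headers from the curl output above. The origin http://localhost:4200 and the bare 403 response are constructed for illustration.

```javascript
// Simplified from the Fetch standard's CORS check and preflight rules;
// Access-Control-Allow-Headers handling is left out.

// Response headers copied from the curl -v output in the comment.
const CAPTURED_200 = [
  "HTTP/1.1 200 OK",
  "Access-Control-Request-Method: GET, POST, PUT, DELETE",
  "Access-Control-Max-Age: 31536000",
  "Access-Control-Allow-Origin: http://localhost:8161",
  "Access-Control-Allow-Credentials: true",
  "Content-Length: 0",
].join("\r\n");

// Constructed sample: the 403 status the reporter describes, headers assumed absent.
const CONSTRUCTED_403 = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0";

function parseResponse(raw) {
  const [statusLine, ...lines] = raw.trim().split(/\r?\n/);
  const headers = new Map();
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i > 0) headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return { status: Number(statusLine.split(" ")[1]), headers };
}

const fail = (reason) => ({ ok: false, reason });
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Would a browser accept this preflight for `method` sent from `origin`?
function checkPreflight(raw, { origin, method, credentials = false }) {
  const { status, headers } = parseResponse(raw);
  if (status < 200 || status > 299) return fail(`preflight status ${status} is not 2xx`);
  const allowOrigin = headers.get("access-control-allow-origin");
  if (allowOrigin === undefined) return fail("missing Access-Control-Allow-Origin");
  // "*" only matches when the request carries no credentials.
  const originOk = allowOrigin === origin || (allowOrigin === "*" && !credentials);
  if (!originOk) return fail(`origin ${origin} does not match ${allowOrigin}`);
  if (credentials && headers.get("access-control-allow-credentials") !== "true")
    return fail("Access-Control-Allow-Credentials is not true");
  // Browsers read Access-Control-Allow-Methods; Access-Control-Request-Method is a request header.
  const allowed = (headers.get("access-control-allow-methods") || "")
    .split(",").map((m) => m.trim().toUpperCase()).filter(Boolean);
  const methodOk = SAFELISTED_METHODS.has(method) || allowed.includes(method) ||
    (allowed.includes("*") && !credentials);
  return methodOk ? { ok: true, reason: "accepted" } : fail(`method ${method} not allowed`);
}
```
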