CORS and Web-Tier Secured Services

08-13-2015 08:14 AM
StephenWay
New Contributor

Hi Everyone!

I have a situation where my application will be required to access web-tiered services across different domains.

I have added the following to the web config of web adapter:

<customHeaders>
    <add name="Access-Control-Allow-Credentials" value="true" />
    <add name="Access-Control-Allow-Origin" value="http://sub.domain.com" />
</customHeaders>

However, when testing in chrome, I receive the following error in console:

XMLHttpRequest cannot load <url to secured service>. the Access-Control-Allow-Origin header contains multiple values 'http://sub.domain.com,http://sub.domain.com' .http://sub.domain.com is therefore   not allowed access.

I have checked everything; I have definitely only configured one header in the web.config. I am using the testing tool available on the enable-cors site.

Against an unsecured service, it works fine as we don't have to set the allow-credentials header, but with secured services, it is not working.

Have also tried Firefox, and I do not have IE available in this environment.

Thanks for anyone who can help!

Steve

14 Replies
JeffJacobson
Occasional Contributor III

Have you tried adding a remove to ensure there aren't duplicates from a higher level?

<customHeaders>
    <remove name="Access-Control-Allow-Origin" />
    <add name="Access-Control-Allow-Credentials" value="true" />
    <add name="Access-Control-Allow-Origin" value="http://sub.domain.com" />
</customHeaders>
StephenWay
New Contributor

Hi Jeff, thank you for replying, that is really useful to know.

Actually, the issue was to do with some inheritance craziness going on with IIS.

However, it seems that, using Web AppBuilder, I am getting a 401 immediately - it is not even prompting for a username/password.

I feel like I am close, just not close enough!!

If anyone has any experience of CORS on web-tier secured services using Web AppBuilder, I would appreciate it.

Thanks,

Steve

ColeAndrews
Occasional Contributor III

Stephen, did you eventually have success on this?

GertConradie
Occasional Contributor

Same question - I get the following from WAB:
The 'Access-Control-Allow-Origin' header contains multiple values 'https://localhost:3344, *', but only one is allowed. Origin 'https://localhost:3344' is therefore not allowed access.

It's a bit weird - I am very certain that this did not happen before; I only noticed it now when looking back on something I worked on before. It seems to me the rest of the app/layers is fine.

The '*' is in my web.config of my ArcGIS Server REST endpoint. If I take it out of there, then only one is left and it works. Unfortunately I can't take it out of there, to allow other clients access.

So is WAB always adding the header value, and if yes - can I stop it from doing it?

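The two console errors quoted so far in this thread are both the same browser rule: a response is usable cross-origin only if Access-Control-Allow-Origin carries exactly one value, and for a credentialed request that value cannot be '*'. The script below is an added example (not code from the thread, from Esri or from Web AppBuilder) that applies those rules to raw response headers, so a duplicated header from nested IIS configuration or an 'origin, *' pair can be diagnosed without a browser. The sample header blocks are constructed to mirror the quoted errors.

```python
"""Browser-style CORS response check for a credentialed request.

Added example, not code from the thread or from Esri. It reproduces the
decision Chrome and Firefox make before letting script read a cross-origin
response. The sample header blocks at the bottom are constructed.
"""
from typing import Dict, List

CORS_PREFIX = "access-control-"


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header name -> list of values.

    A header emitted twice (for example once by a site-level web.config and
    once by an application-level one) is what the browser reports as
    "contains multiple values 'a, b'", so repeated lines are kept as separate
    values and Access-Control-* values are also split on commas.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if ":" not in line:  # status line or blank line
            continue
        name, value = line.split(":", 1)
        key = name.strip().lower()
        if key.startswith(CORS_PREFIX):
            values = [v.strip() for v in value.split(",") if v.strip()]
        else:
            values = [value.strip()]  # Date etc. legitimately contain commas
        headers.setdefault(key, []).extend(values)
    return headers


def check_cors(raw_headers: str, request_origin: str, with_credentials: bool) -> List[str]:
    """Return the reasons a browser would block the response (empty list = allowed)."""
    h = parse_headers(raw_headers)
    problems: List[str] = []
    origins = h.get("access-control-allow-origin", [])
    creds = h.get("access-control-allow-credentials", [])

    if not origins:
        return ["no Access-Control-Allow-Origin header"]
    if len(origins) > 1:
        # The situation in the thread: the browser refuses to pick one value.
        return [f"Access-Control-Allow-Origin has multiple values {origins}; only one is allowed"]

    allowed = origins[0]
    if with_credentials:
        if allowed == "*":
            problems.append("'*' is not allowed when the request carries credentials")
        if creds != ["true"]:
            problems.append("Access-Control-Allow-Credentials must be exactly 'true' for a credentialed request")
    if allowed != "*" and allowed != request_origin:
        problems.append(f"allowed origin {allowed!r} does not match request origin {request_origin!r}")
    return problems


# Constructed samples mirroring the console errors quoted in the thread.
DUPLICATED_ORIGIN = (
    "HTTP/1.1 200 OK\n"
    "Content-Type: application/json\n"
    "Access-Control-Allow-Credentials: true\n"
    "Access-Control-Allow-Origin: http://sub.domain.com\n"
    "Access-Control-Allow-Origin: http://sub.domain.com\n"
)
ORIGIN_AND_STAR = (
    "HTTP/1.1 200 OK\n"
    "Access-Control-Allow-Credentials: true\n"
    "Access-Control-Allow-Origin: https://localhost:3344, *\n"
)
STAR_ONLY = "HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: *\n"
CORRECT = (
    "HTTP/1.1 200 OK\n"
    "Access-Control-Allow-Credentials: true\n"
    "Access-Control-Allow-Origin: http://sub.domain.com\n"
)

if __name__ == "__main__":
    for label, block, origin, creds in [
        ("duplicated origin", DUPLICATED_ORIGIN, "http://sub.domain.com", True),
        ("origin plus *", ORIGIN_AND_STAR, "https://localhost:3344", True),
        ("* with credentials", STAR_ONLY, "https://localhost:3344", True),
        ("* without credentials", STAR_ONLY, "https://localhost:3344", False),
        ("correct", CORRECT, "http://sub.domain.com", True),
    ]:
        print(label, "->", check_cors(block, origin, creds) or "allowed")
```

Run it against a header dump copied from the browser's network panel or from curl -i; the useful cases are the last two, which show that the same '*' configuration is fine for an unsecured service but fails as soon as the request carries credentials, which is exactly the split Steve describes between his secured and unsecured services.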
BillGrow
New Contributor II

Hi all,

You may want to try implementing the ESRI resource proxy in your application:  https://github.com/Esri/resource-proxy

Keep in mind, any time you use a referrer header origin for authentication, these are easily spoofed with simple 'modify header' tools such as this firefox extension: https://addons.mozilla.org/en-US/firefox/addon/modify-headers/

Any stored authentication, allowed by a referrer header, can be easily bypassed and open a pretty large security hole in your system.  So, you'll still want to use some sort of token based, credential authentication with your secure services.

GertConradie
Occasional Contributor

Thanks Bill

I have two ArcGIS endpoints - one secured and the other not.

  • server.com/arcgis/ (secured)
  • server.com/arcgis2/ (unsecured)

For the secured one, I already use the ESRI resource proxy - with no "The 'Access-Control-Allow-Origin' header contains multiple values" warnings.

No problems as well if I use the ESRI resource proxy with the unsecured one. - But then I could have secured everything / not offered public access to some published services.

When one looks at the .NET version of the ESRI resource proxy - the function "private void copyHeaders" doesn't exclude 'Access-Control-Allow-Origin' headers in the copy, which makes me assume that:

  • WAB doesn't add the header when a proxy is used. (Makes sense - it's not a 'client' any more accessing the REST service.)
  • WAB adds the header when no proxy is used. Can I stop it from doing it, or should I take out the 'Access-Control-Allow-Origin' section (included below) in the web.config of my unsecured endpoint? That would stop other (non-WAB) JavaScript API applications from using it. (Unless a proxy is used from there.)


Would the WAB app config file attribute "authorizedCrossOriginDomains" be used?

<httpProtocol>
    <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
    </customHeaders>
</httpProtocol>

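Gert's observation that the .NET resource proxy's copyHeaders relays Access-Control-Allow-Origin unchanged raises the question of what a same-origin proxy should relay at all. The function below is an added example, not the Esri resource proxy's code: it shows one defensible header-copy policy for a proxy hosted on the application's own origin, where the upstream server's CORS decisions (such as the '*' from the ArcGIS Server web.config) are dropped so that the proxy host's own policy governs cross-origin access, and hop-by-hop headers are dropped because they describe the proxy-to-upstream connection. The upstream header list is constructed.

```python
"""Header filtering for a same-origin resource proxy.

Added example; this is not the Esri resource-proxy's copyHeaders. The policy
shown drops the upstream's CORS response headers (the proxy host decides
cross-origin access itself), drops hop-by-hop headers, and relays the rest.
The sample upstream headers are constructed.
"""
from typing import Iterable, List, Set, Tuple

Header = Tuple[str, str]

# RFC 7230 hop-by-hop headers: meaningful only on the proxy<->upstream hop.
HOP_BY_HOP: Set[str] = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}
# Upstream CORS decisions must not leak through the proxy's own origin.
CORS_RESPONSE_HEADERS: Set[str] = {
    "access-control-allow-origin", "access-control-allow-credentials",
    "access-control-allow-methods", "access-control-allow-headers",
    "access-control-expose-headers", "access-control-max-age",
}


def copy_headers(upstream: Iterable[Header]) -> List[Header]:
    """Return the headers a same-origin proxy should relay to its client."""
    upstream = list(upstream)
    # The Connection header may name additional hop-by-hop headers for this response.
    dynamic_hop: Set[str] = set()
    for name, value in upstream:
        if name.lower() == "connection":
            dynamic_hop.update(t.strip().lower() for t in value.split(",") if t.strip())
    relayed: List[Header] = []
    for name, value in upstream:
        key = name.lower()
        if key in HOP_BY_HOP or key in dynamic_hop or key in CORS_RESPONSE_HEADERS:
            continue
        relayed.append((name, value))
    return relayed


# Constructed upstream response headers, as an ArcGIS Server behind the
# web.config above might return them.
UPSTREAM_RESPONSE: List[Header] = [
    ("Content-Type", "application/json; charset=utf-8"),
    ("Access-Control-Allow-Origin", "*"),
    ("Connection", "keep-alive, X-Backend-Trace"),
    ("X-Backend-Trace", "constructed-value"),
    ("Transfer-Encoding", "chunked"),
    ("Cache-Control", "no-cache"),
]

if __name__ == "__main__":
    for name, value in copy_headers(UPSTREAM_RESPONSE):
        print(f"{name}: {value}")
```

Because the proxied request is same-origin from the browser's point of view, no Access-Control-Allow-Origin is needed on the relayed response at all, which is consistent with the warning disappearing when the proxy is used; the proxy host, not the upstream server, then decides which origins may reach it.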
RobertScheitlin__GISP
MVP Emeritus

Gert,

  When dealing with Esri tech support on a multi-ArcGIS Server CORS issue recently I was told that it was the Web Adaptor that was adding the "Access-Control-Allow-Origin" to the header. FYI, it is not WAB that is doing this.

ColeAndrews
Occasional Contributor III

I can confirm this as well. When troubleshooting a connectivity issue between WAB Dev and AGS server, the browser was throwing "No Access-Control-Allow-Origin header" errors in the developer tools, but Esri support indicated that error is commonplace and can be ignored. I had found a thread a while back that also said this can be ignored, but can't seem to find it right now.

GertConradie
Occasional Contributor

Thanks Robert, that helps to focus my energy.

I played around with the Web Adaptor, adding and removing crossdomain.xml & clientaccesspolicy.xml files, which I sort of knew would make no difference, as well as trying to move the '<add name="Access-Control-Allow-Origin" value="*" />' to an IIS root folder location. No luck.

I will use the public services via the proxy then - I'm very hesitant to take the
