Related
Mod note: This question is about why XMLHttpRequest/fetch/etc. on the browser are subject to the Same Access Policy restrictions (you get errors mentioning CORB or CORS) while Postman is not. This question is not about how to fix a "No 'Access-Control-Allow-Origin'..." error. It's about why they happen.
Please stop posting:
CORS configurations for every language/framework under the sun. Instead find your relevant language/framework's question.
3rd party services that allow a request to circumvent CORS
Command line options for turning off CORS for various browsers
I am trying to do authorization using JavaScript by connecting to the RESTful API built-in Flask. However, when I make the request, I get the following error:
XMLHttpRequest cannot load http://myApiUrl/login.
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'null' is therefore not allowed access.
I know that the API or remote resource must set the header, but why did it work when I made the request via the Chrome extension Postman?
This is the request code:
$.ajax({
type: 'POST',
dataType: 'text',
url: api,
username: 'user',
password: 'pass',
crossDomain: true,
xhrFields: {
withCredentials: true,
},
})
.done(function (data) {
console.log('done');
})
.fail(function (xhr, textStatus, errorThrown) {
alert(xhr.responseText);
alert(textStatus);
});
If I understood it right you are doing an XMLHttpRequest to a different domain than your page is on. So the browser is blocking it as it usually allows a request in the same origin for security reasons. You need to do something different when you want to do a cross-domain request.
When you are using Postman they are not restricted by this policy. Quoted from Cross-Origin XMLHttpRequest:
Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.
WARNING: Using Access-Control-Allow-Origin: * can make your API/website vulnerable to cross-site request forgery (CSRF) attacks. Make certain you understand the risks before using this code.
It's very simple to solve if you are using PHP. Just add the following script in the beginning of your PHP page which handles the request:
<?php header('Access-Control-Allow-Origin: *'); ?>
If you are using Node-red you have to allow CORS in the node-red/settings.js file by un-commenting the following lines:
// The following property can be used to configure cross-origin resource sharing
// in the HTTP nodes.
// See https://github.com/troygoode/node-cors#configuration-options for
// details on its contents. The following is a basic permissive set of options:
httpNodeCors: {
origin: "*",
methods: "GET,PUT,POST,DELETE"
},
If you are using Flask same as the question; you have first to install flask-cors
pip install -U flask-cors
Then include the Flask cors package in your application.
from flask_cors import CORS
A simple application will look like:
from flask import Flask
from flask_cors import CORS
app = Flask(__name__)
CORS(app)
#app.route("/")
def helloWorld():
return "Hello, cross-origin-world!"
For more details, you can check the Flask documentation.
Because
$.ajax({type: "POST" - calls OPTIONS
$.post( - calls POST
Both are different. Postman calls "POST" properly, but when we call it, it will be "OPTIONS".
For C# web services - Web API
Please add the following code in your web.config file under the <system.webServer> tag. This will work:
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
Please make sure you are not doing any mistake in the Ajax call.
jQuery
$.ajax({
url: 'http://mysite.microsoft.sample.xyz.com/api/mycall',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
type: "POST", /* or type:"GET" or type:"PUT" */
dataType: "json",
data: {
},
success: function (result) {
console.log(result);
},
error: function () {
console.log("error");
}
});
Note: If you are looking for downloading content from a third-party website then this will not help you. You can try the following code, but not JavaScript.
System.Net.WebClient wc = new System.Net.WebClient();
string str = wc.DownloadString("http://mysite.microsoft.sample.xyz.com/api/mycall");
Deep
In the below investigation as API, I use http://example.com instead of http://myApiUrl/login from your question, because this first one working. I assume that your page is on http://my-site.local:8088.
NOTE: The API and your page have different domains!
The reason why you see different results is that Postman:
set header Host=example.com (your API)
NOT set header Origin
Postman actually not use your website url at all (you only type your API address into Postman) - he only send request to API, so he assume that website has same address as API (browser not assume this)
This is similar to browsers' way of sending requests when the site and API has the same domain (browsers also set the header item Referer=http://my-site.local:8088, however I don't see it in Postman). When Origin header is not set, usually servers allow such requests by default.
This is the standard way how Postman sends requests. But a browser sends requests differently when your site and API have different domains, and then CORS occurs and the browser automatically:
sets header Host=example.com (yours as API)
sets header Origin=http://my-site.local:8088 (your site)
(The header Referer has the same value as Origin). And now in Chrome's Console & Networks tab you will see:
When you have Host != Origin this is CORS, and when the server detects such a request, it usually blocks it by default.
Origin=null is set when you open HTML content from a local directory, and it sends a request. The same situation is when you send a request inside an <iframe>, like in the below snippet (but here the Host header is not set at all) - in general, everywhere the HTML specification says opaque origin, you can translate that to Origin=null. More information about this you can find here.
fetch('http://example.com/api', {method: 'POST'});
Look on chrome-console > network tab
If you do not use a simple CORS request, usually the browser automatically also sends an OPTIONS request before sending the main request - more information is here. The snippet below shows it:
fetch('http://example.com/api', {
method: 'POST',
headers: { 'Content-Type': 'application/json'}
});
Look in chrome-console -> network tab to 'api' request.
This is the OPTIONS request (the server does not allow sending a POST request)
You can change the configuration of your server to allow CORS requests.
Here is an example configuration which turns on CORS on nginx (nginx.conf file) - be very careful with setting always/"$http_origin" for nginx and "*" for Apache - this will unblock CORS from any domain (in production instead of stars use your concrete page adres which consume your api)
location ~ ^/index\.php(/|$) {
...
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
if ($request_method = OPTIONS) {
add_header 'Access-Control-Allow-Origin' "$http_origin"; # DO NOT remove THIS LINES (doubled with outside 'if' above)
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Max-Age' 1728000; # cache preflight value for 20 days
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'My-First-Header,My-Second-Header,Authorization,Content-Type,Accept,Origin';
add_header 'Content-Length' 0;
add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
}
Here is an example configuration which turns on CORS on Apache (.htaccess file)
# ------------------------------------------------------------------------------
# | Cross-domain Ajax requests |
# ------------------------------------------------------------------------------
# Enable cross-origin Ajax requests.
# http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
# http://enable-cors.org/
# <IfModule mod_headers.c>
# Header set Access-Control-Allow-Origin "*"
# </IfModule>
# Header set Header set Access-Control-Allow-Origin "*"
# Header always set Access-Control-Allow-Credentials "true"
Access-Control-Allow-Origin "http://your-page.com:80"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers "My-First-Header,My-Second-Header,Authorization, content-type, csrf-token"
Applying a CORS restriction is a security feature defined by a server and implemented by a browser.
The browser looks at the CORS policy of the server and respects it.
However, the Postman tool does not bother about the CORS policy of the server.
That is why the CORS error appears in the browser, but not in Postman.
The error you get is due to the CORS standard, which sets some restrictions on how JavaScript can perform ajax requests.
The CORS standard is a client-side standard, implemented in the browser. So it is the browser which prevent the call from completing and generates the error message - not the server.
Postman does not implement the CORS restrictions, which is why you don't see the same error when making the same call from Postman.
Why doesn't Postman implement CORS? CORS defines the restrictions relative to the origin (URL domain) of the page which initiates the request. But in Postman the requests doesn't originate from a page with an URL so CORS does not apply.
Solution & Issue Origins
You are making a XMLHttpRequest to different domains, example:
Domain one: some-domain.com
Domain Two: some-different-domain.com
This difference in domain names triggers CORS (Cross-Origin Resource Sharing) policy called SOP (Same-Origin Policy) that enforces the use of same domains (hence Origin) in Ajax, XMLHttpRequest and other HTTP requests.
Why did it work when I made the request via the Chrome extension
Postman?
A client (most Browsers and Development Tools) has a choice to enforce the Same-Origin Policy.
Most browsers enforce the policy of Same-Origin Policy to prevent issues related to CSRF (Cross-Site Request Forgery) attack.
Postman as a development tool chooses not to enforce SOP while some browsers enforce, this is why you can send requests via Postman that you cannot send with XMLHttpRequest via JS using the browser.
For browser testing purposes:
Windows - Run:
chrome.exe --user-data-dir="C://Chrome dev session" --disable-web-security
The command above will disable chrome web security. So for example if you work on a local project and encounter CORS policy issue when trying to make a request, you can skip this type of error with the above command. Basically it will open a new chrome session.
You might also get this error if your gateway timeout is too short and the resource you are accessing takes longer to process than the timeout. This may be the case for complex database queries etc. Thus, the above error code can be disguishing this problem. Just check if the error code is 504 instead of 404 as in Kamil's answer or something else. If it is 504, then increasing the gateway timeout might fix the problem.
In my case the CORS error could be removed by disabling the same origin policy (CORS) in the Internet Explorer browser, see How to disable same origin policy Internet Explorer. After doing this, it was a pure 504 error in the log.
To resolve this issue, write this line of code in your doGet() or doPost() function whichever you are using in backend
response.setHeader("Access-Control-Allow-Origin", "*");
Instead of "*" you can type in the website or API URL endpoint which is accessing the website else it will be public.
Your IP address is not whitelisted, so you are getting this error.
Ask the backend staff to whitelist your IP address for the service you are accessing.
Access-Control-Allow-Headers
For me I got this issue for different reason, the remote domain was added to origins the deployed app works perfectly except one end point I got this issue:
Origin https://mai-frontend.vercel.app is not allowed by Access-Control-Allow-Origin. Status code: 500
and
Fetch API cannot load https://sciigo.herokuapp.com/recommendations/recommendationsByUser/8f1bb29e-8ce6-4df2-b138-ffe53650dbab due to access control checks.
I discovered that my Heroku database table does not contains all the columns of my local table after updating Heroku database table everything worked well.
It works for me by applying this middleware in globally:
<?php
namespace App\Http\Middleware;
use Closure;
class Cors {
public function handle($request, Closure $next) {
return $next($request)
->header('Access-Control-Allow-Origin', '*')
->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
->header('Access-Control-Allow-Headers', "Accept,authorization,Authorization, Content-Type");
}
}
We are running a service behind an nginx proxy so that:
http://service-post:8080/swagger-ui.html is routed to public address https://host.com/services/post/swagger-ui.html
Or to define from the other way:
When nginx receives request on https://host.com/services/post/swagger-ui.html, it strips the /services/post/ prefix and passes the request to the post service on /swagger-ui.html path.
Before setting up anything (with default SpringDoc configuration) I can correctly see the swagger docs on http://service-post:8080/swagger-ui.html.
To set the paths for the public address on host.com, I am using:
springdoc.api-docs.path: /services/post/api-docs
springdoc.swagger-ui.path: /services/post/swagger-ui.html
springdoc.swagger-ui.configUrl: /services/post/v3/api-docs/swagger-config
However it seems that this brakes it completely:
/swagger-ui.html, /api-docs and /v3/api-docs/swagger-config return 404 both for service-post:8080/* and https://host.com/services/post/*
Only thing that seems to work is https://host.com/services/post/swagger-ui/index.html which shows the petstore documentation.
We are not using Spring Boot, just Spring MVC of version 5.3.1.
So how do I set up to keep the handling of the original paths (eg. /api-docs), but performing the lookup on the prefixed path (/services/post/api-docs)?
In the end I completely ignore the default redirect:
swagger-ui.html -> `swagger-ui/index.html?url=/v3/api-docs
And implemented my own one:
docs -> swagger-ui/index.html?url=MY_PREFIX/v3/api-docs
This way I don't need to change anything and everything works with default settings.
It's all documented here:
https://springdoc.org/index.html#how-can-i-deploy-springdoc-openapi-ui-behind-a-reverse-proxy
If you are not using spring-boot, you can add the ForwardedHeaderFilter bean:
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/filter/ForwardedHeaderFilter.html
Edit
I can't really find a way to generate a secure URL from route name.
To get a full URL, I use
echo route('my_route_name');
But what to do, if I want a URL with https?
UPDATE: As pointed out in the comments, a simpler way of doing this would be adding URL::forceSchema('https'); for Laravel version between 4.2-5.3 or URL::forceScheme('https'); for version 5.4+ in the boot method of your AppServiceProvider file.
Old answer:
It's actually entirely possible and there's only one line of code needed to accomplish that.
Laravel doesn't check the presence of SSL by itself, it depends on Symfony. And there goes our key to making it believe that the current request is secure.
The thing is, we have to set the HTTPS server param to true and the easiest method is to paste the following code in the boot method of your AppServiceProvider:
$this->app['request']->server->set('HTTPS', true);
In my very case, I only need to force SSL in production, the local env should still work on http. This is how I force SSL only on production:
$this->app['request']->server->set('HTTPS', $this->app->environment() != 'local');
By the way, mind those terms, you may need them in the future.
Laravel 8
I recently resolved this by modifying this file:
app/Providers/AppServiceProvider.php
in the method boot() add the following:
URL::forceScheme('https');
Add the use in the top:
use Illuminate\Support\Facades\URL;
to work in your local environment you can leave it like this:
public function boot()
{
if(env('APP_ENV') !== 'local') {
URL::forceScheme('https');
}
}
Note: Don't forget to set your env variable APP_ENV with prod for the production file.
APP_ENV=prod
Actually turns out, that laravel doesn't care if url is secure or not, because it generates based on the current url. If you're on https page, route() will return secure url. If on http, then http:// url
The problem was, that Laravel didn't detect that https was enabled, which was due to faulty server configuration.
You can check if Laravel sees the current connection as https by calling Request::isSecure();
As I mentioned in a relevant question, I found 5 ways of how to generate secure URLs.
Configure your web server to redirect all non-secure requests to https. Example of a nginx config:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
Set your environment variable APP_URL using https:
APP_URL=https://example.com
Use helper secure_url() (Laravel5.6)
Add following string to AppServiceProvider::boot() method (for version 5.4+):
\Illuminate\Support\Facades\URL::forceScheme('https');
Implicitly set scheme for route group (Laravel5.6):
Route::group(['scheme' => 'https'], function () {
// Route::get(...)->name(...);
});
At the moment this way is not documented, but it works well.
I think there is only one way to do this.
To generate the secure URL to your named routes, you might want to pass in your route into the secure_url helper function.
secure_url(URL::route('your_route_name', [], false));
You can't really use the route helper function because it generates absolute URL (with http://) by default and it's http not the https version that you wanted
Laravel 5.x will generate secure URL via route() helper if it detects the incoming connection is secure. Problem usually happen if the app is hidden behind load balancer or proxy (e.g. Cloudflare) since the connection between app server and load balancer/proxy might not be secure.
I am using Laravel Forge + Cloudflare now and this is the easiest way I could find to enable app thinking incoming connection is secure (not sure about other proxy).
Generate self signed certificate (see https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs or http://www.selfsignedcertificate.com/)
In Forge panel, insert your private key and cert via Sites > your-site > SSL Certificates > Install Existing Certificate.
Activate
In CloudFlare panel, Crypto > SSL, choose “Full” (not strict)
Done (it will take few minutes for the change to get propagated)
In short, connection between client and Cloudflare is secured by Cloudflare's own SSL. Connection between app server and Cloudflare is protected via your generated cert (thus the app is seeing 'connection' as secure.
You can apply the same principle with other stacks.
Use secure_url:
secure_url(URL::route('your_route_name', [], false));
You will need to set URL::route to false in order to not return a full URL. Then use secure_url function generates a fully qualified HTTPS URL to the given path.
From the UrlGenerator interface you can use URL::route
string route(string $name, mixed $parameters = array(), bool $absolute = true)
Get the URL to a named route.
Parameters
string $name
mixed $parameters
bool $absolute
Return Value
string
https://laravel.com/api/5.4/Illuminate/Contracts/Routing/UrlGenerator.html
In most cases routes should be generated with the same scheme your site was loaded with. Laravel automatically detects if request has X-Forwarded-Proto header and uses it to decide which scheme to use in generated route URLs. If your site is behind reverse proxy then you should add reverse proxy IP address to list of trusted proxies. https://github.com/fideloper/TrustedProxy package helps to do this. It's included in Laravel 5.5. For example, my config/trustedproxy.php looks like:
<?php
return [
'proxies' => '*',
'headers' => [
]
];
I use it with nginx reverse proxy that has the following configuration:
server {
listen 80;
server_name example.com;
access_log /var/log/nginx/example.com_access.log;
error_log /var/log/nginx/example.com_error.log;
client_max_body_size 50m;
location / {
proxy_pass http://localhost:8002;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
}
Replace example.com with your domain. SSL certificates was provided by Let's Encrypt with certbot.
On laravel 5.5.*
You only need to add https on your .env file
as AppServiceProvider already had function that checks if your APP_URL or app.url on your config has https on it.
class AppServiceProvider extends ServiceProvider
{
public function boot()
{
\URL::forceRootUrl(\Config::get('app.url'));
if (str_contains(\Config::get('app.url'), 'https://')) {
\URL::forceScheme('https');
}
}
This is certainly old, but someone like me will dump over here one day.
In your .env file define the APP_URL to use https instead of using http. Because all laravel url are generated based on this variable.
APP_URL=https://example.com
and wherever you want you can just say
{{ URL::route('my.route', params) }}
Or
{{ route('my.route', params) }}
With make sure all the routes are generated with secure protocol, add in the boot method of AppServiceProvider class:
<?php
namespace App\Providers;
use Illuminate\Routing\UrlGenerator;
use Illuminate\Support\ServiceProvider;
class AppServiceProvider extends ServiceProvider
{
/**
* Bootstrap any application services.
*
* #return void
*/
public function boot(UrlGenerator $url)
{
if (config('app.production')) {
$url->forceScheme('https');
}
}
Just add your application domain with the https protocol in the APP_URL of your .env file.
APP_URL=https://example.com
Then run route:cache
For reference of future visitors:
The secure_url function doesn't correctly handle GET parameters. So, for example, if you want to convert the url that the user has visited into a secure url while retaining the GET fields, you need to use this:
secure_url(Request::path()).'?'.http_build_query(Input::all());
Particularly note the use of path() rather than url() - if you give it a full url, it doesn't replace the http at the start, making it efectively useless.
I came across this issue while trying to generate a route as form action in Blade using Laravel 5.4.
Then I hit upon secure_url(), so I tried
{{ secure_url(route('routename', $args)) }}
This still returned a non-secure URL. :-(
After digging through the code and adding some debug logs, I finally figured out that secure_url does not change the incoming url argument, if it's already an absolute URL (including the scheme).
Fortunately route has an absolute flag as the third argument, and returns a relative URL if $absolute is passed as false.
Assuming /a/{id}/b is a named route "a.b"
route('a.b', 1) : will return http://[domain]/a/1/b
route('a.b', 1, false) : will return /a/1/b
Joining the two I arrived at :
{{ secure_url(route('routename', $args, false)) }}
As expected it generated https://[domain]/routeXXX
:-)
I had a problem with redirect trailing slashes after 2 hours of looking for a bug, just need to remove
.htaccess
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
to
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
If you are using Load Balancer, Laravel will never have the actual schema available.
So use https://stackoverflow.com/a/65691937/6489768. Working with Laravel - 9.x
Place this in your filters.php file and everywhere will be forced to https while retaining URL parameters:
//force ssl
App::before(function () {
if(!Request::secure() && App::environment() != 'local')
{
$baseHost = Request::getHttpHost();
$requestUri = Request::getRequestUri();
$newLink = 'https://'.$baseHost.$requestUri;
return Redirect::to($newLink);
}});
According to the laravel documentation on the url() helper method.
If no path is provided, a Illuminate\Routing\UrlGenerator instance is
returned
So you can use the secure method of the UrlGenerator class in the following way:
echo url()->secure('my_route_name');
To generate a secure (https) route use the following built-in 'before' filter called 'auth':
For example:
Route::get('your-route', ['before' => 'auth', 'uses' => YourController#yourAction']);
Now when you output your link it will be prepended with 'https'
I'm trying to find out if a play 2 (with scala) app is running on http or https
I tried with routes.Application.index.absoluteURL(request), like this
def chatUri(username: String)(implicit request: RequestHeader): String = {
val uri = routes.Application.index.absoluteURL(request)
but I get the following error:
/home/sas/tmp/websocket-chat/app/controllers/Application.scala:51: overloaded method value absoluteURL with alternatives:
[error] (secure: Boolean)(implicit request: play.api.mvc.RequestHeader)java.lang.String <and>
[error] (play.mvc.Http.Request)java.lang.String
[error] cannot be applied to (play.api.mvc.RequestHeader)
[error] val rootUri = Uri(routes.Application.index.absoluteURL(request))
I tried to transform the RequestHeader into a Request, but I get the following error
val rootUri = Uri(routes.Application.index.absoluteURL(request.asInstanceOf[Request[Any]]))
(secure: Boolean)(implicit request: play.api.mvc.RequestHeader)java.lang.String <and>
[error] (play.mvc.Http.Request)java.lang.String
[error] cannot be applied to (play.api.mvc.Request[Any])
[error] val rootUri = Uri(routes.Application.index.absoluteURL(request.asInstanceOf[Request[Any]]))
Any idea how can I achieve it?
Must say I'm surprised about problems with getting absolute url in Scala, AFAIR in Java it works well, anyway... I doubt if it will help you to determine the protocol (edit: as #MariusSoutier wrote)
As there's no built-in support for SSL in Play 2 most probably you are using (or you should use) some HTTP server on front of your application, let's say Apache. There are some samples and posts describing the proccess:
Take a look at topic: How to config PlayFramework2 to support SSL? Nasir gives there a sample of configuring the Apache as a proxy for Play
There's also nice description of configuring Apache as a proxy (warning the posts describes the Play 1.x, however Apache part will be the same)
Finally you need to to set the proper headers which will be forwarded to your app
so after setting the headers (as showed in point 3) you'll be able to check it in your controller:
def index = Action { request =>
val proto = request.headers("X-FORWARDED-PROTO")
Ok("Got request [" + request + "] with schema: " + proto )
}
or the same in Java controller:
public static Result index() {
String proto = request().getHeader("X-FORWARDED-PROTO");
return ok("Got request [" + request() + "] with schema: " + proto);
}
First off, by creating an absolute URL, you cannot find out if the app is running on http or https - take a look at the method signature:
def absoluteURL (secure: Boolean = false)(implicit request: RequestHeader): String
That's right, you have to tell this method whether or not you want secure.
I think this is because Play was designed to working behind a reverse proxy which makes it transparent to use encrypted requests. That means Play shouldn't have to care about this. absoluteURL can only enforce https URLs, for example to make sure a login page uses https.
Depending on your reverse proxy, you can set a custom http header that tells you what is used. RequestHeader doesn't have the information.
I have been struggling with the following error the last couple of
days can you please help!
I generated my server and client code using the wsdl2java tool from a
wsdl 2.0 file.
When invoking the webservice I am getting the following error:
org.apache.axis2.AxisFault: The endpoint reference (EPR) for the
Operation not found is
/axis2/services/MyService/authentication/?username=Denise345&password=xxxxx
and the WSA Action = null
My service is displayed on the axis2 webpage with all available methods.
Here is the output from TcpMon
==============
Listen Port: 8090
Target Host: 127.0.0.1
Target Port: 8080
==== Request ====
GET /axis2/services/MyService/authentication/?username=Denise345&password=xxxxx
HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
SOAPAction: ""
User-Agent: Axis2
Host: 127.0.0.1:8090
==== Response ====
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: application/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 12 May 2011 15:53:20 GMT
Connection: close
12b
<soapenv:Reason xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Text xml:lang="en-US">The endpoint reference (EPR) for the
Operation not found is
/axis2/services/MyService/authentication/?username=Denise345&password=xxxxx
and the WSA Action = null</soapenv:Text></soapenv:Reason>
0
==============
I am using:
axis2-1.5.4
Tomcat 7.0.8
wsdl 2.0 file
Please help!
In my case it was caused by a wrong Content-Type in the HTTP POST. Setting it to text/xml solved the problem.
Try adding ?wsdl to the string.
As described by Eran Chinthaka at http://wso2.com/library/176/
If Axis2 engine cannot find a service and an operation for a message,
it immediately fails, sending a fault to the sender. If service not
found - "Service Not found EPR is " If
service found but not an operation- "Operation Not found EPR is and WSA Action = "
In your case the service is found but the operation not. The Axis2 engine uses SOAPAction in order to figure out the requested operation and, in your example, the SOAPAction is missing, therefore I would try to define the SOAPAction header
It happens because the source WSDL in each operation has not defined the SOAPAction value.
e.g.
<soap12:operation soapAction="" style="document"/>
His is important for axis server.
If you have created the service on netbeans or another, don't forget to set the value action on the tag #WebMethod
e.g. #WebMethod(action = "hello", operationName = "hello")
This will create the SOAPAction value by itself.
Action is null means that no Action in given SOAP Message (Request XML). You must set Action before SOAP call:
java.net.URL endpoint = new URL("<URL>"); //sets URL
MimeHeaders headers = message.getMimeHeaders(); // getting MIME Header
headers.addHeader("SOAPAction", "<SOAP Action>"); //add Action To Header
SOAPMessage response = soapConnection.call(<SOAPMessage>, endpoint); //then Call
soapConnection.close(); // then Close the connection
I had this same problem using curl to send a soap request. Solved it by adding "content-type: text/xml" to the http header.
I hope this helps someone.
This error is coming because while calling the service, it is not getting the WSDL file of your service.
Just check whether WSDL file of your service is there--> run server and from browser run axis 2 apps on local host and check the deployed services and click on your service, then it shows WSDL file of your service.....or check the service path in your client file.
I hope it may help you to resolve the problem.
This can be solved by disabling validation
<proxy>
<!-- . . . -->
<parameter name="disableOperationValidation">true</parameter>
</proxy>
Late answer but:
I see you do a GET - should be a POST ?
try removing the extra '/' after the operation name (authentication) when invoking through the client
/axis2/services/MyService/authentication?username=Denise345&password=xxxxx
It seems don't find wsdl file..
I've solved adding wsdlLocation parameter at javax.jws.WebService annotation
By removing cache wsdl-* files in /tmp folder, my problem was solved
see https://www.drupal.org/node/1132926#comment-6283348
be careful about permission to delete
I'm in ubuntu os
On Websphere Application Server, in the same situation, it helped deleting the Temp folders while the server was stopped.
I ran into the situation when the package of the service changed.
Open WSDL file and find:
<soap:operation soapAction="[actionNameIsHere]" style="document"/>
Add to the requests header [request send to service]:
'soapAction' : '[actionNameIsHere]'
This work for me.
For devs. using node-soap [ https://github.com/vpulim/node-soap ] - example:
var soap = require('soap');
var options = {
...your options...
forceSoap12Headers: true
}
soap.createClient(
wsdl, options,
function(err, client) {
if(err) {
return callBack(err, result);
}
client.addHttpHeader('soapAction', '[actionNameIsHere]');
...your code - request send...
});
I got this error because the SOAP request I was sending to the server was malformed and had an empty Body
In this case the error message from the server is misleading and can be solved changing the request content, without changing anything about operations, URLs, WSDL, etc