Access-Control-Allow-Origin ATG Rest API

Question

I am building a Portal using angularjs and ATG Rest API, It is giving an Error When I am trying to get Session confirmation Number using API:rest/model/atg/rest/SessionConfirmationActor/getSessionConfirmationNumber

Error:XMLHttpRequest cannot load http://IPNUMBER:Port/rest/model/atg/rest/SessionConfirmationActor/getSessionConfirmationNumber. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

API is working fine in POSTMAN, and from the direct browser query. Please help me on this.

score 1 · Accepted Answer · answered May 26 '16 at 15:04

1

You best bet is to write a simple Pipeline servlet and add it to the RestPipeline configuration. The servlet would just inject the cors headers to all Rest requests.

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import atg.servlet.*;
import atg.servlet.pipeline.*;

public class CORSHeaderServlet extends InsertableServletImpl{
  public CORSHeaderServlet () {}
  public void service (DynamoHttpServletRequest request,
                       DynamoHttpServletResponse response)
       throws IOException, ServletException
  {
     //add headers to response.
    response.addHeader("Access-Control-Allow-Origin" ,"*");
    passRequest (request, response);
  }
}

answered May 26 '16 at 15:04

MrPsion

64
3

Thanks for replying, I am using ATG web-commerce and I have enabled REST API in that, not sure where to write Pipeline servlet, Hoping ATG will be having the same feature some where. – Syam Nath May 27 '16 at 04:50
I got one answer from Oracle forum but not sure how to do this, here is the link https://community.oracle.com/message/13287142#13287142, it says, **Extend any one DAF pipeline servlet (by using InsertableServletImpl) and set header as per business requirement.** – Syam Nath May 27 '16 at 04:54

score 0 · Answer 2 · edited May 23 '17 at 11:52

0

I didn't use this API, but problem is quite common. Have a look for example here (or any other source about CORS):

How does Access-Control-Allow-Origin header work?

If your web application and service have different domains (origins), this will not work until the service allows your application to request data. When you use Postman it works, because Postman does not send the header or uses origin, which is allowed. I don't really know how it works, but it does and it's normal.

If you are using locally hosted application just for testing purposes and both service and app will have the same origin, you have two easy solutions:

You can run web browser (e.g. Chrome) with web security disabled: Disable same origin policy in Chrome. This disables CORS and eliminates the problem.
You can install Chrome extension called Allow-Control-Allow-Origin: *. When it's enabled, it sends origin which will be allowed by the service.

However, if your service will have different origin, then you will have to configure it to allow your application to request it.

Edit

Note one thing. If you send a request different than GET or with some custom headers, browsers will firstly send an OPTIONS request. It's called preflight request. You're service will have to handle it in order to work properly.

edited May 23 '17 at 11:52

Community

1
1

answered May 26 '16 at 11:15

PJDev

951
4
18

I am using WEB LOGIC,Do I need to change anything in the ATG API configuration or WEB LOGIC to make this working? Because I have an android app also to connect to the same API. Other wise I would have host the Angular project in the same server :) – Syam Nath May 26 '16 at 11:22
As I said, I don't know the API, so I can't tell exactly what to do. I can say, that the goal is to make responses from service send header like: `Access-Control-Allow-Origin: *`. `*` allows all applications to request the service. Instead of `*` you can enter a concrete domain name. I guess there should be something in api's configuration to allow it. If not, you could probably add the header manually to each response (by using some inheritance for example). Or maybe use some filter - I'm only guessing now. Remember to add it also to OPTIONS request in order to make it work. – PJDev May 26 '16 at 11:29
But I am very new to weblogic please help me to tweak the weblogic security group or add Access-Control-Allow-Origin: * in the weblogic – Syam Nath May 26 '16 at 11:49
I'd really like to help you, but I'm not familiar with the tools you use as well. The only thing which came to my mind at the moment is to create a filter, which will add headers to each response in the service. Something like here: https://amodernstory.com/2014/12/27/using-cors-headers-with-java-example/. Here is more about filters in WebLogic server https://docs.oracle.com/cd/E13222_01/wls/docs81/webapp/filters.html – PJDev May 26 '16 at 12:27

Access-Control-Allow-Origin ATG Rest API

2 Answers2