0

I am trying to authenticate using MarkLogic. I am using the xdmp:login method; it works fine in the MarkLogic Query Console and in Postman.

But in the browser, when I call the MarkLogic login function, it throws the error below:

Error: XMLHttpRequest cannot load http://172.16.32.154:8000/v1/eval. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9001' is therefore not allowed access. The response had HTTP status code 405.

sideshowbarker
  • Possible duplicate of [Response to preflight request doesn't pass access control check](https://stackoverflow.com/questions/35588699/response-to-preflight-request-doesnt-pass-access-control-check) – John-Philip Aug 16 '17 at 08:27
  • *The response had HTTP status code 405* indicates that the server is probably not configured to allow OPTIONS requests and respond to them. https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests has details about what the browser is doing here. But the gist of it is, the server needs to be configured to respond to OPTIONS requests with a 200 or 204 and an empty response body and the right CORS Access-Control-Allow-\* response headers. – sideshowbarker Aug 16 '17 at 14:46

1 Answer

2

The problem is having client-side JS downloaded from one place trying to make a request to a different place. That's the essential part of the Access-Control-Allow-Origin error.

It appears you are serving up some content from an app server on localhost:9001 (something other than MarkLogic?), then trying to hit http://172.16.32.154:8000 (MarkLogic). That suggests a problem with your architecture: your MarkLogic instance is available for anyone to directly hit. That turns out to be a poor idea from a security point of view.

What is the host at localhost:9001? One option is that the application server in MarkLogic could host whatever you're serving up from localhost:9001, as well as modules that manage the logic you're trying to send through /v1/eval.

Let's look at an example. Suppose you have a MarkLogic application server using the filesystem for modules (note that using a modules database is preferred). Under wherever you have the root for that application server, you could have:

  • js/
  • css/
  • index.html
  • api/

In the "api" directory, you can have an XQuery or JavaScript module called login.xqy or login.sjs that does whatever you're trying to send to /v1/eval. Make sense?

Dave Cassel
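The preflight failure in the question's error message, modelled as an added example that is not part of the original thread: a simplified version of the checks a browser runs on the OPTIONS response, applied to the 405 reply and to a reply that would pass. The function and variable names are hypothetical, the `Authorization` request header is an assumption about what triggered the preflight, and both responses are constructed.

```javascript
// Added example: a simplified model of the browser's CORS preflight checks.
// `req` is the intended request, `res` the reply to OPTIONS (lower-case header names).
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];

function splitList(value) {
  return (value || '').split(',').map(s => s.trim()).filter(Boolean);
}

function checkPreflight(req, res) {
  const problems = [];
  const h = res.headers || {};
  if (res.status < 200 || res.status > 299) {
    problems.push(`status ${res.status}: OPTIONS must be answered with a 2xx`);
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (!allowOrigin) {
    problems.push('no Access-Control-Allow-Origin header');
  } else if (allowOrigin === '*' && req.credentials) {
    problems.push('wildcard origin is not accepted for credentialed requests');
  } else if (allowOrigin !== '*' && allowOrigin !== req.origin) {
    problems.push(`allowed origin ${allowOrigin} is not ${req.origin}`);
  }
  if (req.credentials && h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials: true is missing');
  }
  const methods = splitList(h['access-control-allow-methods']).map(m => m.toUpperCase());
  const methodWildcard = methods.includes('*') && !req.credentials;
  if (!SAFELISTED_METHODS.includes(req.method) && !methods.includes(req.method) && !methodWildcard) {
    problems.push(`method ${req.method} is not allowed`);
  }
  const headers = splitList(h['access-control-allow-headers']).map(x => x.toLowerCase());
  const headerWildcard = headers.includes('*') && !req.credentials;
  for (const name of req.requestHeaders.map(x => x.toLowerCase())) {
    // Authorization is never covered by the wildcard; it must be listed by name.
    const viaWildcard = headerWildcard && name !== 'authorization';
    if (!headers.includes(name) && !viaWildcard) problems.push(`header ${name} is not allowed`);
  }
  return problems;
}

// The request from the question; the Authorization header is an assumption.
const request = { origin: 'http://localhost:9001', method: 'POST',
                  requestHeaders: ['Authorization'], credentials: false };
// Constructed responses: the 405 from the error message, and a reply that passes.
const failing = { status: 405, headers: {} };
const passing = { status: 204, headers: { 'access-control-allow-origin': 'http://localhost:9001',
  'access-control-allow-methods': 'POST', 'access-control-allow-headers': 'Authorization' } };
console.log(checkPreflight(request, failing));
console.log(checkPreflight(request, passing));
```

Serving the page and the `api/` module from the same MarkLogic application server, as the answer suggests, makes the request same-origin, so none of these checks run.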