Question Re: Still problems with Access-Control-Allow-Origin in Technology Q&A

Still problems with Access-Control-Allow-Origin

Former Member — Thu, 19 May 2016 17:44:12 GMT

Hello there,

i am developing in IntelliJ IDEA with an OpenUI5 SDK 1.36.5. While trying to access my Odata Service with an ODataModel i get continuously an access error seeing below:

What have i done?

Too make it short:

Created a new project in SAP Gateway Service Builder (TAC: SEGW)
Referenced a table with fields and data (not necessary, its working )
Implemented the "GetEntitySet (Query)" Method in the folder "Service Implementation/VBAKUK_UI5Set" (= Name of the Entity Set)

To check the headers i use Postman. With http://[server]:[port]/sap/opu/odata/sap/ZUI5_IW74874_TEST_SRV/VBAKUK_UI5Set/ and an Basic Authorization Header (credentials to get access) i get all the data i want plus the "access-control-allow-origin →*" header.

Now to the code i have written

   viewName: "sap_ui5_playground.Main",
   type: sap.ui.core.mvc.ViewType.HTML
   });
   oView.placeAt("content");
</script>
<script>
   var url = "http://[host]:[port]/sap/opu/odata/sap/ZUI5_IW74874_TEST_SRV/";     //url as full address
   var oModel = new sap.ui.model.odata.ODataModel(url, false, "[username]", "[password]");     //name and pw as plain text here
   sap.ui.getCore().setModel(oModel, "odata");

   var oTable = new sap.ui.table.Table({

        width: "100%",
        title: "Daten aus dem SAP mit OData",
        editable: true,
        items: "{odata>/VBAKUK_UI5Set?$format=json&sap-client=201}"
   });
   oTable.addColumn(new sap.ui.table.Column({

id: "Mandt",
label: new sap.ui.commons.Label({

             text: "Mandt"
        }),
        template: new sap.ui.commons.TextView({

text: "{odata>Mandt}"
})

}));

[more columns]

oTable.setModel(oModel);

oTable.placeAt("content");

I tried several ways in coding to fix the issue yet, nothing worked. If you know any way further to help me i would really appreciate it. I am open for every hint you're might be able to give, so don't hesitate to answer

Best regards,

Max

Re: Still problems with Access-Control-Allow-Origin

jamie_cawley — Thu, 19 May 2016 19:04:18 GMT

This is your browser preventing a cross origin request. You can either use a proxy to load the data, turn off your browser security, or use SAP Web IDE.

HTTP access control (CORS) - HTTP | MDN

Regards,

Jamie

SAP - Technology RIG

Re: Still problems with Access-Control-Allow-Origin

junwu — Thu, 19 May 2016 19:42:27 GMT

did u deploy it to the gateway server to run the ap?

Re: Still problems with Access-Control-Allow-Origin

Former Member — Thu, 19 May 2016 19:52:40 GMT

I know that my browser is blocking it, so my try was to turn around that by adding the origin header. Are there only these three options? If yes then i would choose proxy i suppose

Re: Still problems with Access-Control-Allow-Origin

Former Member — Thu, 19 May 2016 19:54:43 GMT

Nope. I only created the OData Service and access it through an URL. I know the deploying way, i wanted to try some kind of client <-> server though.

Re: Still problems with Access-Control-Allow-Origin

jamie_cawley — Thu, 19 May 2016 20:19:31 GMT

UI5 provides a proxy, which I have only ever used in eclipse

Use a SimpleProxyServlet for Testing to Avoid Cross-domain Requests - UI Development Toolkit for HTML5 (SAPUI5) - SAP Li…

You can turn off cors in chrome by starting it with --disable-web-security --user-data-dir

Regards,

Jamie

SAP - Technology RIG

Re: Still problems with Access-Control-Allow-Origin

Former Member — Thu, 19 May 2016 20:51:01 GMT

I try to avoid disabling CORS because it should be used as most independent as it is possible now. If i can only use it with that its not very...usable i would say additionally, i'm coding on OS X so it's not even possible to do that as easily as it is on Windows

I will take a look over the UI5 Sample Proxy. It looks like a nice try for now. Thanks for that

Re: Still problems with Access-Control-Allow-Origin

junwu — Thu, 19 May 2016 23:50:29 GMT

why waste time?

Re: Still problems with Access-Control-Allow-Origin

Former Member — Fri, 20 May 2016 09:27:36 GMT

Hi Max,

You can use chrome with disabled web security flag to test before deploying it to the gateway server.

Regards

Naveen S

Re: Still problems with Access-Control-Allow-Origin

jamie_cawley — Fri, 20 May 2016 11:05:07 GMT

You can set in the terminal on a mac...

open '/Applications/Google Chrome.app' --args --disable-web-security --user-data-dir

Regards,

Jamie

SAP - Technology RIG

Re: Still problems with Access-Control-Allow-Origin

Former Member — Fri, 20 May 2016 13:48:23 GMT

Oh thx...i didn't know that. Will try it out

Re: Still problems with Access-Control-Allow-Origin

Former Member — Fri, 20 May 2016 13:51:59 GMT

I am not wasting any time, i simply don't want to deploy it. What we try, or specially i want to try out is to access an OData Service from the SAP side without any deploying, more like a web service using SAP to retrieve data. Surely, a deployment can happen later while my project continues, but that's not relevant for now It's more like a testing out session currently

Re: Still problems with Access-Control-Allow-Origin

Former Member — Mon, 23 May 2016 15:50:27 GMT

Hi Max,

according to your error messages, the cross-origin request that is denied by the browser is the one to access the metadata.

<your_service>/$metadata

You set the Access-Control-Cross-Origin header for the get_entityset in DPC_EXT but not for the metadata document. This will probably have to be done in the MPC_EXT class.

Best regards,

Frank

Re: Still problems with Access-Control-Allow-Origin

Former Member — Mon, 23 May 2016 18:24:39 GMT

Unfortunately, the header for service requests is set in the GW framework. I couldn't find any relevant BAdI's there either but I didn't look for too long.

That is strange, it seems that odd to allow changes to headers in the response of entities but not for metadata.

Re: Still problems with Access-Control-Allow-Origin

Former Member — Mon, 23 May 2016 20:59:43 GMT

Hey Frank,

i appreciate your hint about metadata. Sadly, i didn't find any suspicious too. As long as it works for now i will use Chrome with disabled security flag, trying out some special stuff if i have time for it and go further on developing currently.

Thanks for your help

Re: Still problems with Access-Control-Allow-Origin

daniel_ruiz2 — Mon, 23 May 2016 22:55:48 GMT

hi Frank,

Odd? - It's an issue, as soon you lose total control of the code you end up with problems.. well, you always eventually do...

I'd assume the best way would be to extend the OData Handler (SICF Node) and manipulate your headers there - this way you can be sure you control what happens and it's still very clean and easy to roll back & switch if needed.

Cheers,

Dan.

Re: Still problems with Access-Control-Allow-Origin

Former Member — Mon, 23 May 2016 23:30:48 GMT

Yes, that's what I ended up doing.

Re: Still problems with Access-Control-Allow-Origin

Former Member — Mon, 23 May 2016 23:32:39 GMT

Hi Max,

I actually found a way. You can use a handler in the sicf node for gateway. See here for details:

The test method I implemented looks like this:

METHOD if_http_extension~handle_request.

server->response->set_header_field(

EXPORTING

name = 'Access-Control-Allow-Origin'

value = '*'

if_http_extension~flow_rc = if_http_extension~co_flow_ok_others_mand.

ENDMETHOD.

Re: Still problems with Access-Control-Allow-Origin

Former Member — Tue, 24 May 2016 09:00:51 GMT

Hi Max,

Below code will solve your problem :

var prefix = new sap.ui.commons.TextView("prefix"); if (window.location.hostname == "localhost") {prefix.setText("proxy/https/<domainName>");} else {prefix.setText("https://" + window.location.hostname);}

var url = sap.ui.getCore().byId("prefix").getText() + "sap/opu/odata/sap/ZUI5_IW74874_TEST_SRV/VBAKUK_UI5Set/ "

Thanks

Viplove Khushalani

Re: Still problems with Access-Control-Allow-Origin

Former Member — Tue, 14 Jun 2016 12:12:21 GMT

Hello Frank,

I tried the same but the preflight request never reached the handlers. We have SSO SAML setup in the gateway during http debugging I've seen that the HTTP call always went first through the sequence of logon methods as defined in the SICF service before it entered the list of http handlers. Hence the anonymous HTTP OPTIONS call from the browser was already blocked by the SSO logon procedure.

How did you do that in your case? How did you allow an anonymous access while at the same time keeping a logon procedure for every other user?

Thank you for your feedback