
Still problems with Access-Control-Allow-Origin

Former Member
0 Kudos

Hello there,

I am developing in IntelliJ IDEA with an OpenUI5 SDK 1.36.5. While trying to access my OData Service with an ODataModel I continuously get an access error, shown below:

What have I done?

To make it short:

  • Created a new project in SAP Gateway Service Builder (TAC: SEGW)
  • Referenced a table with fields and data (not necessary, it's working)
  • Implemented the "GetEntitySet (Query)" Method in the folder "Service Implementation/VBAKUK_UI5Set" (= Name of the Entity Set)

To check the headers I use Postman. With http://[server]:[port]/sap/opu/odata/sap/ZUI5_IW74874_TEST_SRV/VBAKUK_UI5Set/ and a Basic Authorization Header (credentials to get access) I get all the data I want plus the "access-control-allow-origin*" header.

Now to the code I have written

<script>
   sap.ui.localResources("sap_ui5_playground");
   sap.ui.localResources("util");
   sap.ui.localResources("i18n");
   var oView = sap.ui.view({
        viewName: "sap_ui5_playground.Main",
        type: sap.ui.core.mvc.ViewType.HTML
   });
   oView.placeAt("content");
</script>
<script>
   var url = "http://[host]:[port]/sap/opu/odata/sap/ZUI5_IW74874_TEST_SRV/";     //url as full address
   var oModel = new sap.ui.model.odata.ODataModel(url, false, "[username]", "[password]");     //name and pw as plain text here
   sap.ui.getCore().setModel(oModel, "odata");

   var oTable = new sap.ui.table.Table({
        width: "100%",
        title: "Daten aus dem SAP mit OData",     //"Data from SAP with OData"
        editable: true,
        items: "{odata>/VBAKUK_UI5Set?$format=json&sap-client=201}"
   });
   oTable.addColumn(new sap.ui.table.Column({
        id: "Mandt",
        label: new sap.ui.commons.Label({
             text: "Mandt"
        }),
        template: new sap.ui.commons.TextView({
             text: "{odata>Mandt}"
        })
   }));

   // [more columns]

   oTable.setModel(oModel);
   oTable.placeAt("content");
</script>

I have tried several ways in code to fix the issue, but nothing worked. If you know any further way to help me I would really appreciate it. I am open to every hint you might be able to give, so don't hesitate to answer.

Best regards,

Max

Accepted Solutions (1)


jamie_cawley
Advisor
0 Kudos

This is your browser preventing a cross origin request.  You can either use a proxy to load the data, turn off your browser security, or use SAP Web IDE.

HTTP access control (CORS) - HTTP | MDN

Regards,

Jamie

SAP - Technology RIG

Former Member
0 Kudos

I know that my browser is blocking it, so my try was to turn around that by adding the origin header. Are there only these three options? If yes then I would choose proxy, I suppose.

jamie_cawley
Advisor
0 Kudos

UI5 provides a proxy, which I have only ever used in Eclipse

Use a SimpleProxyServlet for Testing to Avoid Cross-domain Requests - UI Development Toolkit for HTM...

You can turn off CORS in Chrome by starting it with --disable-web-security --user-data-dir

Regards,

Jamie

SAP - Technology RIG

Former Member
0 Kudos

I try to avoid disabling CORS because it should be used as most independent as it is possible now. If I can only use it with that, it's not very...usable, I would say. Additionally, I'm coding on OS X so it's not even possible to do that as easily as it is on Windows.

I will take a look over the UI5 Sample Proxy. It looks like a nice try for now. Thanks for that.

jamie_cawley
Advisor
0 Kudos

You can set it in the terminal on a Mac...

open '/Applications/Google Chrome.app' --args --disable-web-security --user-data-dir


Regards,

Jamie

SAP - Technology RIG

Former Member
0 Kudos

Oh thx...I didn't know that. Will try it out

Answers (3)


Former Member

Hi Max,

according to your error messages, the cross-origin request that is denied by the browser is the one to access the metadata.

<your_service>/$metadata

You set the Access-Control-Cross-Origin header for the get_entityset in DPC_EXT but not for the metadata document. This will probably have to be done in the MPC_EXT class.

Best regards,

Frank

Former Member
0 Kudos

Unfortunately, the header for service requests is set in the GW framework. I couldn't find any relevant BAdI's there either but I didn't look for too long.

That is strange, it seems odd to allow changes to headers in the response of entities but not for metadata.

Former Member
0 Kudos

Hey Frank,

I appreciate your hint about metadata. Sadly, I didn't find anything suspicious either. As long as it works for now I will use Chrome with the disabled security flag, try out some special stuff if I have time for it, and go on developing for now.

Thanks for your help

daniel_ruiz2
Active Contributor
0 Kudos

hi Frank,

Odd? - It's an issue, as soon as you lose total control of the code you end up with problems.. well, you always eventually do...

I'd assume the best way would be to extend the OData Handler (SICF Node) and manipulate your headers there - this way you can be sure you control what happens and it's still very clean and easy to roll back & switch if needed.


Cheers,

Dan.

Former Member
0 Kudos

Yes, that's what I ended up doing.

Former Member
0 Kudos

Hi Max,

I actually found a way. You can use a handler in the sicf node for gateway. See here for details:

The test method I implemented looks like this:

METHOD if_http_extension~handle_request.

     server->response->set_header_field(
       EXPORTING
         name  = 'Access-Control-Allow-Origin'
         value = '*'
     ).

     if_http_extension~flow_rc = if_http_extension~co_flow_ok_others_mand.

ENDMETHOD.

0 Kudos

Hello Frank,

I tried the same but the preflight request never reached the handlers. We have SSO SAML set up in the gateway. During HTTP debugging I've seen that the HTTP call always went first through the sequence of logon methods as defined in the SICF service before it entered the list of HTTP handlers. Hence the anonymous HTTP OPTIONS call from the browser was already blocked by the SSO logon procedure.

How did you do that in your case? How did you allow an anonymous access while at the same time keeping a logon procedure for every other user?

Thank you for your feedback

Former Member
0 Kudos

Hi Mark,

I'm not sure what the HTTP OPTIONS call would do. Never noticed it during my tests. And the oData V2 spec only mentions GET, POST, PUT/MERGE and DELETE HTTP.


(see here: Operations (OData Version 2.0) · OData - the Best Way to REST )

0 Kudos

Hello Frank,

with a CORS enabled browser a post to a SAP Gateway OData service would look like the following for a serviceXYZ:

1. HTTP OPTIONS anonymous   https://sapgateway.com/sap/opu/odata/sap/serviceXYZ/Data

2. HTTP POST       myuser         https://sapgateway.com/sap/opu/odata/sap/serviceXYZ/Data


Which browser do you use for the data posting? Which login method have you configured in the SICF service?


There is a thread which mentions that according to the CORS spec a CORS enabled application server must be able to handle the anonymous call (1). I don't see how the SAP Gateway SICF framework is able to do that. From what I've seen the SICF processes requests as such:

1. ICM receives HTTP request

2. SICF service executes Login chain

3. Once passed HTTP handler chain is being executed


The POST to the OData service failed in my case with the OPTIONS call (1) issued by Chrome because of the missing user and didn't even reach the HTTP handler chain. The same call worked from IE9 due to the missing CORS.


Mark
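The request order Mark describes, together with the header handler Frank posted, as an added example that is not part of the thread and not SAP code: a model of a front end that answers the anonymous preflight before the logon step and echoes only allow-listed origins instead of `*`. The function names, the `http://localhost:8080` origin and the `x-csrf-token` entry in the allowed headers are assumptions.

```javascript
// Added example (not from the thread): CORS handled before the logon step.
// All names are hypothetical; header keys are lower-cased as Node.js does.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080"]); // assumed dev origin
const ALLOWED_METHODS = "GET, POST, PUT, MERGE, DELETE";
const ALLOWED_HEADERS = "authorization, content-type, x-csrf-token";

function corsHeaders(origin) {
  // Echo only allow-listed origins; "*" cannot be combined with credentials.
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

function isPreflight(req) {
  return req.method === "OPTIONS" &&
    "origin" in req.headers &&
    "access-control-request-method" in req.headers;
}

// authenticate() stands in for the logon chain, backend() for the OData service.
function handle(req, authenticate, backend) {
  const origin = req.headers["origin"];
  const cors = origin ? corsHeaders(origin) : {};
  if (origin && cors === null) {
    return { status: 403, headers: {}, body: "origin not allowed" };
  }
  if (isPreflight(req)) {
    // Browsers send preflights without credentials, so answer before logon.
    return { status: 204, headers: { ...cors,
      "Access-Control-Allow-Methods": ALLOWED_METHODS,
      "Access-Control-Allow-Headers": ALLOWED_HEADERS,
      "Access-Control-Max-Age": "600" }, body: "" };
  }
  if (!authenticate(req)) {
    // Keep the CORS headers on the 401 so the calling page can read the status.
    return { status: 401, headers: { ...cors }, body: "logon required" };
  }
  const res = backend(req);
  return { ...res, headers: { ...res.headers, ...cors } };
}
```

Only the preflight bypasses authentication here; the actual GET or POST still passes through the logon step before it reaches the service.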

Former Member
0 Kudos

Good to know. I guess it won't work then.

Former Member
0 Kudos

Hi Max,

The code below will solve your problem:

var prefix = new sap.ui.commons.TextView("prefix");
// Use the local proxy path on localhost, otherwise the current host
if (window.location.hostname == "localhost") {
    prefix.setText("proxy/https/<domainName>");
} else {
    prefix.setText("https://" + window.location.hostname);
}

var url = sap.ui.getCore().byId("prefix").getText() + "/sap/opu/odata/sap/ZUI5_IW74874_TEST_SRV/VBAKUK_UI5Set/";

Thanks

Viplove Khushalani

junwu
Active Contributor
0 Kudos

Did you deploy it to the gateway server to run the app?

Former Member
0 Kudos

Nope. I only created the OData Service and access it through a URL. I know the deploying way, I wanted to try some kind of client <-> server though.

junwu
Active Contributor
0 Kudos

why waste time?

Former Member
0 Kudos

Hi Max,

You can use chrome with disabled web security flag to test before deploying it to the gateway server.

Regards

Naveen S

Former Member
0 Kudos

I am not wasting any time, I simply don't want to deploy it. What we try, or especially what I want to try out, is to access an OData Service from the SAP side without any deploying, more like a web service using SAP to retrieve data. Surely, a deployment can happen later while my project continues, but that's not relevant for now. It's more like a testing out session currently.