cors - Receiving multiple values in 'access-control-allow-origin' header of PDP API response WSO2IS 5.10.0

Question

I am using the PDP endpoint of WSO2IS, the response of preflight request contains multiple values in the Access-Control-Allow-Origin header which is creating a problem in the browser:

my web.xml configuration looks like this:

 <filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET, HEAD, POST, DELETE, OPTIONS, PATCH, PUT</param-value>
    </init-param>
    <init-param>
               <param-name>cors.exposedHeaders</param-name>
               <param-value>Access-Control-Allow-Origin, Location</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

The exact log in the console:

Access to XMLHttpRequest at 'https://{base-url}:9443/api/identity/entitlement/decision/pdp' from origin 'http://localhost:8000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values '*, http://localhost:8000', but only one is allowed.

I have tried suggestions provided in the link: https://github.com/wso2/identity-apps#run-in-dev-mode

What is wrong with this configuration or do I need to change some other configuration in order to get this working?

question from:https://stackoverflow.com/questions/65884293/receiving-multiple-values-in-access-control-allow-origin-header-of-pdp-api-res

Answer 1

If you are trying with IS version 5.11, you have to apply this config given in [1] to deploymet.toml file. From 5.11 onwards we are using a new cors configuration model [2]. So[1] is applicable only for IS5.11.0 onwards. So applying the config given in the doc [1] will not work for prior versions.

Since you are using IS5.10.0 (if it is not a 5.10.0 wum updated pack), add the below configs to web.xml.j2 file located <IS_HOME>/repository/resources/conf/templates/repository/conf/tomcat/web.xml.j2.

<filter-name>CORS</filter-name>
     <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
     <init-param>
         <param-name>cors.allowOrigin</param-name>
         <param-value>*</param-value>
     </init-param>
    <init-param>
             <param-name>cors.exposedHeaders</param-name>
             <param-value>Location</param-value>
         </init-param>
         <init-param>
             <param-name>cors.supportedMethods</param-name>
             <param-value>GET, HEAD, POST, DELETE, OPTIONS, PATCH, PUT</param-value>
         </init-param>
     </filter>
    
     <filter-mapping>
         <filter-name>CORS</filter-name>
         <url-pattern>/*</url-pattern>
         <dispatcher>FORWARD</dispatcher>
         <dispatcher>REQUEST</dispatcher>
     </filter-mapping>

If you are using a 5.10.0 wum pack, then you need to add the config to deployment.toml file. Refer to the git issue[3]

[1]https://github.com/wso2/identity-apps#run-in-dev-mode

[2]https://wso2.com/blogs/thesource/cors-with-wso2-identity-server-5.11/

[3]https://github.com/wso2/carbon-kernel/pull/2698