Re: Config Shiro to allow CORS requests


Stephen Agyepong
On the server, where you are returning a response, you will do something like this:

    static void sendTextResponseInternal(String text, String contentType, String filename, ExecutionContextImpl eci,
            HttpServletRequest request, HttpServletResponse response,
            Map<String, Object> requestAttributes) {

        // Set the CORS headers before any of the response body is written
        response.addHeader("Access-Control-Allow-Origin", "http://localhost:8100")
        response.addHeader("Access-Control-Allow-Credentials", "true")
        response.addHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, OPTIONS")
        response.addHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, api_key, header")

        // ... rest of the method (writing the response) is not shown in the post
    }

On Wed, Mar 14, 2018 at 11:18 PM, Gary <[hidden email]> wrote:
I have a server REST API secured with shiro.ini, which uses authc.loginUrl to
redirect all requests that are not logged in.
I have a separate Angular2-based web app that is trying to access the server's REST
services. From the browser console, I can see the server redirected the request to
the login URL configured in shiro.ini, but because the Angular2 web server and
backend server URLs are different, the login page is not displayed. The CORS
error message was "<login URL> has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested resource".
I heard that if I add the Access-Control-Allow-Origin header to the server
response (not sure if only the login page response or all the responses),
the problem will get resolved. But since I only used web.xml and shiro.ini
for Shiro, I am not sure how to do that with these two files.
Any sample code will be highly appreciated.
