0

Here's the deal, any help would be greatly appreciated because as of now I am at a loss.

I'm setting custom headers in my jQuery.ajax like so:

    $.ajax({
        type: 'GET',
        url: url,
        dataType: 'json',
        // Custom request headers; any non-simple header triggers a CORS pre-flight
        headers: {
            'customHeader': 'value'
        }
        // etc...
    });

I'm using spring mvc and spring security with a custom filter and getting the header like this:

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        httpResponse.setHeader("Access-Control-Allow-Origin", "*");
        // Java string literals need double quotes
        String header = httpRequest.getHeader("customHeader");
        // ...
    }

Unfortunately the header is always null. I've tried things like using beforeSend in the ajax call, still the same effect. Can anyone please shed some light on this?

    Remote Address:127.0.0.1:8080
    Request URL:http://localhost:8080/ecom/ws/session
    Request Method:OPTIONS
    Status Code:401 Unauthorized

    Request Headers
    OPTIONS /ecom/ws/session HTTP/1.1
    Host: localhost:8080
    Connection: keep-alive
    Access-Control-Request-Method: GET
    Origin: null
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
    Access-Control-Request-Headers: accept, ecom_string_s3c, ecom_client_uuid, content-type
    Accept: */*
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8,es;q=0.6

    Response Headers
    HTTP/1.1 401 Unauthorized
    Date: Wed, 02 Jul 2014 18:15:03 GMT
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Headers: ecom_string_s3c, ecom_client_uuid, content-type
    Content-Length: 0
    Server: Jetty(6.1.26)

15
  • Why don't you use data instead of headers in your ajax call... don't reinvent the wheel :) Commented Jul 2, 2014 at 17:41
  • I'm basically rolling my own rest authentication implementation and I need the information for authentication to be stored in the header and to be separate from say the post data. Commented Jul 2, 2014 at 17:43
  • stackoverflow.com/questions/10093053/… Commented Jul 2, 2014 at 17:45
  • I've looked at that several times; the answer is quite vague. Commented Jul 2, 2014 at 17:55
  • basically I need to know how to access the header in my java filter from the httpServletRequest Commented Jul 2, 2014 at 17:57

1 Answer 1

1

For those who come across the same problem, this is an option to resolve this issue.

The problem is with the pre-flight request (OPTIONS). In your custom security filter you don't want to check this, simply because custom headers will NOT be sent with OPTIONS requests. OPTIONS requests are only there to check which methods, origins, headers, etc. are allowed.

In your custom filter for token authorization, you could filter out those requests. A quick solution could look like this:

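    // The HTTP method comes from the servlet request, not from a header
    String methode = ((HttpServletRequest) req).getMethod();
    if ("OPTIONS".equals(methode)) {
        // Pre-flight request: it carries no custom headers, so skip the token check
        log.info("OPTIONS REQUEST NO FILTER");
        chain.doFilter(req, res);
    } else {
        // Your filter
    }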

This way it skips your filter on OPTIONS requests, and your real request will be sent with the headers allowed by your CORS Filter.

Good luck.


2 Comments

That is correct, I forgot to answer this question after I found the solution. What you suggested is exactly what I did
What is methode here & How to get methods of request header to check this condition?
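
An added example (not part of the answer above or of the asker's project): a servlet filter that bypasses the token check only for genuine CORS pre-flights, i.e. OPTIONS requests carrying both Origin and Access-Control-Request-Method, and answers them itself, so any other OPTIONS request still has to present the header. The class name TokenAuthFilter, the init-param "token" and the single shared-token comparison are assumptions; customHeader is the header name from the question.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TokenAuthFilter implements Filter {   // hypothetical class name
    private static final String AUTH_HEADER = "customHeader"; // header name from the question
    private byte[] expectedToken; // assumption: one shared token, read from init-param "token"

    @Override
    public void init(FilterConfig config) throws ServletException {
        String t = config.getInitParameter("token");
        if (t == null) throw new ServletException("init-param 'token' is required");
        expectedToken = t.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        res.setHeader("Access-Control-Allow-Origin", "*");

        if (isPreflight(req)) {
            // Answer the pre-flight here; it never reaches the protected resource.
            res.setHeader("Access-Control-Allow-Methods", "GET");
            res.setHeader("Access-Control-Allow-Headers", AUTH_HEADER + ", content-type");
            res.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        // Every other request, including a plain OPTIONS, must carry the token.
        String token = req.getHeader(AUTH_HEADER);
        if (token == null
                || !MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8), expectedToken)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }

    // A CORS pre-flight is an OPTIONS request with Origin and Access-Control-Request-Method.
    static boolean isPreflight(HttpServletRequest req) {
        return "OPTIONS".equalsIgnoreCase(req.getMethod())
                && req.getHeader("Origin") != null
                && req.getHeader("Access-Control-Request-Method") != null;
    }

    @Override public void destroy() { }
}
```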
