I've been trying to troubleshoot this for days and I've about given up.

**Working request:**

```
curl -X "PUT" "https://working.exampledomain.com/rest/myendpoint" -H "origin: https://working.exampledomain.com" -H "accept: application/json" -H "authorization: Bearer eyJddXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxOTg5MDMiLCJhaWQiOiIiLCJleHAiOjEuNzQzNDMyNDM1RTksImlhdCI6MS43MzgyNasdfzIjoiIn0.9lh5WqdFojv3uaDJA4lGwOqNARzyvniuXNB1id0R6KY" -H "content-type: application/json" -H "x-api-client-version: 2" -H "x-api-key: oL8oIPrFLBV5DZqNNNDNDfp6T9v5OEYh7FJuDHy" --data-raw "{\"assignment_status\":\"My Update\"}" -v
```

**403 request:**

```
curl -X "PUT" "https://working.exampledomain.com/rest/myendpoint" -H "origin: https://NOTworking.exampledomain.com" -H "accept: application/json" -H "authorization: Bearer eyJddXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxOTg5MDMiLCJhaWQiOiIiLCJleHAiOjEuNzQzNDMyNDM1RTksImlhdCI6MS43MzgadsfibGFfaWRzIjoiIn0.9lh5WqdFojv3uaDJA4lGwOqNARzyvniuXNB1id0R6KY" -H "content-type: application/json" -H "x-api-client-version: 2" -H "x-api-key: oL8oIPrFLBV5DZqNNNDNDfp6T9v5OEYh7FJuDHy" --data-raw "{\"assignment_status\":\"My Update\"}" -v
```

Note: The only difference between these 2 is the 'origin' domain.

NOT working result:

Server Error 403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

I can't find anything more about the error in logs or anywhere else. I've enabled

CORS is enabled in my web.config file, but even disabling it doesn't seem to make any difference. Here's my CORS entry:

```xml
<cors enabled="true" failUnlistedOrigins="true">
    <add origin="*" allowed="false" />
    <add origin="https://*.exampledomain.com" allowCredentials="true">
        <allowHeaders allowAllRequestedHeaders="true" />
        <allowMethods>
            <add method="HEAD" />
            <add method="GET" />
            <add method="PUT" />
            <add method="POST" />
            <add method="DELETE" />
            <add method="OPTIONS" />
        </allowMethods>
    </add>
</cors>
```

I'm using the hosts file to point that domain locally, so we can eliminate any outside network issues.

Basic auth is Disabled, anonymous is enabled.

I've enabled Failed Request Logging for 403s, but nothing gets written.

This request is served by ColdFusion. I've made sure all of the permissions are set correctly for the IIS user, app pool user, etc. on the ISAPI DLL (jakarta/isapi_redirect.dll).

It almost doesn't seem like a CORS issue since it does show the NOTworking domain allowed as well as the PUT verb.

Here's the full response when it fails:

first curl response chunk

second curl response chunk

Sorry, I had to post most of this as an image because stackoverflow keeps telling me my post is spam. Any guidance is much appreciated.

Here's the warning from the failed request log: Failed warning

  • Have you tried directly adding the domain which is failing with the 403 in the CORS rule? Something like this: `<add origin="https://NOTworking.exampledomain.com" allowCredentials="true" />`. Also, in the IIS request filtering, add the domain in allow URL and add all the verbs in the allowed verb list. Commented Feb 6 at 7:02
  • Thanks @JalpaPanchal. I added all of the verbs to allow list. The Allow URL rule only allows you to enter a relative path like /rest/ instead of a full URL. I added /rest/. But, unfortunately, I'm still getting the 403 error Commented Feb 6 at 17:20
  • Could you check the IIS logs for the sub-status code? And for failed request tracing, can you set the status code to 300-500 and reproduce the issue? Commented Feb 7 at 7:07
  • Hi @JalpaPanchal. I was able to get failed request tracing working. Here's the warning I get: i.sstatic.net/fzEsWiW6.jpg Substatuscode = 0 Commented Feb 12 at 2:36
  • Have you tried setting `failUnlistedOrigins="false"`? Have you checked from ColdFusion that it is not blocking the request? I think you could try to use the Process Monitor tool. Commented Feb 26 at 13:57
