ODATA - CORS Support

1

We are testing some different grid tools in order to display SQLA 17 data in a client website.

After lots of trial and error I am down to this error message as the grid tool attempts to access a published table of an SQLA ODATA producer:

16:06:06.282 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://myserver:8087/Client01/OSigerClientWeb/Contact?%24top=20&%24select=ContactID%2CFirstName&%24inlinecount=allpages. (Reason: CORS header Access-Control-Allow-Origin missing).

The tool's documentation mentions that this is a possibility but does not give much in terms of a solution other than that the server holding the data needs to support CORS headers:

One common pitfall that occurs during communication with remote web services from JavaScript is the Same-Origin Policy. It is a security restriction enforced by web browsers that do not directly allow HTTP communication between different domains (not even between endpoints located at two different ports of the same website).

To consume a web service from JavaScript, the web service has to support the Cross-Origin Resource Sharing feature, also known as CORS.

I checked the SQLA DCX for any mention of CORS and while I did not find it in any of the ODATA sections, I did find it in the miscellaneous changes and enhancements section but only for HTTP services created within the database.

So the question is: Is there a way to get around this issue with ODATA and CORS?

asked 15 May '18, 17:33

Siger%20Matt's gravatar image

Siger Matt
3.3k5672101
accept rate: 15%

Very wild guess: Does that doc topic on CSRF (cross-site request forgery attacks) apply to your situation?

(16 May '18, 03:28) Volker Barth
Replies hidden
1

It's possible, but I think that relates to a different possible vulnerability.

This CORS issue seems to be that the browser checks to see if the server allows communication from other domains when that communication is called from within javascript.

(16 May '18, 14:42) Siger Matt

Hm, I don't know that, I'm out of my wits

(17 May '18, 05:51) Volker Barth
2

This article may provide some clues.

(17 May '18, 07:57) Breck Carter
2 Answers:
active answersoldest answersnewest answerspopular answers
3

The SQL Anywhere OData Server has been fixed to correctly respond to these requests. Please contact support to request 17.0.9.4829 or later.

Another work around is to build your own Jetty server and enable the CrossOriginFilter when including the OData Producer servlet.

permanent link

answered 22 Jun '18, 14:02

PhilippeBertrand%20_SAP_'s gravatar image

PhilippeBert...
1.8k42139
accept rate: 22%

1

For Windows and Mac OSX, EBF 17.0.9.4838 has been published in the mean time. See Engineering Case #815560 in the readme file for the CORS details.

(08 Aug '18, 03:45) Volker Barth
2

SQL Anywhere OData Server does not support CORS at this time however it is simply a sample server. The OData Producer is a java servlet that can be deployed into your own webserver, which you can configure for CORS support. https://archive.sap.com/documents/docs/DOC-67267 is an article describing the process of integrating into another webserver.

permanent link

answered 17 May '18, 09:18

PhilippeBertrand%20_SAP_'s gravatar image

PhilippeBert...
1.8k42139
accept rate: 22%

So if we are already utilizing IIS for the front-end portion of the eventual solution, the docs seem to indicate that we will also need a separate webserver as IIS does not support java servlets:

Third-party HTTP server set up

To use OData Producers with a third-party HTTP server, such as Apache or IIS, deploy the OData Producers to the server. Run OData Producers as Java Servlets that can be loaded into the HTTP server that support version 3.1 of the Java Servlet API. For example, Tomcat can be used as a Java Servlet container and paired with an Apache HTTP server.

Note IIS cannot execute Java Servlets, but you can configure a connector that redirects Servlet requests from an IIS server to another server that is able to run them.

From:DCX How to set up an OData server

(17 May '18, 10:33) Siger Matt
Replies hidden

You can certainly use Tomcat as servlet container with IIS, although it's quite less documented than with Apache...

(17 May '18, 12:28) Volker Barth

Would you happen to have a small sample of using CORS against our OData Producer?

(29 May '18, 13:11) PhilippeBert...

Yes definitely - should I email it or try to post it here?

(31 May '18, 10:00) Siger Matt

Sorry ... for some reason I don't get notifications. You can email me philippe.bertrand at sap.

(18 Jun '18, 15:05) PhilippeBert...

I have a repro using simple requests that don't involve preflight OPTIONS requests so if yours has those, that would be great.

(18 Jun '18, 17:12) PhilippeBert...
showing 1 of 6 show all flat view
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×16
×1

question asked: 15 May '18, 17:33

question was seen: 2,290 times

last updated: 08 Aug '18, 03:47

Related questions

Entity Framework and OData error

OData: Producer doesn't properly forward database error messages

Hints on finding performance bottlenecks on OData producer

How to interpret diagnostic file with "org.eclipse.jetty.io.EofException"

Are Stored Procedures allowed on ReadOnly OData Producer?

OData ODSL service model setup to expose procedures as services only.

OData and user-defined function

ASA16 ODATA and Visual Studio 2012

OData and self referencing entity

ODATA windows/integrated authentication