Expand allowed CORS headers for cross-origin Ajax requests #40

Closed
mkfmnn opened this issue Sep 18, 2013 · 15 comments
@mkfmnn

mkfmnn commented Sep 18, 2013

elasticsearch-jetty doesn't work with Kibana 3 because it sends an insufficiently broad set of Access-Control-Allow-* headers.

See this commit in elasticsearch core: elastic/elasticsearch@f659cad

@dakrone
Contributor

dakrone commented Sep 25, 2013

Hi @mkfmnn, I'm not really familiar with CORS, can you suggest what headers need to be added/removed in order to allow it to work with Kibana?

@mkfmnn
Author

mkfmnn commented Sep 26, 2013

The same changes made in the linked elasticsearch commit:

Access-Control-Allow-Methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Content-Length

in addition to the existing

Access-Control-Max-Age: 1728000
Access-Control-Allow-Origin: *

@tmaiaroto

This would be super awesome to have.

@bodgit
Contributor

bodgit commented Dec 9, 2013

Just ran into this issue trying to use Kibana 3, would be great to get this fixed.

bodgit added a commit to bodgit/elasticsearch-jetty that referenced this issue Dec 12, 2013
@bodgit
Contributor

bodgit commented Dec 12, 2013

I've made what I think is the required two-line change; however, I'm unsure how to build a "thing", be it a zip, jar, whatever. If I run "mvn package" it starts the test suite and the first stacktrace I get is this:

[14:06:29,288][WARN ][org.elasticsearch.org.eclipse.jetty.util.component.AbstractLifeCycle] [server1] FAILED com.sonian.elasticsearch.http.jetty.security.RestConstraintSecurityHandler@fba4a2f: java.lang.IllegalArgumentException: No method specified for PathSpec /page.
java.lang.IllegalArgumentException: No method specified for PathSpec /page.
    at com.sonian.elasticsearch.http.jetty.security.RestConstraintSecurityHandler.processConstraintMapping(RestConstraintSecurityHandler.java:255)
    at com.sonian.elasticsearch.http.jetty.security.RestConstraintSecurityHandler.doStart(RestConstraintSecurityHandler.java:192)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:59)
    at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:90)
    at org.eclipse.jetty.server.Server.doStart(Server.java:262)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:59)
    at com.sonian.elasticsearch.http.jetty.security.RestConstraintSecurityHandlerTests.testPageWithoutMethod(RestConstraintSecurityHandlerTests.java:343)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:80)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:691)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:883)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1208)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:127)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:111)
    at org.testng.TestRunner.privateRun(TestRunner.java:758)
    at org.testng.TestRunner.run(TestRunner.java:613)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:334)
    at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:329)
    at org.testng.SuiteRunner.privateRun(SuiteRunner.java:291)
    at org.testng.SuiteRunner.run(SuiteRunner.java:240)
    at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:53)
    at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:87)
    at org.testng.TestNG.runSuitesSequentially(TestNG.java:1137)
    at org.testng.TestNG.runSuitesLocally(TestNG.java:1062)
    at org.testng.TestNG.run(TestNG.java:974)
    at org.apache.maven.surefire.testng.TestNGExecutor.run(TestNGExecutor.java:70)
    at org.apache.maven.surefire.testng.TestNGDirectoryTestSuite.executeMulti(TestNGDirectoryTestSuite.java:160)
    at org.apache.maven.surefire.testng.TestNGDirectoryTestSuite.execute(TestNGDirectoryTestSuite.java:100)
    at org.apache.maven.surefire.testng.TestNGProvider.invoke(TestNGProvider.java:115)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:188)
    at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:166)
    at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:86)
    at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:101)
    at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:74)
[14:06:29,295][WARN ][org.elasticsearch.org.eclipse.jetty.util.component.AbstractLifeCycle] [server1] FAILED org.eclipse.jetty.server.Server@768f310f: java.lang.IllegalArgumentException: No method specified for PathSpec /page.
java.lang.IllegalArgumentException: No method specified for PathSpec /page.
    at com.sonian.elasticsearch.http.jetty.security.RestConstraintSecurityHandler.processConstraintMapping(RestConstraintSecurityHandler.java:255)
    at com.sonian.elasticsearch.http.jetty.security.RestConstraintSecurityHandler.doStart(RestConstraintSecurityHandler.java:192)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:59)
    at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:90)
    at org.eclipse.jetty.server.Server.doStart(Server.java:262)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:59)
    at com.sonian.elasticsearch.http.jetty.security.RestConstraintSecurityHandlerTests.testPageWithoutMethod(RestConstraintSecurityHandlerTests.java:343)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:80)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:691)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:883)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1208)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:127)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:111)
    at org.testng.TestRunner.privateRun(TestRunner.java:758)
    at org.testng.TestRunner.run(TestRunner.java:613)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:334)
    at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:329)
    at org.testng.SuiteRunner.privateRun(SuiteRunner.java:291)
    at org.testng.SuiteRunner.run(SuiteRunner.java:240)
    at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:53)
    at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:87)
    at org.testng.TestNG.runSuitesSequentially(TestNG.java:1137)
    at org.testng.TestNG.runSuitesLocally(TestNG.java:1062)
    at org.testng.TestNG.run(TestNG.java:974)
    at org.apache.maven.surefire.testng.TestNGExecutor.run(TestNGExecutor.java:70)
    at org.apache.maven.surefire.testng.TestNGDirectoryTestSuite.executeMulti(TestNGDirectoryTestSuite.java:160)
    at org.apache.maven.surefire.testng.TestNGDirectoryTestSuite.execute(TestNGDirectoryTestSuite.java:100)
    at org.apache.maven.surefire.testng.TestNGProvider.invoke(TestNGProvider.java:115)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:188)
    at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:166)
    at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:86)
    at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:101)
    at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:74)
[14:06:29,301][INFO ][org.elasticsearch.org.eclipse.jetty.server.Server] [server1] jetty-8.1.4.v20120524
[14:06:29,303][INFO ][org.elasticsearch.org.eclipse.jetty.server.AbstractConnector] [server1] Started LocalConnector@0.0.0.0:0
[14:06:29,361][INFO ][org.elasticsearch.org.eclipse.jetty.server.Server] [server1] jetty-8.1.4.v20120524
[14:06:29,363][INFO ][org.elasticsearch.org.eclipse.jetty.server.AbstractConnector] [server1] Started LocalConnector@0.0.0.0:0
[14:06:29,418][INFO ][org.elasticsearch.org.eclipse.jetty.server.Server] [server1] jetty-8.1.4.v20120524
[14:06:29,420][INFO ][org.elasticsearch.org.eclipse.jetty.server.AbstractConnector] [server1] Started LocalConnector@0.0.0.0:0
[14:06:29,475][INFO ][org.elasticsearch.org.eclipse.jetty.server.Server] [server1] jetty-8.1.4.v20120524
[14:06:29,477][INFO ][org.elasticsearch.org.eclipse.jetty.server.AbstractConnector] [server1] Started LocalConnector@0.0.0.0:0
Tests run: 28, Failures: 12, Errors: 0, Skipped: 0, Time elapsed: 921.128 sec <<< FAILURE!

Results :

Failed tests:   testEmptyPassword(com.sonian.elasticsearch.http.jetty.security.ESLoginServiceTests)
  testEmptyRoles(com.sonian.elasticsearch.http.jetty.security.ESLoginServiceTests)
  testFail(com.sonian.elasticsearch.http.jetty.security.ESLoginServiceTests)
  testSuccess(com.sonian.elasticsearch.http.jetty.security.ESLoginServiceTests)
  testTwoUsers(com.sonian.elasticsearch.http.jetty.security.ESLoginServiceTests)
  testClusterHealth(com.sonian.elasticsearch.http.jetty.JettyHttpServerAdapterTests)
  testDefaultPermissions(com.sonian.elasticsearch.http.jetty.JettyHttpServerAdapterTests)
  testIndexingAndSearching(com.sonian.elasticsearch.http.jetty.JettyHttpServerAdapterTests)
  testIndexingCreationFailsWithoutPassword(com.sonian.elasticsearch.http.jetty.JettyHttpServerAdapterTests)
  testClusterHealth(com.sonian.elasticsearch.http.filter.logging.JsonLoggingFilterHttpServerAdapterTests)
  testClusterHealth(com.sonian.elasticsearch.http.filter.logging.LoggingFilterHttpServerAdapterTests)
  testEmptyLoggingSettings(com.sonian.elasticsearch.http.filter.logging.LoggingFilterHttpServerAdapterTests)

Tests run: 28, Failures: 12, Errors: 0, Skipped: 0

Any ideas?

@bodgit
Contributor

bodgit commented Dec 12, 2013

I don't think my changes have broken the test suite as it fails in pretty much the same way if I revert my changes. I'm not a Maven wizard but using "mvn package -DskipTests" gives me a zip archive I can copy onto my ES server and it looks like it's working, Kibana 3 seems to work.

@pmusa

pmusa commented Feb 13, 2014

Hey guys, I tried to open a pull request with the updated code, but no news until now!!
I have been maintaining the plugin on my own fork.

For now I added the CORS support, as suggested by mkfmnn and upgraded the plugin for versions 0.90.10 and 1.0.0.

If you need any help, or want something added to the plugin, just let me know!!

Abs

@bodgit
Contributor

bodgit commented Apr 4, 2014

Bueller?

Any chance we can get this merged? It's a two line fix which means everyone can use this plugin with Kibana. This project is clearly maintained as it's been updated recently to work with ES 1.x but you'd never guess that looking at the issues queue.

@tmaiaroto

+1

@thejohnfreeman

The suggested fix is not enough. I use Basic authentication for my cluster, and I would need these headers to allow browsers to hit it:

Access-Control-Allow-Origin: <actual origin making request>
Access-Control-Allow-Credentials: true

https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS#Requests_with_credentials

@gaborcsardi

This is how I managed to make CORS work with Firefox, Safari and IE. As @thejohnfreeman said, one needs to send Origin back in Access-Control-Allow-Origin in JettyHttpServerRestChannel.java:

    public void sendResponse(RestResponse response) {
        resp.setContentType(response.contentType());
        resp.addHeader("Access-Control-Allow-Origin", this.restRequest.header("Origin"));
        resp.addHeader("Access-Control-Allow-Credentials", "true");
        resp.addHeader("Access-Control-Max-Age", "1728000");
        resp.addHeader("Access-Control-Allow-Methods", "OPTIONS, HEAD, GET, POST, PUT, DELETE");
        resp.addHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Content-Length");

Maybe it is enough to send these headers for OPTIONS requests, but I guess it is safe to send them every time.

For Safari, you also need to make sure that you return a 200 response instead of a 430, which is the default if you use the stock jetty-restrict-writes.xml:

  <Set name="handler">
      [...]
            <!-- ======================================== -->
            <!--      Unrestricted OPTIONS operations     -->
            <!-- ======================================== -->
            <Call name="addConstraintMapping">
                <Arg>
                    <New class="org.eclipse.jetty.security.ConstraintMapping">
                        <Set name="method">OPTIONS</Set>
                        <Set name="pathSpec">
                            *
                        </Set>
                        <Set name="constraint">
                            <Ref id="NoneSecurityConstraint"/>
                        </Set>
                    </New>
                </Arg>
            </Call>

I can send a pull request for these if you want.

@gaborcsardi

@hiredman: this is unfortunately not enough, you really need to send back the Origin in Access-Control-Allow-Origin, instead of "*", see above.

@bryanrossUK

Hi,
I'm still having this problem. When I try to use elasticsearch-jetty with Kibana, I get:
A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://elasticsearch.local.vm' is therefore not allowed access.

I've tested a basic authenticated setup with nginx instead of Jetty, and setting the following in my elasticsearch.yml file satisfied CORS:

http.cors.enabled: true
http.cors.allow-origin: http://elasticsearch.local.vm

Could the elasticsearch-jetty be extended to support the http.cors.enabled and http.cors.allow-origin configuration parameters?
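
The header logic discussed by @thejohnfreeman, @gaborcsardi and @bryanrossUK, as an added example (not code from elasticsearch-jetty or from any commenter): browsers reject `*` when credentials are sent, and echoing back whatever `Origin` arrives would grant credentialed access to every site, so this sketch echoes the origin only when it is on an allowlist. The class name `CorsPolicy`, the `corsHeaders` helper and the allowlist contents are assumptions for illustration; the header values are the ones quoted in the thread.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class CorsPolicy {
    // Constructed allowlist: the Kibana origin quoted in the browser error in this thread.
    private static final Set<String> ALLOWED_ORIGINS =
            new HashSet<>(Arrays.asList("http://elasticsearch.local.vm"));

    /** Returns the CORS response headers for a request whose Origin header is `origin` (null if absent). */
    static Map<String, String> corsHeaders(String origin) {
        Map<String, String> headers = new LinkedHashMap<>();
        // The response now differs per Origin, so shared caches must key on that header.
        headers.put("Vary", "Origin");
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            // No Access-Control-* headers: the browser refuses the cross-origin read.
            return headers;
        }
        // Echo the exact allowlisted origin; "*" is not accepted together with credentials.
        headers.put("Access-Control-Allow-Origin", origin);
        headers.put("Access-Control-Allow-Credentials", "true");
        headers.put("Access-Control-Max-Age", "1728000");
        headers.put("Access-Control-Allow-Methods", "OPTIONS, HEAD, GET, POST, PUT, DELETE");
        headers.put("Access-Control-Allow-Headers",
                "Origin, X-Requested-With, Content-Type, Content-Length");
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample origins: one allowlisted, one not, one missing.
        String[] samples = {"http://elasticsearch.local.vm", "http://other.example", null};
        for (String origin : samples) {
            System.out.println(origin + " -> " + corsHeaders(origin));
        }
    }
}
```

In a servlet or REST channel the returned map would be copied onto the response for both the OPTIONS preflight and the actual request.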

@bryanrossUK

Any feedback on this issue? If I can't use elasticsearch-jetty with Kibana, then it looks like I'll need to abandon jetty and look for another basic auth solution 👎
