GET REST request with authorization yields 403 in preflight

Hi there,

I have a problem with running the REST engine with both CORS and basic authentication enabled. Following leads to the problem:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://localhost:8082/engine-rest/process-definition');
xhr.setRequestHeader('Authorization', 'Basic ZmVsaXg6cHc=');
xhr.send();

Pretty basic. As specified, setting the Authorization header yields in an preflight request. However, this results in the status code 403 with no CORS headers set. As described in this forum post this is an issue with the authentication filter, but it isn’t. It is a problem of setting the Authorization header. If I disable basic authentication but keep setting the header, the problem still occurs.

A quick sidenote: If I test the same OPTIONS request in Postman, it works fine unless I set the Origin header to the same value as of my browser’s request. (Might be something Postman related though, as this is not the “true” origin.)

So there are two problems:

  1. Why does the request result in status code 403?
  2. Why are no CORS headers set when an error code appears? This doesn’t allow me to handle the error in code and instead it will be handled by the browser.

How could I go on about this?

Best regards
Felix

This was an error with the cors.allowed.headers of the org.apache.catalina.filters.CorsFilter filter. Adding Authorization to the default headers solved the problem.

thank you @felixlinker for the answer, i have been struggling with this for two days now.
Though, after getting rid of the 403 error, I now get 401 . I don’t think its an authorization nor credentials problem because it works fine from postman with same credentials

solved: just changed the syntax of my axios request like mentioned in their documentation from Authorization header to directly with auth:

{
    auth: {
        username: "demo",
        password: "demo"
    }
}