How to disable the CORS?

#1

Hello,

I’m trying to invoke the REST API from a custom web app (the web app is hosted on another server).

I start the Flowable environment from Docker using the following docker-compose.yml:

version: '3.6'
services:
  flowable-rest-app:
    image: flowable/flowable-rest
    depends_on:
      - flowable-db
    environment:
      - SERVER_PORT=9977
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
      - FLOWABLE.REST.APP.ADMIN.USER-ID=rest-admin
      - FLOWABLE.REST.APP.ADMIN.PASSWORD=test
      - FLOWABLE.REST.APP.ADMIN.FIRST-NAME=Rest
      - FLOWABLE.REST.APP.ADMIN.LAST-NAME=Admin
    ports:
      - 9977:9977
  flowable-modeler-app:
    image: flowable/flowable-modeler
    container_name: flowable-modeler
    depends_on:
      - flowable-db
      - flowable-idm-app
      - flowable-task-app
    environment:
      - SERVER_PORT=8888
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
      - FLOWABLE_COMMON_APP_IDM-URL=http://flowable-idm-app:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-REDIRECT-URL=http://localhost:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-ADMIN.USER=admin
      - FLOWABLE_COMMON_APP_IDM-ADMIN.PASSWORD=test
      - FLOWABLE_MODELER_APP_DEPLOYMENT-API-URL=http://flowable-task-app:9999/flowable-task/process-api
    ports:
      - 8888:8888
  flowable-task-app:
    image: flowable/flowable-task
    container_name: flowable-task
    depends_on:
      - flowable-db
      - flowable-idm-app
    environment:
      - SERVER_PORT=9999
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
      - FLOWABLE_COMMON_APP_IDM-URL=http://flowable-idm-app:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-REDIRECT-URL=http://localhost:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-ADMIN.USER=admin
      - FLOWABLE_COMMON_APP_IDM-ADMIN.PASSWORD=test
    ports:
      - 9999:9999
  flowable-idm-app:
    image: flowable/flowable-idm
    container_name: flowable-idm
    depends_on:
      - flowable-db
    environment:
      - SERVER_PORT=8080
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
    ports:
      - 8080:8080
  flowable-admin-app:
    image: flowable/flowable-admin
    container_name: flowable-admin
    depends_on:
      - flowable-db
      - flowable-idm-app
      - flowable-task-app
    environment:
      - SERVER_PORT=9988
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
      - FLOWABLE_COMMON_APP_IDM-URL=http://flowable-idm-app:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-REDIRECT-URL=http://localhost:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-ADMIN.USER=admin
      - FLOWABLE_COMMON_APP_IDM-ADMIN.PASSWORD=test
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_PROCESS_SERVER-ADDRESS=http://flowable-task-app
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_PROCESS_PORT=9999
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_PROCESS_CONTEXT-ROOT=flowable-task
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_PROCESS_REST-ROOT=process-api
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CMMN_SERVER-ADDRESS=http://flowable-task-app
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CMMN_PORT=9999
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CMMN_CONTEXT-ROOT=flowable-task
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CMMN_REST-ROOT=cmmn-api
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_DMN_SERVER-ADDRESS=http://flowable-task-app
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_DMN_PORT=9999
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_DMN_CONTEXT-ROOT=flowable-task
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_DMN_REST-ROOT=dmn-api
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_FORM_SERVER-ADDRESS=http://flowable-task-app
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_FORM_PORT=9999
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_FORM_CONTEXT-ROOT=flowable-task
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_FORM_REST-ROOT=form-api
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CONTENT_SERVER-ADDRESS=http://flowable-task-app
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CONTENT_PORT=9999
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CONTENT_CONTEXT-ROOT=flowable-task
      - FLOWABLE_ADMIN_APP_SERVER-CONFIG_CONTENT_REST-ROOT=content-api
    ports:
      - 9988:9988
  flowable-db:
    image: postgres:9.6-alpine
    container_name: flowable-postgres
    environment:
      - POSTGRES_PASSWORD=flowable
      - POSTGRES_USER=flowable
      - POSTGRES_DB=flowable
    ports:
      - 5433:5432
    command: postgres

Now if I try to make this call

http://localhost:8080/flowable-idm/app/authentication
Method: POST
Content-Type: application/x-www-form-urlencoded
payload: "j_username=admin&j_password=test&_spring_security_remember_me=true&submit=Login"

I get a CORS error.

Do you know if there is a way to launch the Docker containers with some parameters to disable CORS for development's sake?

Thanks,
Maurizio

#2

Hi Maurizio,

I had a look at the CORS issue, and what I found so far is that it is actually a Spring WebMVC issue. They have a class called DefaultCorsProcessor, which is called from AbstractHandlerMapping, that does a CORS check on all preflight requests (i.e. OPTIONS) and fails requests that do not contain an “Access-Control-Allow-Origin: *” in the header. Unfortunately, I don’t see an easy way to disable this feature.

Kevin

#3

Hi Kevin,

Thank you for the info. I will try to embed the engine and I will try to expose the stuff that I need.

Maurizio

#4

Out of curiosity, what is the desired deployment you are trying to achieve? What is the technology stack for the UI you are trying to call from?

#5

You can also try to create your own application by depending on the flowable-spring-boot-starter-rest, which is more or less what the flowable-rest app does. If you do this then you can define your own security and disable CORS (have a look here)

#6

We are trying to replace the Camunda engine (on the “back-end”) and for the modeler we are going to replace a custom React JS UI based on bpmn.io, using orxy. We are calling the REST API through a simple fetch call, something like this:

const url = "http://localhost:8080/flowable-idm/app/authentication";
let form = …
fetch(url, {
  method: "POST",
  body: form.join('&'),
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  }
}).then(response => {…});

#7

You can also try to create your own application by depending on the flowable-spring-boot-starter-rest, which is more or less what the flowable-rest app does. If you do this then you can define your own security and disable CORS (have a look here)

Thank you! I will try!

Maurizio

#8

Is there not a possibility of putting the Flowable UIs and your own application behind the same domain? I.e. putting Apache HTTP Server in front of both with a ReverseProxy configuration.

#9

We put an nginx reverse proxy with proxy_hide_header X-Frame-Options; to solve it

#10

Why would you want to disable CORS, rather than configure it properly? Spring Boot has good support for CORS.
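
What configuring CORS instead of disabling it comes down to, for the preflight check described in #2 and the login call in #6, as an added example that is not code from this thread, Flowable or Spring: a server-side decision against an explicit origin allowlist, plus the browser-side test that decides whether the script may read the response. The dev origin http://localhost:3000 and the names POLICY, corsDecision and browserExposes are assumptions.

```javascript
// Added example (not Flowable or Spring code): allowlist-based CORS decision.
// http://localhost:3000 is an assumed dev origin for the custom web app.
const POLICY = {
  origins: new Set(["http://localhost:3000"]),
  methods: ["GET", "POST"],
  headers: ["content-type"],
  credentials: true, // the login call relies on a session cookie
};

// Server side: which CORS headers to send back, or a refusal.
function corsDecision(method, reqHeaders, policy = POLICY) {
  const origin = reqHeaders["origin"];
  if (!origin) return { allow: true, headers: {} }; // no Origin header: not a CORS request
  // Exact match against the allowlist; never reflect an arbitrary Origin.
  if (!policy.origins.has(origin)) return { allow: false, headers: {} };
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (policy.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  const wantMethod = reqHeaders["access-control-request-method"];
  if (method !== "OPTIONS" || !wantMethod) return { allow: true, headers };
  // Preflight: the announced method and headers must all be permitted.
  const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = policy.methods.includes(wantMethod) &&
    wantHeaders.every((h) => policy.headers.includes(h));
  if (!ok) return { allow: false, headers: {} };
  headers["Access-Control-Allow-Methods"] = policy.methods.join(", ");
  headers["Access-Control-Allow-Headers"] = policy.headers.join(", ");
  return { allow: true, headers };
}

// Browser side: may the page's script read the response?
function browserExposes(respHeaders, pageOrigin, withCredentials) {
  const acao = respHeaders["Access-Control-Allow-Origin"];
  if (withCredentials) {
    // A wildcard is rejected for credentialed requests.
    return acao === pageOrigin && respHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// Constructed sample: the POST to /flowable-idm/app/authentication from the dev origin.
const login = corsDecision("POST", { origin: "http://localhost:3000" });
console.log(login.allow, browserExposes(login.headers, "http://localhost:3000", true));
```

A blanket "Access-Control-Allow-Origin: *" fails the browser-side check as soon as the call carries cookies, which is why an explicit allowlist is the workable development setup for a cookie-based login.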

#11

like if you want to deploy via Docker (not change the Spring code), is there a way?