Controllerless Networks

last person joined: 5 hours ago 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

Cross Origin Request Sharing (CORS) Error on IAP-Captive Portal Integration

Jump to Best Answer
  • 1.  Cross Origin Request Sharing (CORS) Error on IAP-Captive Portal Integration

    Posted Feb 05, 2020 04:03 PM

    I’ve encountered a problem while integration testing my Captive Portal application with an IAP303HR Access Point. The Captive Portal is a Java Servlet web application. It is deployed on an external server hosted by Heroku. The corresponding External Captive Portal entity defined on the IAP is configured to use Radius Authentication.

     

    Guest Users interact with the Captive Portal application and then, if they qualify for Wi-fi access, the Captive Portal client sends an HTTP Post request to securelogin.mydomain.com/cgi-bin/login. A certificate for the domain securelogin.mydomain.com is deployed on the IAP and it is associated with the Captive Portal.

     

    Because the URL for the Captive Portal application and the URL for Authentication have two different domains and origins, the browser initiates the Cross-Origin Request Sharing (CORS) protocol on the HTTP POST request for authentication. It includes an ORIGIN header in this request as follows:

     

    Origin: https://myherokuappname.herokuapp.com

     

    The browser expects an Access-Control-Allow-Origin header in the authentication response from the IAP. This header indicates the second origin, the IAP, accepts the HTTP POST request from the first origin or from any origin. The header might look something like the following:

     

    Access-Control-Allow-Origin: “*”     or

    Access-Control-Allow-Origin: “myherokuappname.herokuapp.com”  (in my case)

     

    But, the response that is returned by the IAP does not include this header and the browser returns an error to the Captive Portal client script (Javascript), as follows:

     

    Access to XMLHttpRequest at 'https://securelogin.hmgnapps.com/cgi-bin/login' from origin 'https://my-heroku-app-name.herokuapp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

     

    By the way, the IAP returns a 200 OK response to the authentication request and the guest user is granted internet access. But, the client script receives an error indication. The following is the HTTP response returned by the IAP:

     

    HTTP/1.1 200 OK

    Content-Type: text/html; charset=utf-8

    Pragma: no-cache

    Strict-Transport-Security: max-age=604800

    Cache-Control: max-age=0, no-store

     

    I used both the Chrome browser (Version 79) and the Firefox browser (Version 72) to perform integration testing and they both returned similar error messages. The sofware version of my IAP is 8.5.0.5.

     

    It may be possible to work around the error returned by the browser. But, I believe this issue should be resolved within the IAP. I would appreciate any comments or suggestions.



  • 2.  RE: Cross Origin Request Sharing (CORS) Error on IAP-Captive Portal Integration
    Best Answer

    Posted Feb 06, 2020 05:44 AM

    I have not heard of this issue before, and I don't think that you can enable CORS headers on the IAP (at this point, don't know either if that is the solution).

     

    Can you share the code that you are using?

    What is the purpose of the JavaScript?

     

    It looks like you are using the JavaScript to post the credentials, instead of the user to click and have the browser post credentials to the IAP.



  • 3.  RE: Cross Origin Request Sharing (CORS) Error on IAP-Captive Portal Integration
    Best Answer

    Posted Feb 12, 2020 04:38 PM

    Thanks for your reply. The front end of the Captive Portal was developed using the AngularJS framework. The portal application has multiple views. http requests to back-end resources are invoked either by AngularJS or application scripts. Information in http responses is processed by scripts and results in changes to the user interface.

     

    I haven't tried invoking authentication using input elements. I prefer not to do it that way for a few reasons. But, perhaps I should test this option in any case and see what happens.

     

    The following is the code that invokes the http post for guest user authentication:

     

    service.authenticateRequest = function () {
    	var credentials = {};
    	var postURL = 'https://securelogin.hmgnapps.com/cgi-bin/login';
    			
    	credentials.user = "guest1";
    	credentials.password = "mypassword";
    	credentials.cmd = "authenticate";
    	
    	console.log("sending authentication request");
    	
    	return $http({
    	    method: "POST",
    	    url: postURL,
    	    data: credentials,
    	    transformRequest: function(obj) {
    	        var str = [];
    	        for(var p in obj)
    	        str.push(encodeURIComponent(p) + "=" + encodeURIComponent(obj[p]));
    	        return str.join("&"); 
    	        },
            transformResponse: function (data, header) {
                var transData = {};
                transData.html = data;
                console.log("Transformed response data: ", transData);
                return transData;
                },
    	    headers : {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
    	    }).then(function onSuccess(response){
    	    		    console.log(response.status);
    	    			console.log(response.data);
    	    			return(response.status);
    	    		}, function onError(error) {
    	    			console.log("Unknown Error");
    	    			console.log(error);
    	    		});
        	
        };

     



  • 4.  RE: Cross Origin Request Sharing (CORS) Error on IAP-Captive Portal Integration

    Posted Feb 13, 2020 04:40 PM

    Note: I created a case for the problem described in the original post that's been accepted by the Aruba TAC for review. As such, I've closed this discussion point by accepting the response that I received. I'd be interested to hear if anyone else experiences the issue described in this post in the future. Thanks.



  • 5.  RE: Cross Origin Request Sharing (CORS) Error on IAP-Captive Portal Integration

    Posted Jan 08, 2021 11:33 PM
    @rswillner5411, We have exactly the same problem. the IAP has no OPTIONS method implemented and as result we cannot invoke the POST method from JavaScript. I wish to see it fixed ASAP, but for now, unfortunately​ I should report to my manager that Aruba is not compatible and cannot be integrated with our system. :(

    ------------------------------
    Alexander Shulgin
    ------------------------------