I’ve encountered a problem while integration testing my Captive Portal application with an IAP303HR Access Point. The Captive Portal is a Java Servlet web application. It is deployed on an external server hosted by Heroku. The corresponding External Captive Portal entity defined on the IAP is configured to use Radius Authentication.
Guest Users interact with the Captive Portal application and then, if they qualify for Wi-Fi access, the Captive Portal client sends an HTTP Post request to securelogin.mydomain.com/cgi-bin/login. A certificate for the domain securelogin.mydomain.com is deployed on the IAP and it is associated with the Captive Portal.
Because the URL for the Captive Portal application and the URL for Authentication have two different domains and origins, the browser initiates the Cross-Origin Request Sharing (CORS) protocol on the HTTP POST request for authentication. It includes an ORIGIN header in this request as follows:
Origin: https://myherokuappname.herokuapp.com
The browser expects an Access-Control-Allow-Origin header in the authentication response from the IAP. This header indicates the second origin, the IAP, accepts the HTTP POST request from the first origin or from any origin. The header might look something like the following:
Access-Control-Allow-Origin: "*" or
Access-Control-Allow-Origin: "myherokuappname.herokuapp.com" (in my case)
But, the response that is returned by the IAP does not include this header and the browser returns an error to the Captive Portal client script (JavaScript), as follows:
Access to XMLHttpRequest at 'https://securelogin.hmgnapps.com/cgi-bin/login' from origin 'https://my-heroku-app-name.herokuapp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
By the way, the IAP returns a 200 OK response to the authentication request and the guest user is granted internet access. But, the client script receives an error indication. The following is the HTTP response returned by the IAP:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Strict-Transport-Security: max-age=604800
Cache-Control: max-age=0, no-store
I used both the Chrome browser (Version 79) and the Firefox browser (Version 72) to perform integration testing and they both returned similar error messages. The software version of my IAP is 8.5.0.5.
It may be possible to work around the error returned by the browser. But, I believe this issue should be resolved within the IAP. I would appreciate any comments or suggestions.
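The browser-side check described in the post, written out as an added example (not code from the original post or from Aruba): a small model of the CORS response check a browser applies to a cross-origin POST, run over the IAP response headers quoted above and over a few alternative Access-Control-Allow-Origin values, plus an allowlist-based header builder of the kind an authentication endpoint would emit. The portal origin is taken from the error message in the post; the response header variants and the allowlist are constructed for illustration.

```javascript
// Added example, not the original post's code: model of the browser's CORS
// response check, plus an allowlist-based header builder for the server side.

// Parse raw "Name: value" header lines into a lower-cased name -> value map.
function parseHeaders(raw) {
  const map = {};
  for (const line of raw.trim().split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue; // skips the "HTTP/1.1 200 OK" status line
    map[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return map;
}

// Decide whether a browser would expose a cross-origin response to script.
// Mirrors the Fetch spec's CORS check: the header must be "*" or an exact
// match of the request origin (scheme, host and port), and "*" is rejected
// when the request carried credentials.
function corsCheck(requestOrigin, headers, { credentials = false } = {}) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  if (acao === "*") {
    return credentials
      ? { allowed: false, reason: "'*' is not accepted when credentials are included" }
      : { allowed: true, reason: "wildcard origin" };
  }
  if (acao !== requestOrigin) {
    return { allowed: false, reason: `'${acao}' does not match origin '${requestOrigin}'` };
  }
  if (credentials && headers["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentials sent but Access-Control-Allow-Credentials is not 'true'" };
  }
  return { allowed: true, reason: "exact origin match" };
}

// Server side: derive CORS headers from an explicit allowlist rather than
// reflecting whatever Origin arrives. An origin that is not allowlisted gets
// no CORS headers at all, so the browser blocks the response.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    Vary: "Origin", // keep shared caches from serving one origin's answer to another
  };
}

// Constructed sample: the IAP response quoted in the post, with no CORS header.
const IAP_RESPONSE = `HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Strict-Transport-Security: max-age=604800
Cache-Control: max-age=0, no-store`;

// Portal origin as it appears in the browser error message in the post.
const PORTAL_ORIGIN = "https://my-heroku-app-name.herokuapp.com";

function demo() {
  const results = {};
  // 1. The response as returned by the IAP: blocked, header missing.
  results.asReturnedByIap = corsCheck(PORTAL_ORIGIN, parseHeaders(IAP_RESPONSE));
  // 2. Host name without scheme, as written in the post: browsers compare
  //    whole origins, so this value would also be blocked.
  results.hostOnly = corsCheck(PORTAL_ORIGIN, {
    "access-control-allow-origin": "my-heroku-app-name.herokuapp.com",
  });
  // 3. Exact origin including scheme: allowed.
  results.exact = corsCheck(PORTAL_ORIGIN, { "access-control-allow-origin": PORTAL_ORIGIN });
  // 4. Wildcard with credentials (cookies or TLS client certs): blocked.
  results.wildcardWithCreds = corsCheck(
    PORTAL_ORIGIN, { "access-control-allow-origin": "*" }, { credentials: true });
  // 5. Allowlist builder for the portal origin and for an unknown origin.
  results.allowlisted = corsHeadersFor(PORTAL_ORIGIN, [PORTAL_ORIGIN]);
  results.notAllowlisted = corsHeadersFor("https://other.example", [PORTAL_ORIGIN]);
  return results;
}

for (const [name, r] of Object.entries(demo())) {
  console.log(name, JSON.stringify(r));
}
```

Case 2 is the one worth noting against the post: a browser only accepts an Access-Control-Allow-Origin value that is "*" or equal to the full origin string it sent, so the value must carry the https:// scheme. Case 4 matters for a login endpoint that relies on cookies, since "*" is never accepted on a credentialed request; the allowlist builder returns the exact origin for that reason, and deliberately returns nothing for origins it does not know.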