Hello,
when I use these settings:
HTTPServer.OnlyJSONRequests := True
FHTTPServer.AccessControlAllowed := '*'
The AccessControlAllowed does not work any more, from AJAX it is not possible to get the info. We get an error: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://oursite.nl' is therefore not allowed access.
When I set OnlyJSONRequests to False, it works OK.
Is there anybody who knows more about this behaviour?
I found the problem. My customer's web app is sending multiple content types. So it seems it is better to change the Request function a little:
function TSQLHttpServer.Request(Ctxt: THttpServerRequest): cardinal;
var
  call: TSQLRestURIParams;
  i: integer;
  P: PUTF8Char;
begin
  if (Ctxt.URL='') or (Ctxt.Method='') or
     (OnlyJSONRequests and
      // IdemPChar -> ContainsUTF8 to check for matching part of content type
      not ContainsUTF8(pointer(Ctxt.InContentType),'APPLICATION/JSON')) then
  begin
    // wrong Input parameters or not JSON request: 400 BAD REQUEST
    result := HTML_BADREQUEST
  end else
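To make the difference between the three possible checks visible, here is a stand-alone Free Pascal program (added for this thread, not code from mORMot or from the poster) that runs a prefix check like IdemPChar, a substring check like ContainsUTF8 and a proper media-type parse over a few constructed Content-Type values. It uses only SysUtils, so it does not depend on mORMot; the sample header values are made up to illustrate the cases, including one that a substring check accepts although the media type is not JSON.

```pascal
program ContentTypeCheck;
{$mode objfpc}{$H+}   // Free Pascal; drop this line for Delphi
uses
  SysUtils;

// Media type of one Content-Type value: parameters after ';' removed,
// surrounding blanks trimmed, lower-cased for comparison.
function MediaTypeOf(const Value: string): string;
var
  P: integer;
begin
  P := Pos(';', Value);
  if P > 0 then
    Result := Copy(Value, 1, P - 1)
  else
    Result := Value;
  Result := LowerCase(Trim(Result));
end;

// True when the header carries the application/json media type, ignoring
// parameters and accepting a comma-separated list of several types.
function IsJSONContentType(const Header: string): boolean;
var
  Rest, Item: string;
  P: integer;
begin
  Result := False;
  Rest := Header;
  repeat
    P := Pos(',', Rest);
    if P > 0 then begin
      Item := Copy(Rest, 1, P - 1);
      Delete(Rest, 1, P);
    end else begin
      Item := Rest;
      Rest := '';
    end;
    if MediaTypeOf(Item) = 'application/json' then
      Exit(True);
  until Rest = '';
end;

// Same test as IdemPChar(...,'APPLICATION/JSON'): case-insensitive prefix
function PrefixCheck(const Header: string): boolean;
begin
  Result := Pos('APPLICATION/JSON', UpperCase(Header)) = 1;
end;

// Same test as ContainsUTF8(...,'APPLICATION/JSON'): case-insensitive substring
function SubstringCheck(const Header: string): boolean;
begin
  Result := Pos('APPLICATION/JSON', UpperCase(Header)) > 0;
end;

const
  // constructed sample header values, not taken from any real client
  Samples: array[0..3] of string = (
    'application/json',
    'application/json; charset=UTF-8',
    'text/plain, application/json',
    'text/html; x=application/json');
var
  i: integer;
begin
  for i := 0 to High(Samples) do
    WriteLn(Format('%-34s prefix=%-5s substring=%-5s mediatype=%-5s',
      [Samples[i],
       BoolToStr(PrefixCheck(Samples[i]), True),
       BoolToStr(SubstringCheck(Samples[i]), True),
       BoolToStr(IsJSONContentType(Samples[i]), True)]));
end.
```

The third sample shows why a list of content types fails the prefix check but passes the substring check; the fourth shows the price of the substring check: it also accepts a non-JSON media type that merely mentions application/json in a parameter, whereas parsing the media type token refuses it. If OnlyJSONRequests is meant as a filter against plain browser navigation, the token comparison keeps the check as strict as the original prefix check while still accepting parameters and type lists.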
Hi,
the reason to enable this option is to prevent viewing the dataset from a normal browser session.
The main reason we use mORMot at this moment is to do advanced processing in services added to the REST server. If possible I would also prevent showing the table contents (CRUD) via REST, to have only the custom services published, but not my table contents. Is that possible? We have built an advanced uploader API based on a service:
FRESTServer.ServiceRegister(TUploader,[TypeInfo(IUploader)],sicSingle);
The best practice for this application should have only this TUploader service published, but not my table contents.
regards!
Last edited by jrvoorhorst (2014-06-12 08:01:56)
You can prevent access from browser using explicit authentication of users.
If the client did not start a session with a valid user name and password, it won't have access to the services.
You can prevent CRUD access of tables by setting the TSQLAuthGroup.AccessRights property.
See the SAD 1.18 pdf about ORM security.
You are perfectly right: a pure SOA approach is preferable to remote ORM access.
It is much more compliant with DDD best practices, for instance.
BTW, what is the exact content type which did not match 'application/json' ?
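As an added illustration of the TSQLAuthGroup.AccessRights route (this is not code from the thread or from the mORMot sources), the function below creates a group whose members can call interface-based services but have no ORM table access at all. It assumes the mORMot 1.18 units SynCommons and mORMot, a TSQLRestServer whose model contains TSQLAuthGroup, and that AuthenticationRegister() has already been called on that server; the TSQLAccessRights fields and the TSQLAuthGroup.SQLAccessRights property are used as they exist in 1.18.

```pascal
uses
  SynCommons, mORMot;

// Adds a group with no C/R/U/D right on any table and only service execution
// allowed remotely. Returns the new TSQLAuthGroup ID (0 on failure).
function AddServiceOnlyGroup(Server: TSQLRestServer;
  const GroupName: RawUTF8): TID;
var
  Rights: TSQLAccessRights;
  Group: TSQLAuthGroup;
begin
  // all GET/POST/PUT/DELETE table bits cleared: no ORM access at all
  FillChar(Rights, SizeOf(Rights), 0);
  // services only: no remote SQL, no URL-encoded SQL or DELETE
  Rights.AllowRemoteExecute := [reService];
  Group := TSQLAuthGroup.Create;
  try
    Group.Ident := GroupName;
    Group.SessionTimeout := 60;          // minutes of inactivity before the session expires
    Group.SQLAccessRights := Rights;     // serialised into the stored AccessRights text
    result := Server.Add(Group, true);
  finally
    Group.Free;
  end;
end;
```

Users created with this group (TSQLAuthUser.GroupRights pointing at it) can open a session and call the registered services, but every table URI is refused by the ORM layer before any SQL runs, which is exactly the "services only, no table contents" setup asked for above.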
Thanks for your reply. The built-in authentication cannot be used since the server is accessed from an external Ajax-enabled web app.
So I found a way which works for me now, I override the TSQLHttpServer object to TMySQLHttpServer and then override the Request function to TMySQLHttpServer.Request.
I added extra checks to that overridden Request function to only allow calling my TUploader service.
It is not a very nice solution, but that way I can do it without modifications to the mormot source.
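One way to write that override, added here as an example and not the poster's actual code: a TSQLHttpServer descendant whose Request lets only the Uploader service URIs through to the inherited handler and answers 403 to everything else, including all ORM table URIs. It assumes the mORMot 1.18 units SynCommons, SynCrtSock and mORMotHttpServer, a model root of 'root' (the interface IUploader is published as 'Uploader' under it), and the HTML_FORBIDDEN constant from the same units the thread's own snippet uses. CORS pre-flight OPTIONS requests are deliberately passed to the inherited handler, because that is where AccessControlAllowed is turned into the Access-Control-* headers; blocking them would bring back the exact error from the first post.

```pascal
uses
  SynCommons, SynCrtSock, mORMotHttpServer;

const
  // assumed model root + interface name (IUploader -> 'Uploader'), upper-cased
  // because IdemPChar() expects its pattern in upper case
  ALLOWED_PREFIX_UPPER = 'ROOT/UPLOADER';

type
  TMySQLHttpServer = class(TSQLHttpServer)
  protected
    function Request(Ctxt: THttpServerRequest): cardinal; override;
  end;

function TMySQLHttpServer.Request(Ctxt: THttpServerRequest): cardinal;
var
  URI: RawUTF8;
  L: integer;
begin
  // CORS pre-flight must still reach the inherited handler, which answers
  // OPTIONS with the Access-Control-* headers when AccessControlAllowed is set
  if IdemPropNameU(Ctxt.Method, 'OPTIONS') then begin
    result := inherited Request(Ctxt);
    exit;
  end;
  URI := Ctxt.URL;
  if (URI <> '') and (URI[1] = '/') then
    delete(URI, 1, 1);                        // normalise the leading slash
  L := length(ALLOWED_PREFIX_UPPER);
  // accept root/Uploader, root/Uploader.Method, root/Uploader/Method and a
  // query string after them; anything else (every ORM URI) is refused
  if IdemPChar(pointer(URI), ALLOWED_PREFIX_UPPER) and
     ((length(URI) = L) or (URI[L+1] in ['.', '/', '?'])) then
    result := inherited Request(Ctxt)
  else begin
    Ctxt.OutContent := '';
    Ctxt.OutContentType := '';
    result := HTML_FORBIDDEN;                 // 403 for everything but the service
  end;
end;
```

The check is on the URI only, so the inherited Request still applies OnlyJSONRequests and the service's own parameter validation afterwards; the prefix test requires a '.', '/' or '?' right after 'Uploader' so that a hypothetical 'root/UploaderAdmin' URI would not slip through on a bare prefix match.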