Tuesday, January 07, 2014

HTTP CORS Access-Control-Allow-Methods

I spent a few frustrating hours last week trying to figure out why PUT requests to a littleware web service I'm developing failed with an "unauthorized" HTTP 403 error code. I was thrown off for a while, because I assumed there was an error in the authentication and authorization filter protecting the web service, but that code worked fine for GET and POST requests, and the PUT requests didn't even appear in the server logs.

Anyway - long story short - I finally realized that the CORS filter protecting the web service was denying PUT requests by default. Fortunately, the open-source filter I'm using makes it easy to add PUT requests to the 'Access-Control-Allow-Methods' HTTP header in the pre-flight response.

So happy ending - the code works, and on to the next problem. This kind of bug is so frustrating though - when I do something a little out of the ordinary (HTTP PUT) that breaks some little part of a system that I've completely forgotten about, because it always works fine, and time is lost tracking down some configuration change rather than fixing logic bugs in code. C'est la vie!

No comments: