WAB 2.1 authorizedCrossOriginDomains in config.json how to set

3262
11
08-09-2016 11:23 AM
DavidColey
Frequent Contributor

Hi - there is a json key value pair in the config for the WAB

"authorizedCrossOriginDomains": [],

Is this set the same way we set corsEnabledServers in the api e.g.

esriConfig.defaults.io.corsEnabledServers.push("agsdev.scgov.net");

Thanks-

David

Tags (1)
0 Kudos
11 Replies
RobertScheitlin__GISP
MVP Esteemed Contributor

David,

  You are correct. You can find this in the tokenUtils.js file addWithCredentialDomain function which gets called by the ConfigLoader.js

Here is an explanation from the config-readme.txt:

//Optional. Mostly, authorizedCrossOriginDomains stores portals and arcgis servers which use web-tier authentication, such as IWA/PKI/LDAP. If your app uses web-tier portal or arcgis server resources, please put its host(maybe with port) into authorizedCrossOriginDomains.

  "authorizedCrossOriginDomains": [],

DavidColey
Frequent Contributor

Thanks Robert.  I did see the config readme explanation, wasn't clear on the '(maybe with port)' part.  My web server is aliased and so wouldn't be included.  I have an async GP causing the xhtml cross-origin response issue.  When I included the value, that solved the cross-origin issue, but hosed my proxy's access to world_route, etc

0 Kudos
DavidColey
Frequent Contributor

sorry meant to say: "My web server is aliased and so a port number wouldn't be included, I think."

0 Kudos
ChrisPedrezuela
Occasional Contributor III

Hi guys, this might not be related to the original question, but I was trying to figure out how I can disable this cors check on our internal portal server since I think cors was not enabled on it. Whenever we connect wab dev 2.1 to this internal portal it throws an xmlhttprequest error and access-origin header not found. So I was thinking of disabling something in wab dev 2.1 config to not check if our portal is cors-enabled. hope you can help me understand this as well. thanks

0 Kudos
DavidColey
Frequent Contributor

I wish I could be of more help, but I'm struggling here as well.  Everytime our firewall rules change I have to deal with cors in some fashion.  On my desktop I run a _devChrome to get around cors while in dev.  At this point I am trying to specify my domains while still allowing access to secure layers and premimum services but haven't found a real solution

0 Kudos
RobertScheitlin__GISP
MVP Esteemed Contributor

David,

  I am not in your situation with premium services or issues with CORs so all I can advice you on is what I understand the code to be doing. Sorry.

0 Kudos
DavidColey
Frequent Contributor

Yes thanks Robert, I appreciate the feedback.  I'll of course post back what I can after I can develop a work session with our IT security group

0 Kudos
RobertScheitlin__GISP
MVP Esteemed Contributor

Thanos of Titan,

I believe the CORs check is built into the JS API and not something you can turn off.

0 Kudos
ChrisPedrezuela
Occasional Contributor III

I see, thanks Robert, I thought they just added that in starting at wab dev 2.0. If I use wab dev 1.3, no issues and works fine with our portal. That is why I was wondering if there was a different implementation of security running between wab dev 1.3 and 2.0. Were still on portal 10.3, not sure how to check if CORS is enabled for that portal server. Does the CORS have to be applied for both portal and ArcGIS server box? Could you point me to a documentation where this is discussed?

0 Kudos