What is Access Control Allow Origin and how to use CORS in Java Spring

When a JavaScript client tries to consume data from another application, or some resource on a server, through a REST API, the server responds with an Access-Control-Allow-Origin response header to tell the client which origins may read the content of that resource. An origin identifies the client (its scheme, host and port) that sends a request to the server to fetch some resource. The clients that are allowed access can be listed explicitly. By default, a client running in the browser is not allowed to read a resource fetched from another origin.

Access-Control-Allow-Origin is part of Cross-Origin Resource Sharing (CORS), and a CORS filter must be implemented so that the server sends this header in its responses when building RESTful web services. The way this works is: when a client makes a request for a resource, the browser adds an Origin header to the request. The server validates this origin and decides whether to allow the request. If it decides to allow it, it responds with the Access-Control-Allow-Origin header; upon receiving the response, the browser compares that header against the page's origin. If they match, the browser lets the request complete; otherwise it blocks the response and throws an error.

Here is an example of a GET request made to a REST service and the corresponding response from the server. In this case, the Origin sent by the client matches the one returned by the server.

Request:

GET /test/test.json HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Gecko/ Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: application/json
Origin: http://examplesite.com

Response:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Date: Sun, 30 Aug 2015
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: http://examplesite.com

Thus, the request is allowed in the above case. If your server should allow requests from all origins, then you can set:

Access-Control-Allow-Origin: *

Here the * (wildcard) indicates that all origins are allowed to complete their request.

If you are building a REST service in Spring, you can create a simple or complex CORS filter. This filter then lets your server respond to requests accordingly. The following is a simple program from the official Spring documentation, which allows all origins to access a resource from your server.

package hello;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;

// Registered as a Spring bean, so it is applied to every request the application serves.
@Component
public class SimpleCORSFilter implements Filter {

	public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
		HttpServletResponse response = (HttpServletResponse) res;
		// Wildcard: any origin may read the response.
		response.setHeader("Access-Control-Allow-Origin", "*");
		// HTTP methods the browser may use in a cross-origin request.
		response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
		// Seconds for which the browser may cache the preflight (OPTIONS) result.
		response.setHeader("Access-Control-Max-Age", "3600");
		// Non-standard request headers the client is permitted to send.
		response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
		chain.doFilter(req, res);
	}

	public void init(FilterConfig filterConfig) {}

	public void destroy() {}
}

This program allows any origin to send GET, POST, OPTIONS and DELETE requests and serves them accordingly. The Access-Control-Max-Age header tells the browser that it may cache the result of the preflight (OPTIONS) check for 3600 seconds, i.e. 1 hour, before asking the server again.

Without the CORS filter, any cross-origin client, be it a web front end built with AngularJS or a plain JavaScript client, will not be able to fetch the data, and you will get an error thrown by the browser.

Source: Spring Documentation 1, Spring Documentation 2, StackOverFlow


Attendance.gov.in: my technical perspective!

Attendance.gov.in is an online biometric attendance system launched by the Indian Government to have a transparent view of the work ethics of government employees. This is one of the projects undertaken by the Prime Minister of India, Shri Narendra Modi.

The website looks fabulous compared to earlier government websites. It's responsive and provides a good amount of data for the public to view. But there are claims that this website leads to the computer, or sometimes the browser, hanging, and that the coding of the website is of inferior quality. So, I spent time going through the website to find evidence of either bad execution or a bad user experience.

During my entire session viewing the website, neither the website nor the system hung. It was working completely normally and didn't show any lag or signs of hanging when I tried multitasking with this website open in 2 different browsers. The website is programmed to fetch data from the server every 8 seconds so that the data displayed is updated to almost real time. But I found that, on average, the data was being refreshed every 2 to 20 seconds, and the changes in the numbers were reflected on the graph accordingly.

Websites use AJAX to create asynchronous websites. The concept behind an asynchronous website is that the website shows changes dynamically when the server changes its state, and the change is reflected in the user's browser without the user having to interact with the website. Now, there is code in this website where AJAX is used, but its effect is nullified by using async: false (screenshot below), so this beats the whole point of using AJAX.

[screenshot: blogpost1attendance]

link to this source code: here

There is also evidence that some of the charts used in the website have data hard-coded using JS. And yes, it's true (screenshot below).

[screenshot: attendance2]

link to source code: here

So with this, the question arises: will the data be manually updated every time, or is it just dummy data?
I think it's not dummy data, because this data has changed since the last time, indicating that it is manually updated. Now, there might be a better way to update data that stays relatively the same for a long period of time, but I don't know of any.

I don't think it's fair to say that we haven't used the best programmers available to do a much better job of getting this site up and running. I mean, the healthcare.gov project under the Obama administration clearly had the best people building it, but it failed miserably the first time and then recovered. So I think we are in a better state than that and can always strive to do better.

To conclude, being an ambitious project, there might be certain areas where it falls short of a website built to high standards. But as a layman, it gives me a way to have more transparency into the working of the government and marks the beginning of an era of online information sharing in India, and that is why I am extremely excited about this.

WAARTAA: web-based IRC client

You may be satisfied with IRC clients like Pidgin, XChat, mIRC or any other, but now there is a reason for you to change that: the new web-based IRC client "WAARTAA". It has a beautiful UI and appeals instantly to anyone who uses it.

"Waartaa" is a Hindi word which means to communicate, and it is apt because that is the reason it was made.
Open-sourced under the MIT License, this is one amazing project worth giving a try. It is very user friendly, has a beautiful and bold user interface, and makes it very easy to join channels or even create your own IRC server. Being a web-based IRC client offered as a service, it facilitates centralized logging, idling, and unique identification across multiple clients.

It is built on the Meteor platform: it is written in Meteor JS, uses MongoDB, incorporates node-irc (an IRC client library written in JavaScript for Node) and also uses a host of Meteorite apps.

The User Interface

[screenshot: waartaa3]

The Options

[screenshots: waartaa1, waartaa2, Selection_006, Selection_007]

The installation procedure for running it as a local application can be found here.

The question that may arise is: why another IRC client when there already exist so many of them?
Well, Waartaa has a ton of things to offer that you may have wished were present in existing clients:

• While GUI clients work only on a single machine, Waartaa running on a proper infrastructure will ensure that the user is always connected to IRC while it also captures IRC logs.
• It also provides a central place to store all the chat logs.
• No matter what device you log in to Waartaa from, YOU are always YOU on IRC and not some YOU_, YOU__, etc., which means it can identify you when you are logged in from multiple devices simultaneously.
• Being a web service, it runs flawlessly in the browser of any device, making your experience comfortable.

Source code available HERE.

Installation tutorial and procedure for Waartaa here.
Waartaa is not yet deployed and will be soon, but as of now you can run it locally and try it out. The source code and the setup instructions can be downloaded from the GitHub page.
So fork it and customize it to look the way you want your client to look. Do try it out; this might just be the thing you always wanted.