João Mendes - 1 month ago

Question

Circumventing web security limitations between two sites on the same server

I'm using Eclipse to develop an app that consists of an Angular 2 front end and a Java REST back end.

For the front end, I'm using the Angular CLI plugin, which starts the app by issuing an ng serve command to the CLI. This command sets up an HTTP server on port 4200.

For the back end, I'm using an in-company framework that launches in Jetty within Eclipse on port 8088.

While both these ports are configurable, by nature of the frameworks and plugins in use, they'll always be distinct.

Authentication works via an OAuth2 service that is also deployed to port 8088, as part of the framework. This service sets a cookie which certifies the browser session as authenticated. I have verified that this service works correctly by testing it against a Swagger instance of the REST API (also running in 8088 as part of the same framework).

The problem is that when the browser is aimed at the Angular 2 app on :4200, its internal REST API requests to :8088 aren't carrying the authentication cookie. Presumably, this is because of cross-site protection.

Is there any way for the app or the framework to tell the browser that these two "sites" are actually part of the same system?

Alternatively, if I have to configure the dev browser (Chrome) to work, I can live with that too. However, I've tried the --disable-web-security --user-data-dir recommendation, but the cookie still doesn't show up on the requests.

Lastly, I have Apache installed on the dev machine. If I can set up appropriate vhosts and use it as a proxy so that the browser thinks it's all the same, that would probably work too. It would just be a matter of intercepting all /swagger and /api requests and sending them to :8088, and forwarding all other requests to :4200. However, I've been banging my head against mod_rewrite and mod_proxy and haven't been able to come up with anything that works.

Answer

I think what you're looking for is

withCredentials = true

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
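The two URLs in the question differ only by port, which is enough to make them different origins (though the same site, so SameSite cookie rules are not what blocks them). A cross-origin XMLHttpRequest or fetch omits cookies unless the request itself opts in, and even then the browser only lets the cookie travel if the :8088 server answers with Access-Control-Allow-Credentials: true and an explicit, non-wildcard Access-Control-Allow-Origin. The block below is an added example, not code from the original post or from the poster's framework: it shows the server-side half of withCredentials as a small Node.js handler that can stand in for the :8088 API during testing. The allowed origin, the cookie name, the /api/me path and the script filename are assumptions made for the demo.

```javascript
// Added example (not from the original post or the poster's framework):
// the server-side counterpart of `withCredentials = true`. The browser only
// attaches the :8088 cookie to a request made from http://localhost:4200 if
// the request opts in (XHR `withCredentials = true` or fetch
// `credentials: 'include'`) AND the :8088 response opts in with
// Access-Control-Allow-Credentials: true and an explicit, non-wildcard
// Access-Control-Allow-Origin. Origin, cookie name and path are assumptions.
'use strict';

// Only the dev front end origin may send credentialed requests (assumption).
const ALLOWED_ORIGINS = new Set(['http://localhost:4200']);
const SESSION_COOKIE = 'session'; // name of the auth cookie (assumption)

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// CORS headers for a credentialed request from `origin`, or null when the
// origin is not allowed. A wildcard '*' is never emitted: browsers reject
// '*' combined with Allow-Credentials, and it would also hand the API to any
// site. Vary: Origin stops caches from replaying one origin's answer to another.
function corsHeadersFor(origin, preflight) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  const h = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
  if (preflight) {
    h['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    h['Access-Control-Allow-Headers'] = 'Content-Type';
    h['Access-Control-Max-Age'] = '600';
  }
  return h;
}

// Pure request handler returning {status, headers, body} so it can be
// exercised without sockets. Simulates a /api/me endpoint on :8088.
function handle(method, url, origin, cookieHeader) {
  const preflight = method === 'OPTIONS';
  const cors = corsHeadersFor(origin, preflight);
  if (origin && !cors) {
    // Cross-origin request from an unknown origin: answer without any CORS
    // headers, so the browser refuses to expose the response to the page.
    return { status: 403, headers: {}, body: 'origin not allowed' };
  }
  // No Origin header means same-origin or a non-browser client: no CORS needed.
  const headers = Object.assign({ 'Content-Type': 'application/json' }, cors || {});
  if (preflight) return { status: 204, headers, body: '' };
  if (url !== '/api/me') return { status: 404, headers, body: '{"error":"not found"}' };
  const session = parseCookies(cookieHeader)[SESSION_COOKIE];
  if (!session) return { status: 401, headers, body: '{"error":"no session cookie"}' };
  return { status: 200, headers, body: JSON.stringify({ user: 'demo' }) };
}

// Wire the handler to a real HTTP server. Run `node cors-demo.js --serve`
// (hypothetical filename) and point the :4200 app at http://localhost:8088/api/me.
function createApiServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    const r = handle(req.method, req.url, req.headers.origin, req.headers.cookie);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  });
}

// Browser side (not executed here); either form makes the browser send the
// :8088 cookie once the server above opts in:
//   const xhr = new XMLHttpRequest();
//   xhr.withCredentials = true;
//   xhr.open('GET', 'http://localhost:8088/api/me');
//   xhr.send();
//   fetch('http://localhost:8088/api/me', { credentials: 'include' });

if (process.argv.includes('--serve')) createApiServer().listen(8088);
```

A quick way to confirm the opt-in is in place is to watch the :8088 response headers in the browser's network panel: a credentialed request whose response lacks Access-Control-Allow-Credentials: true, or carries Access-Control-Allow-Origin: *, is blocked by the browser even when the cookie was sent.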