Getting HTTP-403 connecting to OHS using CORS

We had a vanilla installation of Oracle HTTP Server (OHS) 12.1.3 and configured it to support CORS. On a new installation of OHS 12.2.1, the same configuration did not work.

What is CORS?

CORS is Cross-Origin Resource Sharing, and you can find an explanation of it here and here.

Essentially, it enables client-side code running in a browser in a particular domain to access resources hosted in another domain in a secure manner. Cross-origin requests are typically not permitted by browsers, and CORS provides a framework in which the server declares, through response headers, which cross-domain requests the browser may treat as same-domain requests.

For example, using CORS, JavaScript embedded in a web page can make an HTTP XMLHttpRequest to a different domain. This is used to send an HTTP or HTTPS request to a web server, and to load the server response data back into the script.

Configuring CORS with Oracle HTTP Server

This is typically done by adding the following to httpd.conf:

Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"

Problem Experienced: HTTP-403

To test whether this is working, run a curl command that sends an OPTIONS request to the service. In our case, even though the above settings were configured, we still received an HTTP-403:

oracle@soadev:/home/oracle> curl -XOPTIONS -I http://soadev:8888/HelloWorld
HTTP/1.1 403 Forbidden
Date: Wed, 26 Feb 2020 23:39:18 GMT
Server: Oracle-HTTP-Server
Content-Length: 236
Content-Type: text/html; charset=iso-8859-1

Resolution

1. Stop OHS:

export WEB_DOMAIN_HOME=/u01/oracle/domains/ohs_domain
$WEB_DOMAIN_HOME/bin/stopComponent.sh ohs1

2. Edit these two files:

vi $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/instances/ohs1/httpd.conf
vi $WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/httpd.conf

3. Comment out these lines, which are included by default in all OHS 12.2.1 installations:

#<IfModule mod_rewrite.c>
#    RewriteEngine on
#    RewriteCond %{REQUEST_METHOD} ^OPTIONS
#    RewriteRule .* . [F]
#</IfModule>

4. Start OHS:

$WEB_DOMAIN_HOME/bin/startComponent.sh ohs1 showErrorStack

5. Repeat this for all nodes in the OHS cluster.

Success!

oracle@soadev:/home/oracle> curl -XOPTIONS -I http://soadev:8888/HelloWorld
HTTP/1.1 200 OK
Date: Wed, 26 Feb 2020 23:42:04 GMT
Server: Oracle-HTTP-Server
Last-Modified: Wed, 26 Feb 2020 16:42:04 MST
X-ORACLE-DMS-ECID: 005bsCap_zu6uHIqyofd6G000EyQ000001
X-ORACLE-DMS-RID: 0:1
Allow: POST,OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type
Transfer-Encoding: chunked
Content-Type: application/vnd.sun.wadl+xml
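
The two curl checks above only show the status line; the following added example (not part of the original post) evaluates a captured OPTIONS response the way a browser evaluates a preflight, using the two responses from this page as abridged sample input. The function names check_preflight, sample_403 and sample_200 and the origin https://app.example.com are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the response headers of an
# OPTIONS request on stdin; $1 is the method the browser wants to send.
# Prints findings and returns 0 only if a browser would accept the preflight.
check_preflight() {
    tr -d '\r' | awk -v want="$1" '
        NR == 1 { status = $2; next }          # e.g. "HTTP/1.1 403 Forbidden"
        {
            i = index($0, ":"); if (i == 0) next
            val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
            hdr[tolower(substr($0, 1, i - 1))] = val
        }
        END {
            rc = 0; want = toupper(want)
            if (status !~ /^2/) { print "FAIL status " status; rc = 1 }
            acao = hdr["access-control-allow-origin"]
            if (acao == "") { print "FAIL no Access-Control-Allow-Origin"; rc = 1 }
            else if (acao == "*") print "WARN Access-Control-Allow-Origin is wildcard"
            # GET, HEAD and POST are CORS-safelisted and need not be listed.
            acam = "," toupper(hdr["access-control-allow-methods"]) ","
            gsub(/[ \t]/, "", acam)
            if (want !~ /^(GET|HEAD|POST)$/ && acam != ",*," &&
                index(acam, "," want ",") == 0) {
                print "FAIL " want " not in Access-Control-Allow-Methods"; rc = 1
            }
            if (rc == 0) print "OK preflight allows " want
            exit rc
        }'
}

# The two responses captured in the post, abridged to the relevant headers.
sample_403() {
    printf '%s\n' 'HTTP/1.1 403 Forbidden' 'Server: Oracle-HTTP-Server'
}
sample_200() {
    printf '%s\n' 'HTTP/1.1 200 OK' 'Allow: POST,OPTIONS' \
        'Access-Control-Allow-Origin: *' \
        'Access-Control-Allow-Headers: Content-Type'
}

sample_403 | check_preflight POST || true
sample_200 | check_preflight POST || true
sample_200 | check_preflight PUT  || true
# Against a live server (hypothetical origin), send what a browser sends:
# curl -s -o /dev/null -D - -X OPTIONS -H 'Origin: https://app.example.com' \
#   -H 'Access-Control-Request-Method: PUT' http://soadev:8888/HelloWorld | check_preflight PUT
```

On the 200 response shown above, the check accepts POST but rejects PUT, because that response carries no Access-Control-Allow-Methods header, and it flags the wildcard origin so it can be reviewed against the set of sites that actually need access.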