We are doing some testing on play framework. I disabled CORS in the conf file
play.filters.disabled += “play.filters.csrf.CSRFFilter”
and when I run curl commands it works. However Chrome sends
Sec-Fetch-Mode: cors and I am unable to set turn it off and Play rejects/does not accept the call. Is there any way to change the configuration to accept the call regardless of what’s passed from the browser ?
You did not disable CORS, you disabled CSRF. If you want to disable the CORS filter use:
play.filters.disabled += "play.filters.cors.CORSFilter"
Or you can completly disable the module(s) as well:
play.modules {
disabled += "play.filters.cors.CORSModule"
// same with CSRF module:
disabled += "play.filters.csrf.CSRFModule"
}
1 Like
Can’t thank you for the help. That works now.
Mean to say Can’t thank you enough - not Can’t thank you 
1 Like
Hi Mathias.
I did the following. I do have a valid certificate - mobile.pm2c.net.
However play complains
Using generated key with self signed certificate for HTTPS. This should NOT be used in production.
How do I fix this ?
Thank you
Where do you have this certificate? I mean did you configure Play to use it or is there nginx or something in between?
How do you run Play? Are you sure you run it in production mode
Hi Matthias,
AWS issued the certificate. If I use curl commands or in the browser it works. We are working with an external provider. They are using react local server.
The command I am using is
mobile-1.0/bin/mobile -Dhttps.port=443 -Dconfig.file=mobile-1.0/conf/application.conf -Dlogger.resource=logback.xml -Duser.timezone=GMT > app.out &
application.conf has the following related to CORS …
play.filters.hosts.allowed = ["."]
disable csrf for curl testing
play.filters.disabled += “play.filters.csrf.CSRFFilter”
play.filters.disabled += “play.filters.cors.CORSFilter”
play.http.secret.key= …
Thank you
Hi Mathias
AWS issued the certificate for pm2.net and we are using a load balancer. I see the following message in the backend with logging turned on
Using generated key with self signed certificate for HTTPS. This should NOT be used in production.
2021-05-11 07:26:33,144 - [INFO] - from play.core.server.AkkaHttpServer in main
Enabling HTTP/2 on Akka HTTP server…
2021-05-11 07:26:33,147 - [INFO] - from play.core.server.AkkaHttpServer in main
Listening for HTTP on /0:0:0:0:0:0:0:0:9000
2021-05-11 07:26:33,150 - [INFO] - from play.core.server.AkkaHttpServer in main
Listening for HTTPS on /0:0:0:0:0:0:0:0:443
Seems like play server is using a “self generated key” How do I make it to use the production SSL certificate we have from AWS ?
Thank you
Looking at play documentation I see the following at
https://www.playframework.com/documentation/2.4.x/ConfiguringHttps
Seems to suggest
- play.server.https.keyStore.path - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you
-
play.server.https.keyStore.type - The key store type, defaults to
JKS - play.server.https.keyStore.password - The password, defaults to a blank password
- play.server.https.keyStore.algorithm - The key store algorithm, defaults to the platforms default algorithm
Is this the issue ? If so how should add these conf file ?
Thank you.
I ran the command I saw on your website
openssl s_client -showcerts -connect mobile.pm2c.net:443
and I see a response something like …
C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
Seems like a valid SSL certificate. How do I make Play server us it ?
Thank you
Thank you.
Hi Mathias
seems like whitelisting one URL from the same client is working. Isn’t whitelist for the client as a whole instead of a particular URL ?
Hi Mathias,
Here’s what we ended up adding in application.log in addition to filter and login works.
play.filters.cors.allowedOrigins = [“http://localhost:3000”]
play.filters.cors.pathPrefixes=["/api/v1/advertisers/login"]
play.filters.disabled += “play.filters.csrf.CSRFFilter”
play.filters.disabled += "play.filters.cors.CORSFilter
Any ideas as to why this works ? I don’t see why
play.filters.cors.allowedOrigins = [“http://localhost:3000”]
this makes a difference we can remove it. Do you know why we need to whitelist the Origins ?