WSO2 APIM returns "Invalid CORS request" on PUT request - PullRequest
1 vote
/ June 27, 2019

"Invalid CORS request" is observed only on the PUT request when there is an Origin header. It works fine on all other verbs, e.g. GET.

Enabled using the wiki: Enabling CORS for APIs, and also at the API level: /usr/lib64/wso2/wso2am/2.6.0/repository/deployment/server/synapse-configs/default/api/admin--Restricted_v1.0.0.xml

PUT API:

curl -v 'https://api.mycompany.com/restricted/1.0.0/A/ba56bf80-9678-11e9-8508-0242ac110003' -XPUT -H 'Accept: application/json, text/plain, */*' -H 'Referer : http://local.mycompany.com:4200/B/' -H 'Origin : http://local.mycompany.com:4200' -H "Authorization : Bearer <WSO2_ACCESS_TOKEN>" -H "MYCOMPANY_AUTH : <CUSTOM_AUTH_TOKEN>" -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36' -H 'Content-Type: text/plain' --data-binary '{"ruleId":"ba56bf80-9678-11e9-8508-0242ac110003","created":"2019-06-24T15:43:53.289Z","context":"TM","version":3,"name":"e2e-testing-rule","author":"System Admin","description":"some description","expression":"a>b","category":"ABC","score":"121","labels":["1","2","3"]}' --compressed

RESPONSE: Invalid CORS request

RESPONSE HEADERS:

* We are completely uploaded and fine
< HTTP/2 403 
< date: Thu, 27 Jun 2019 04:43:34 GMT
< content-type: application/octet-stream
< x-frame-options: DENY
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< access-control-allow-origin: *
< access-control-allow-methods: PUT
< x-content-type-options: nosniff
< vary: Access-Control-Request-Headers
< vary: Access-Control-Request-Method
< vary: Origin
< expires: 0
< pragma: no-cache
< x-xss-protection: 1; mode=block
< access-control-allow-headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,mycompany_auth,Accept-Encoding,Host,Content-Length,accept,referer,origin,user-agent,content-type

GET API:

curl -v -H "accept: */*" -H "Authorization : Bearer <WSO2_ACCESS_TOKEN>" -H "MYCOMPANY_AUTH : <CUSTOM_AUTH_TOKEN>" -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36' -H 'Content-Type: text/plain' https://api.mycompany.com/restricted/1.0.0/A/ba56bf80-9678-11e9-8508-0242ac110003 | jq .

RESPONSE: valid JSON response

RESPONSE HEADERS:

* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200 
< date: Thu, 27 Jun 2019 04:38:50 GMT
< content-type: application/hal+json;charset=UTF-8
< x-frame-options: DENY
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< access-control-allow-origin: *
< access-control-allow-methods: GET
< x-content-type-options: nosniff
< vary: Access-Control-Request-Headers
< vary: Access-Control-Request-Method
< vary: Origin
< expires: 0
< pragma: no-cache
< x-xss-protection: 1; mode=block
< access-control-allow-headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,mycompany_auth,Accept-Encoding,Host,Content-Length,accept,referer,origin,user-agent,content-type

Since the GET calls work, it is not clear what was missed in the PUT call! Any pointers?
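
One way to read the two captures above side by side, as an added example that is not part of the original post: it parses the "< " lines of curl -v output and compares the advertised CORS headers with the status actually returned, given the method and Origin that were sent. The helper names are hypothetical, and the captures are trimmed to the status line and CORS headers.

```python
# Added example. The response lines are copied from the two curl -v captures
# in the post, trimmed to status and CORS headers; function names are hypothetical.
PUT_CAPTURE = """\
< HTTP/2 403
< access-control-allow-origin: *
< access-control-allow-methods: PUT
< vary: Origin
"""
GET_CAPTURE = """\
< HTTP/2 200
< access-control-allow-origin: *
< access-control-allow-methods: GET
< vary: Origin
"""

def parse_capture(text):
    """Return (status, headers) from the '< ' lines of curl -v output."""
    status, headers = None, {}
    for line in text.splitlines():
        if not line.startswith("< "):
            continue                      # skip curl's own '*' and '>' lines
        line = line[2:].strip()
        if line.upper().startswith("HTTP/"):
            status = int(line.split()[1])
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def assess(method, origin, capture):
    """Compare the advertised CORS policy with the status that came back."""
    status, headers = parse_capture(capture)
    if origin is None:
        return "not-a-cors-request"       # no Origin header was sent
    allowed_origins = headers.get("access-control-allow-origin", [])
    allowed_methods = [m.strip().upper()
                       for value in headers.get("access-control-allow-methods", [])
                       for m in value.split(",")]
    advertised_ok = (("*" in allowed_origins or origin in allowed_origins)
                     and method.upper() in allowed_methods)
    if advertised_ok and status == 403:
        # Headers say the request is allowed, yet it was refused.
        return "rejected-despite-permissive-headers"
    return "allowed" if advertised_ok else "not-permitted-by-advertised-policy"

if __name__ == "__main__":
    print(assess("PUT", "http://local.mycompany.com:4200", PUT_CAPTURE))
    print(assess("GET", None, GET_CAPTURE))
```

For the captures in the post, the PUT comes back as rejected-despite-permissive-headers, and the GET as not-a-cors-request because that curl command sent no Origin header.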

...