Four Stars

CORS preflight on REST service with HTTP basic authentication enabled

I have a REST service with basic HTTP authentication enabled and I want to access it from the browser (I tried using javascript XMLHttpRequest), but when I send a GET to the resource setting the authorization header it does first a preflight request with an OPTIONS verb that waits for a response with the header "Access-Control-Allow-Headers"  (among others) containing "Authorization" as one of the headers allowed for the GET verb.

I saw this post on previous talend forum suggesting to implement an OPTIONS verb with the same URI as GET and with these headers in the response. I have tested it successfully with basic HTTP authentication disabled (I simulated setting a different header on GET verb since authentication was disabled and it also sent the OPTIONS preflight). However, when I enable HTTP authentication again it is also applied to the OPTIONS verb and the authorization header is required for OPTIONS verb also, driving into a HTTP 401 Unauthorized error.


There is this JIRA ticket already opened for implementing CORS on tRestRequest. Is it related to this issue?

If so and while it is not solved, Is there any known workaround to access from the browser a REST service with HTTP authentication enabled?


Thanks in advance.


Best regards,



Re: CORS preflight on REST service with HTTP basic authentication enabled



This jira issue is about cross-origin resource sharing. During the pre-flight (OPTIONS) the browser is not using authentication.

This issue is still in process and we will keep you posted.

Best regards


Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.