KB-1011 "CORS origin denied <host> not on allowed list" error thrown when attempting to access Appian through a web server

Symptoms

When attempting to access Appian, users may find that their site, or parts of it, does not work because Cross-Origin Resource Sharing (CORS) requests are rejected. When using Apache web server configured with SSL and JBoss, users may be shown a 401 error page whenever they attempt to log in to their Appian site on Chrome. In some scenarios, popups may not show when attempting to open objects in the Designer interface (/designer). CORS requests can also be rejected if SAML authentication is enabled but the IdP is not added to the Appian CORS origin list.

Relevant errors found in the application server log following the main error are given below:

INFO  [stdout] (ajp-/0.0.0.0:8009-1) javax.servlet.ServletException: CORS origin denied mycomputer.mydomain.com not on allowed list:[]
INFO  [stdout] (ajp-/0.0.0.0:8009-1)   at com.appiancorp.security.cors.CorsFilter.handleNormalRequest(CorsFilter.java:258)
INFO  [stdout] (ajp-/0.0.0.0:8009-1)   at com.appiancorp.security.cors.CorsFilter.doFilter(CorsFilter.java:249)

Cause

Each web browser has its own implementation and security layer. When the context/domain changes at some point during the normal operation of the browser, Chrome detects the change as a security issue and fails to display content. Other browsers do not have constraints as strict as this, although any CORS-enabled browser is capable of throwing this error given the appropriate conditions.

For more information about CORS, refer to Telerik's article on CORS.

Action

CORS request rejections most commonly occur due to improper configuration of the custom.properties file and CORS origins.

  • Check the custom.properties file and make sure the conf.suite.SCHEME line matches the appropriate scheme (HTTP if not using SSL, HTTPS if using SSL) and the conf.suite.SERVER_AND_PORT line matches the computer’s hostname and includes a port if not using port 80 for HTTP or port 443 for HTTPS.
    Note: Do not add port 80 or port 443 to conf.suite.SERVER_AND_PORT as the port number is assumed to be either 80 or 443 based on the value of conf.suite.SCHEME.
  • Make sure all relevant origins are added to the Appian CORS origin list, and that any web server in use is configured to handle CORS requests.
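
The checks above can be scripted. The following Python sketch is an added example, not Appian code: it validates the two custom.properties settings named in this article and extracts the denied host and the allowed list from a "CORS origin denied" log line. The sample inputs are constructed, and the comma-separated format of a non-empty allowed list is an assumption.

```python
import re

# Constructed sample inputs for illustration, not from a real installation.
SAMPLE_PROPS = """\
conf.suite.SCHEME=https
conf.suite.SERVER_AND_PORT=mycomputer.mydomain.com:443
"""
SAMPLE_LOG = ("INFO  [stdout] (ajp-/0.0.0.0:8009-1) javax.servlet.ServletException: "
              "CORS origin denied mycomputer.mydomain.com not on allowed list:[]")

def parse_props(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_suite_settings(props):
    """Return findings for the two settings this article says to check."""
    findings = []
    scheme = props.get("conf.suite.SCHEME", "").lower()
    server = props.get("conf.suite.SERVER_AND_PORT", "")
    if scheme not in ("http", "https"):
        findings.append("conf.suite.SCHEME must be http or https")
    if not server:
        findings.append("conf.suite.SERVER_AND_PORT is not set")
    port = server.rpartition(":")[2] if ":" in server else ""
    if port in ("80", "443"):
        # Per the article's note: the default port is implied by the scheme.
        findings.append(f"remove :{port} from conf.suite.SERVER_AND_PORT")
    return findings

def parse_cors_denial(log_line):
    """Return (denied_host, allowed_list) from a 'CORS origin denied' line, or None."""
    m = re.search(r"CORS origin denied (\S+) not on allowed list:\[(.*?)\]", log_line)
    if not m:
        return None
    # Assumption: a non-empty list is printed as comma-separated entries.
    allowed = [o.strip() for o in m.group(2).split(",") if o.strip()]
    return m.group(1), allowed

if __name__ == "__main__":
    print(check_suite_settings(parse_props(SAMPLE_PROPS)))
    print(parse_cors_denial(SAMPLE_LOG))
```

An empty allowed list in the log line, as in the sample, means no origins were configured at all; a non-empty list that lacks the denied host points to a missing entry instead.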

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: February 2017
