Forum Stats

  • 3,873,041 Users
  • 2,266,499 Discussions


Oracle Jet Call Authenticated ADF Rest Using Ajax CORS ERROR

I have two applications

1- ADF BC Rest Services Application and ADF Security is applied,

2- Oracle JET Application

I have called a login service from adf app using username and password and it returns JSESSIONID, which i saved on cookie to use it again to call rest services without username and password.

i used this ajax call on the second call :


        type: "GET",

        url: "",

        contentType: "application/",

        crossDomain: true,

        headers: {

          "Cookie": "JSESSIONID=" + app.getCookie("SID"),


        success: function (data) {



        error: function (xhrtextStatuserrorThrown) {




But it returns these errors:

  • Refused to set unsafe header "Cookie"
  • has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

I have enabling cors on adf web.xml.

So i Don't know how to solve this.

I just need to know how call authenticated rest using jsessionid ?



  • DaveArch
    DaveArch Member Posts: 125 Red Ribbon

    You will need to try a couple of things and also, browser providers have recently tightened up on cross-site scripting so you may have to also implement a tighter solution in your ADF back-end:

    In your AJAX call, try adding

    xhrFields: {
                'withCredentials': true

    This will ensure the browser posts the cookies even though it's cross site.

    In addition, If you are using a JET component that queries the data for you, you can override the JET ajax function to pass the credentials.

          oj.ajax = function (ajaxOptions) {
            // DA: Set the withCredentials attribute so that the cookie gets sent with the request for the domain
            // in a cross-site scenario. This is for when we develop and the source domain is localhost and the services
            // are running
            ajaxOptions.xhrFields = {
              'withCredentials': true
            // DA: Chrome going to implement tighter restrictions around cross-origin requests in Apr-2020
            //     Currently a warning is shown in Chrome when accessing REST end-points:
            //     "A cookie associated with a cross-site resource at http://<host>/ was set without the `SameSite` attribute."
            //     Going to have to deal with this at some point.  Will involve sending back samesite attribute from CORS filter
            // Move on to normal jQuery ajax() call
            return $.ajax(ajaxOptions);

    Note my comments above about tightening up of browser security so depending on what browser version you are using the browser may still refuse the server response if it is not correct.

    Following this, if you have confirmed the JSESSION id cookie is being sent in the request, and your CORS filter in your ADF app is adding the correct cross-site headers in the response and the browser is still blocking the resource, you will need to change your CORS filter to include the same-site headers to cater for the recent change in browser security.

    For development purposes, some browsers allow you to turn off same-site checking for CSS however I would not recommend this unless you are working in a controlled environment and know what you are doing.

    John 'JB' Brock-Oracle