Wojtek Wysocki

Reputation: 488

Add headers to oauth/token response (spring-security)

I would like to add custom headers to the OAuth2 token response for my Spring application. Specifically, it involves CORS headers, i.e. Access-Control-Allow-Origin... I have managed to add them to 401 responses but have had no luck with 200 ones.

I have looked everywhere and debugged the project with no result. I have tried adding those headers through an interceptor, but the response still does not contain them. Any ideas?

I'm using Spring Security with annotation configuration.

I have asked a similar question here: Allow OPTIONS HTTP Method for oauth/token request, where you can check my Spring configuration.

Upvotes: 0

Views: 5573

Answers (2)

Michael K.

Reputation: 2412

Use this CORS filter (or maybe it works if you add the last lines of my version to your version) and you don't have the problem you mention in your other linked post!

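import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

// Registered with the highest precedence so it runs before the Spring Security filter chain
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {

    public SimpleCorsFilter() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        // CORS headers are set on every response, whatever its status code
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            // Answer OPTIONS here; the request is not passed further down the chain
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

}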

Upvotes: 3

Wojtek Wysocki

Reputation: 488

It turned out I was using the wrong method in my interceptor.

For anyone interested, my working code is as follows:

return new AuthorizationServerConfigurer() {
    ...
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        ...
        endpoints.addInterceptor(new HandlerInterceptorAdapter() {

            // preHandle runs before the token endpoint handler writes the response
            @Override
            public boolean preHandle(HttpServletRequest hsr, HttpServletResponse rs, Object o) throws Exception {
                rs.setHeader("Access-Control-Allow-Origin", "*");
                rs.setHeader("Access-Control-Allow-Methods", "GET");
                rs.setHeader("Access-Control-Max-Age", "3600");
                rs.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");
                return true;
            }
        });
    }
};

Upvotes: 1
