Reputation: 10790
Origin header value not allowed. Even though URL is allowed
I've looked at other questions on the site similar to this and despite doing those resolutions, my issue remains the same.
Side note, I also tried setHeader(clientOrigin)
I am using Spring Boot v1.2.7.RELEASE and The Spring Console is what is telling me that Origin Header Value not allowed. My client returns with a 403 forbidden.
CorsFilter
package app.config;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
@Component
public class CorsFilter implements Filter {
private final Logger log = LoggerFactory.getLogger(CorsFilter.class);
public CorsFilter() {
log.info("SimpleCORSFilter init");
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
String clientOrigin = request.getHeader("origin");
response.addHeader("Access-Control-Allow-Origin", clientOrigin);
response.setHeader("Access-Control-Allow-Methods", "POST, GET, DELETE, PUT");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Accept, Content-Type, Origin, Authorization, X-Auth-Token");
response.addHeader("Access-Control-Expose-Headers", "X-Auth-Token");
if (request.getMethod().equals("OPTIONS")) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
chain.doFilter(request, response);
}
}
@Override
public void init(FilterConfig filterConfig) {
}
@Override
public void destroy() {
}
}
Request Header
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:JSESSIONID=BDD1655C91FD8DD73A8A0B021BFFC0E7
Host:192.168.1.66:8080
Origin:http://192.168.1.66:8105
Referer:http://192.168.1.66:8105/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Response Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Accept, Content-Type, Origin, Authorization, X-Auth-Token
Access-Control-Allow-Methods:POST, GET, DELETE, PUT
Access-Control-Allow-Origin:http://192.168.1.66:8105
Access-Control-Expose-Headers:X-Auth-Token
Access-Control-Max-Age:3600
Cache-Control:no-store, no-cache, must-revalidate, max-age=0
Content-Length:0
Date:Sat, 28 Nov 2015 23:49:56 GMT
Server:Apache-Coyote/1.1
The call I am trying to make is a SocketJS call and its a get call. The following script is being called.
var socket = new SockJS($scope.siteUrl+'/connect?TOKEN='+$localstorage.get('X-AUTH-TOKEN-TRIVIA'));
$scope.stompClient = Stomp.over(socket);
$scope.stompClient.connect({"Authorization":"TOKEN" }, function(frame) {
console.log('Connected: ' + frame);
stompClient.subscribe($scope.siteUrl+'/socketupdate', function(greeting){
$scope.activegame = JSON.parse(greeting.body).content;
});
});
As you can see, I am passing the token as a query string because for some strange reason SocketJS does not allow me to pass the X-AUTH-TOKEN via header.
My client server is however on a different port. I am building an app utilizing ionic which is a angular based framework.
I notice that the error comes from my WebSocketService
2015-11-29 03:22:32.417 WARN 33932 --- [nio-8080-exec-1] o.s.w.s.s.t.h.DefaultSockJsService : Origin header value 'http://192.168.1.66:8105' not allowed.
would this mean I have to set something in the WebSocketConfig that will accept this ??
Upvotes: 8
Views: 9572
Answers (3)
Reputation: 131
It's .setAllowedOriginPatterns("*") instead of .setAllowedOrigins("*") in Spring 5+ versions.. (I don't know when it was changed)
Upvotes: 3
Reputation: 21
Something I just found and I thought it might help someone. Your url must NOT have a "/" at the end.
@Override
public void registerStompEndpoints(StompEndpointRegistry registry) {
registry.addEndpoint("/chat")
.setAllowedOrigins("https://somewebsite.com/")
.withSockJS();
}
Doesn't work.
@Override
public void registerStompEndpoints(StompEndpointRegistry registry) {
registry.addEndpoint("/chat")
.setAllowedOrigins("https://somewebsite.com")
.withSockJS();
}
Works.
Upvotes: 2
Reputation: 191
in your WebsocketConfig.java
@Override
public void registerStompEndpoints(StompEndpointRegistry stompEndpointRegistry) {
stompEndpointRegistry.addEndpoint("/ws").setAllowedOrigins("*").withSockJS();
}
notice:
.setAllowedOrigins("*")
Upvotes: 19
Related Questions
- @CrossOrigin not working Spring Boot. How can I fix It?
- Use Spring Gateway and getting error: 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed
- Getting error: 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed
- Java - Spring Boot: Access-Control- Allow-Origin not working
- 'Access-Control-Allow-Origin' with spring boot
- Spring Boot + Security: No Access-Control-Allow-Origin header when setting allowed origins
- How to allow cross origin request with java spring
- Java Spring: No 'Access-Control-Allow-Origin' header is present on the requested resource
- @CrossOrigin not adding Access-Control-Allow-Origin Header
- No 'Access-Control-Allow-Origin' header is present on the requested resource.