jvence

Reputation: 417

Unauthorized Error when using jHipster oAuth despite CORS

I am running a jHipster instance with oAuth authentication and CORS enabled on the server. I've added the following bean:

import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Bean
public CorsFilter corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    // Any origin, any request header, with credentials (cookies/Authorization) allowed
    config.setAllowCredentials(true);
    config.addAllowedOrigin("*");
    config.addAllowedHeader("*");
    config.setAllowedMethods(Arrays.asList("GET", "PUT", "POST", "DELETE", "OPTIONS"));
    // Apply the same CORS policy to the REST API, the Swagger docs and the OAuth endpoints
    source.registerCorsConfiguration("/api/**", config);
    source.registerCorsConfiguration("/v2/api-docs", config);
    source.registerCorsConfiguration("/oauth/**", config);
    return new CorsFilter(source);
}

and added .antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll() to ResourceServerConfiguration configuration.

When I attempt to authenticate a user (using jHipster running on a server) from an app running locally on a browser, I get: Request Method:OPTIONS - Status Code:401 Unauthorized

It seems CORS is not configured properly to handle pre-flight authentication POST requests.

I've tried to implement some solutions proposed at Spring Data Rest and Cors and Spring Data Rest and Cors to no avail.

Is this something specific that can be done in jHipster to enable authentication to work from a browser or app (not running on the jHipster server)?

Upvotes: 3

Views: 1378

Answers (1)

i_raqz

Reputation: 2959

I uncommented the CORS lines:

cors: #By default CORS are not enabled. Uncomment to enable.
    allowed-origins: "*"
    allowed-methods: GET, PUT, POST, DELETE, OPTIONS
    allowed-headers: "*"
    exposed-headers:
    allow-credentials: true
    max-age: 1800

Added in SecurityConfiguration:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
        // added: every OPTIONS (CORS preflight) request bypasses the security filter chain
        .antMatchers(HttpMethod.OPTIONS, "/**")
        .antMatchers("/scripts/**/*.{js,html}")
        .antMatchers("/bower_components/**")
        .antMatchers("/i18n/**")
        .antMatchers("/assets/**")
        .antMatchers("/swagger-ui/index.html")
        .antMatchers("/api/register")
        .antMatchers("/api/activate")
        .antMatchers("/api/login/**")
        .antMatchers("/api/account/reset_password/init")
        .antMatchers("/api/account/reset_password/finish")
        .antMatchers("/test/**");
}

And it has been working so far.

Upvotes: 5
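To make the preflight behaviour behind the question and the answer concrete, here is an added illustration (editor's example, not jHipster or Spring code): a minimal evaluator that takes the answer's cors: block and a constructed OPTIONS /oauth/token preflight from a locally running app, and produces the response a correctly placed CORS filter must send before any authentication check runs. The config dict, the origin http://localhost:9000 and the 403 for rejected preflights are assumptions chosen for the example.

```python
"""Minimal CORS preflight evaluator (added illustration, not jHipster code)."""

# The answer's YAML cors: block, transcribed into a dict (constructed input).
CORS_CONFIG = {
    "allowed-origins": "*",
    "allowed-methods": ["GET", "PUT", "POST", "DELETE", "OPTIONS"],
    "allowed-headers": "*",
    "allow-credentials": True,
    "max-age": 1800,
}


def preflight(config, origin, request_method, request_headers):
    """Return (status, response_headers) for an OPTIONS preflight.

    A preflight never carries credentials, so it must be answered before the
    authentication filters run; if a 401 comes back (the symptom in the
    question) the browser never sends the real POST /oauth/token."""
    allowed_origins = config["allowed-origins"]
    allowed_headers = config["allowed-headers"]
    creds = bool(config["allow-credentials"])
    origin_ok = allowed_origins == "*" or origin in allowed_origins
    method_ok = request_method.upper() in config["allowed-methods"]
    headers_ok = allowed_headers == "*" or all(
        h.lower() in [a.lower() for a in allowed_headers] for h in request_headers)
    if not (origin_ok and method_ok and headers_ok):
        # Rejected preflight: no CORS headers, so the browser blocks the call
        # (status 403 is an assumption; Spring's CorsFilter also uses 403).
        return 403, {}
    # Browsers refuse a literal "*" when credentials are allowed, so the
    # concrete Origin (and the requested headers) must be echoed instead.
    if allowed_origins == "*" and not creds:
        allow_origin = "*"
    else:
        allow_origin = origin
    if allowed_headers == "*":
        allow_headers = ", ".join(request_headers)
    else:
        allow_headers = ", ".join(allowed_headers)
    response = {
        "Access-Control-Allow-Origin": allow_origin,
        "Access-Control-Allow-Methods": ", ".join(config["allowed-methods"]),
        "Access-Control-Allow-Headers": allow_headers,
        "Access-Control-Max-Age": str(config["max-age"]),
        "Vary": "Origin",  # response depends on Origin, so caches must key on it
    }
    if creds:
        response["Access-Control-Allow-Credentials"] = "true"
    return 200, response
```

Note that the answer's combination of allowed-origins "*" with allow-credentials true means any site the user visits can make credentialed calls to the API; the example shows why the filter must echo the origin, and tightening allowed-origins to the app's real origin removes that exposure.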
