Reputation: 12181
Spring 4/5 global CORS configuration doesn't work giving `No 'Access-Control-Allow-Origin' header is present on the requested resource`
I am trying to login through http://localhost:3000 using HTTP `POST.
I am getting the following:
XMLHttpRequest cannot load http://localhost:8080/api/auth/login. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.
I have configured my Spring 5.0.0.M4 and Spring-Security 4.2.1.RELEASE application like that:
@SpringBootApplication
public class SpringBootApp extends WebMvcConfigurerAdapter {
private boolean workOffline = true;
private boolean setupSchema = false;
private IGraphService graphService;
private DbC conf;
@Autowired
public SpringBootApp(IGraphService graphService, DbC conf)
{
this.graphService = graphService;
this.conf = conf;
}
public static void main(String[] args) throws Exception {
SpringApplication.run(SpringBootApp.class, args);
}
@Bean
public Filter caseInsensitiveRequestFilter() {
return new CaseInsensitiveRequestFilter();
}
@Override
public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
configurer.enable();
}
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("http://localhost:3000")
.allowedMethods("GET", "PUT", "POST", "DELETE","OPTIONS");
}
@Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("http://localhost:3000");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
}
I don't understand why global CORS configuration doesn't work even if it seems to be configured correctly.
I have attached the console and network tabs:
Upvotes: 2
Views: 2418
Answers (1)
Reputation: 12181
With help from dur . I spotted that http://github.com/svlada/springboot-security-jwt had added a WebSecurityConfig that was overriding my spring boot application configuration.
In the configure section of WebSecurityConfig I added cors() before anything else as following:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors()
.and()
.csrf().disable() // We don't need CSRF for JWT based authentication
.exceptionHandling()
.authenticationEntryPoint(this.authenticationEntryPoint)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll() // Login end-point
.antMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll() // Token refresh end-point
.antMatchers("/console").permitAll() // H2 Console Dash-board - only for testing
.and()
.authorizeRequests()
.antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated() // Protected API End-points
.and()
.addFilterBefore(buildAjaxLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(buildJwtTokenAuthenticationProcessingFilter(), UsernamePasswordAuthenticationFilter.class);
}
Then I was getting an error for the corsFilter. The Bean needs to be of type CorsFilter but for me it was FilterRegistrationBean.
So I converted the Bean in my @SpringBootApplication class from
@Bean
public FilterRegistrationBean corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("http://localhost:3000");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
bean.setOrder(0);
return bean;
}
to:
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("http://localhost:3000");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
return new CorsFilter(source);
}
I also removed
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("http://localhost:3000")
.allowedMethods("GET", "PUT", "POST", "DELETE","OPTIONS");
}
I might have to move those configurations to a single place - favorably removing WebSecurityConfig altogether
Upvotes: 10
Related Questions
- Spring CORS No 'Access-Control-Allow-Origin' header is present
- Reason: CORS header ‘Access-Control-Allow-Origin’ missing / Spring Boot
- Spring Access-Control-Allow-Origins is not returned in the responses
- Spring Security CORS: Origin has been blocked by CORS Policy
- Header Access-Control-Allow-Origin:* not working properly on Spring MVC
- global cors configuration does not work in spring boot but indivisual @CrossOrigins work
- No 'Access-Control-Allow-Origin' header is present on the requested resource (Spring)
- CORS Spring Security configuration - 404 No 'Access-Control-Allow-Origin' header is present on the requested resource
- Spring Boot + Security: No Access-Control-Allow-Origin header when setting allowed origins
- Access-Control-Allow-Origin header not found after CORS filter added