DELETE method CORS issue in REST controller

Question

I have some REST endpoints in my project which I call from a client application in another server. I have successfully disabled CORS using the @CrossOrigin annotation, and all the methods work fine except the DELETE method which throws the following error on Chrome:

XMLHttpRequest cannot load http://localhost:8856/robotpart/1291542214/compatibilities. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:8888' is therefore not allowed access. The response had HTTP status code 403.

Here is my controller:

@CrossOrigin(origins = "*")
@ExposesResourceFor(RobotPart.class)
public class RobotPartController {
    // All endpoints are working except the DELETE mapping

    @GetMapping("/robotpart")
    public ResponseEntity<List<RobotPartResource>> listAllParts() {
        //..
    }

    @GetMapping("/robotpart/{id}")
    public ResponseEntity<RobotPartResource> getById(@PathVariable Integer id) {
        //..
    }

    @GetMapping("/robotpart/{id}/compatibilities")
    public ResponseEntity<Collection<RobotPartResource>> getRobotCompatibilities(@PathVariable Integer id) {
        //..
    }

    @PostMapping("/robotpart")
    public ResponseEntity<RobotPartResource> getById(@RequestBody @Valid RobotPart newRobot) {
        //..
    }

    @PutMapping("/robotpart/{id}")
    public ResponseEntity<RobotPartResource> modify(@PathVariable Integer id, @Valid @RequestBody RobotPart newRobot) {
        //...
    }

    @DeleteMapping("/robotpart/{id}")
    public ResponseEntity<RobotPart> deleteById(@PathVariable Integer id) {
        //...
    }
}

Any way around it?

Answer 1

Some of the previous answers have been very helpful, however, in my case (spring boot 2.7.4) I had to configure cors like this:

import static org.springframework.http.HttpMethod.*;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.*;

@Configuration
@EnableWebMvc
public class CorsConfiguration implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry
                .addMapping("/**")
                .allowedMethods(
                        GET.name(),
                        POST.name(),
                        PUT.name(),
                        DELETE.name()
                );
    }
}

Answer 2

I found a solution, after analyzing HTTP requests, I noticed that the Access-Control-Allow-Methods header was missing the DELETE method, so I have added it by delete the @CrossOrigin annotation, and adding this bean to the configuration:

@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurerAdapter() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry
                .addMapping("/robotpart/**")
                .allowedOrigins("*")
                .allowedMethods("GET", "POST", "PUT", "DELETE");
        }
    };
}

Answer 3

This is my CORS configuration, it may be helpful to somebody

@Bean
CorsConfigurationSource corsConfigurationSource() {
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

    CorsConfiguration corsConfiguration = new CorsConfiguration().applyPermitDefaultValues();
    corsConfiguration.addAllowedMethod(HttpMethod.DELETE);
    corsConfiguration.addAllowedMethod(HttpMethod.PATCH);
    source.registerCorsConfiguration("/**", corsConfiguration);

    return source;
}

Answer 4

Adding to the answers above, the reason why disabling CORS won't work for DELETE (but works for GET and POST) is that this is the default behavior for the WebMvcConfigurer as stated here (highlighted in yellow):