Chad Van De Hey

Reputation: 2911

Java Spring: No 'Access-Control-Allow-Origin' header is present on the requested resource

I am trying to hack around on a project that requires CORS. When I request the Java Spring Rest API, I receive:

No 'Access-Control-Allow-Origin' header is present on the requested resource

My stack is quite simple. I am using Java Spring with Tomcat. On the front end, I am making the request with jQuery.

I do not see any logs from Spring regarding this and haven't seen any action in the threads shown in the debugger for the Java Spring application (making it really hard to debug where this is being blocked).

As far as my Spring resource class, I've included the cross-origin annotation (@CrossOrigin()) on top of the class. I've also tried putting that same annotation on the methods for the resource as well (without any luck). As a long shot, I also tried putting in some configuration within a new web.xml file to configure a CORS filter the old-fashioned way:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>
    <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.preflight.maxage</param-name>
        <param-value>10</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The last detail that I would like to add is that when I make a non-CORS request to the previously mentioned APIs (with CORS annotations on them), I do not see any headers returned that are related to allowing all or any specific origin. This makes me wonder if the annotations are being blocked by something.

I realize that without much code and logs, the community can't really help me. I am asking for guidance on how I can debug this. Thank you for helping!

Upvotes: 2

Views: 8557

Answers (2)

Jayesh

Reputation: 999

A Spring version conflict is causing this for you. You may want to check the versions. If versions are not an issue, add a class like this.

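import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;

@Component
public class MyCORSFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Echoes the caller's Origin header back, so every origin is allowed, with credentials.
        response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me");
        // Always continues down the chain, including for OPTIONS preflight requests.
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No initialisation needed.
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

}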

Upvotes: 2
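
A filter that echoes whatever Origin arrives while also sending Access-Control-Allow-Credentials: true lets any site read authenticated responses in the user's browser; the variant below, an added example that is not part of the answer above or of any project's code, echoes the origin only when it is on a fixed allowlist, sets Vary: Origin, and answers the OPTIONS preflight itself. Assumptions: Spring Boot registers Filter beans automatically, the javax.servlet API is in use (swap to jakarta.servlet on Spring 6), and the class name and the origins in ALLOWED_ORIGINS are hypothetical placeholders.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // run before auth filters so preflights are answered here
public class AllowlistCorsFilter extends OncePerRequestFilter {

    // Hypothetical front-end origins (exact scheme + host + port); replace with the real ones.
    private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(Arrays.asList(
            "https://app.example.com", "http://localhost:3000"));

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws IOException, ServletException {
        String origin = request.getHeader("Origin");
        // The response differs per origin, so shared caches must key on the Origin header.
        response.addHeader("Vary", "Origin");

        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");

            boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                    && request.getHeader("Access-Control-Request-Method") != null;
            if (preflight) {
                response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
                response.setHeader("Access-Control-Allow-Headers",
                        "Content-Type, Accept, X-Requested-With, remember-me");
                response.setHeader("Access-Control-Max-Age", "3600");
                response.setStatus(HttpServletResponse.SC_OK);
                return; // preflight answered; the controller is not invoked
            }
        }
        // Absent or unlisted Origin: no CORS headers are added, so the browser blocks the read.
        chain.doFilter(request, response);
    }
}
```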

finqq

Reputation: 76

There is a simpler way to verify. You can use Postman or open the F12 developer tools to see the response body of the request (a non-CORS request). If the response header has access-control-allow-origin:*, it means the setting is successful. Then check if there is an OPTIONS request, because the browser will not send the request directly, but will send an OPTIONS request to see if the site supports CORS. If the OPTIONS request is indeed sent and the response code of this request is not 200, it will cause CORS failure, so you only need to respond to this OPTIONS request correctly.

Upvotes: 0
