JAX-RX - Blocked by CORS policy: Method PATCH is not allowed by Access-Control-Allow-Methods in preflight response

Question

I am using Spring boot with Jersey 2.1

and Ionic to develop an App, I've tried every single post I've found but none solved this problem for me the error I am getting, including those which say about creating the @PATCH interface annotation yourself.

So, the thing is I am getting this error on the client side when testing on the browser when doing a PATCH request:

Access to XMLHttpRequest at '' from origin 'http://localhost:8100' has been blocked by CORS policy: Method PATCH is not allowed by Access-Control-Allow-Methods in preflight response.

The filters I have for the response is the following, I don't understand why I'm getting this if I have PATCH as an allowed method and it works perfectly on Postman:

Filter:

@Provider
public final class ResponseFilter implements ContainerResponseFilter {

    @Override
    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) throws IOException {
        MultivaluedMap<String, Object> headers = responseContext.getHeaders();

        headers.putSingle("Accept-Patch", "*");
        headers.putSingle("Access-Control-Allow-Origin", "*");
        headers.putSingle("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE, PATCH");
        headers.putSingle("Access-Control-Allow-Credentials", "true");
        headers.putSingle("Access-Control-Max-Age", "3600");
        headers.putSingle("Access-Control-Allow-Headers", "Content-Type, Accept, Authorization");
    }
}

Method which uses PATCH:

import javax.ws.rs.PATCH;


@PATCH
    @Path("/{username}")
@Produces(MediaType.APPLICATION_JSON)
    public Response actualizarPassword(@Valid @NotNull(message = "user must not be null") final UserDTO userDTO,
                                      @PathParam("username") final String username,
                                      @QueryParam("codigo") @NotNull(message = "codigo musnt be null") final String codigo) {
        userDTO.setUsername(username);
        this.usersService.actualizarPassword(this.userDTOMapper.map(userDTO), codigo);

        return Response.noContent().build();
    }

As I said, I also tried to create an annotation with PATCH as I read in some answers but this http method is supposed to be included on Jersey 2.1 and it indeed is as it can be see in the previous piece of code, the interface I created was:

@Target({ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@HttpMethod("PATCH")
public @interface PATCH {
}

And if I do a POSTMAN request, these are the headers I get:

Accept-Patch →*
Access-Control-Allow-Origin →*
Access-Control-Allow-Methods →POST, PUT, GET, OPTIONS, DELETE, PATCH
Access-Control-Allow-Credentials →true
Access-Control-Max-Age →3600
Access-Control-Allow-Headers →Content-Type, Accept, Authorization
X-Content-Type-Options →nosniff
X-XSS-Protection →1; mode=block
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Pragma →no-cache
Expires →0
X-Frame-Options →DENY
Content-Type →application/json
Content-Length →54
Date →Wed, 07 Nov 2018 07:46:45 GMT

And incase it's somehow related, this is my SpringSecurity config:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests().anyRequest().permitAll()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf().disable();
    }

    @Override
    public void configure(WebSecurity web ) throws Exception
    {
        web.ignoring().antMatchers( HttpMethod.OPTIONS, "/**" );
    }
}

UPDATE 1

I've printed the code that the response has and I get a 200. However, I keep getting this error.

UPDATE 2

As requested by sideshowbarker, I made an OPTIONS request with POSTMAN and this is the headers:

Allow →HEAD,GET,OPTIONS,PUT,PATCH
Last-modified →Wed, 07 Nov 2018 10:07:57 GMT+01:00
Accept-Patch →*
Access-Control-Allow-Origin →*
Access-Control-Allow-Methods →POST, PUT, GET, OPTIONS, DELETE, PATCH
Access-Control-Allow-Credentials →true
Access-Control-Max-Age →3600
Access-Control-Allow-Headers →Content-Type, Accept, Authorization
Content-Type →application/vnd.sun.wadl+xml
Content-Length →1165
Date →Wed, 07 Nov 2018 09:07:57 GMT

UPDATE 3

I checked the headers in dev tools as suggested by and the PATCH method isn't there. Why is this? Why is it there if I use POSTMAN but not with my Ionic App?

Please help, I've been struggling with this for days...

Thanks

Answer 1

Okay I am so idiot that I can't even believe it myself. I was using [this plugin for Chrome] 1

which was modifying the headers from the response. Noticed it thanks to @sideshowbarker . It's such an idiot thing but that I bet it might happen to other people too.

Thanks alot @sideshowbarker.

Answer 2

I had same issue as well. I had a chrome CORS plugin enabled for CORS, and seems it's modifying the header before making a request. Disabling it just worked, such a blunder :)