Imran

Reputation: 1902

Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response

Spring Boot Keycloak auth Swagger is blocked by the browser with the message:

Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response

Access to fetch at 'http://localhost:8080/auth/realms/test/protocol/openid-connect/token' from origin 'http://localhost:8081' has been blocked by CORS policy: Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response.

These CORS configs were added to the Spring Boot app:
      cors: true
      cors-allowed-methods: GET,POST,HEAD,PUT,DELETE,OPTIONS
      cors-allowed-headers: x-xsrf-token

As well as that, the client URL http://localhost:8081 was added to Web Origins in Keycloak. Not sure what is still missing to get it working.

Upvotes: 0

Views: 2796
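The error text above carries two useful facts: the blocked request goes to the Keycloak token endpoint on port 8080, so the preflight response the browser inspected was sent by Keycloak, not by the Spring Boot app on 8081 whose CORS settings were changed; and the complaint is about Access-Control-Allow-Headers, which a browser only checks after the origin check has already passed. The following is an added example, not code from the question or from Keycloak: a model of the browser-side preflight check following the Fetch standard, run against constructed preflight responses (the header lists are assumptions for illustration, not what a given Keycloak version sends) so the exact message in the question can be reproduced offline.

```javascript
// Added example (not part of the question or answers): a model of the
// browser-side CORS preflight check, following the Fetch standard, used to
// reproduce the exact error in the question offline.
// Simplification: Content-Type is treated as safelisted regardless of its
// value (the standard only safelists three media types).

const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

function splitList(value) {
  return (value || "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
}

// request   = { origin, method, headers: [names], credentials: boolean }
// preflight = lower-case response header name -> value (the OPTIONS response)
// Returns { ok, reason }; reason mirrors the wording Chromium prints.
function checkPreflight(request, preflight) {
  const allowOrigin = preflight["access-control-allow-origin"];
  const allowCredentials = (preflight["access-control-allow-credentials"] || "").toLowerCase() === "true";
  const allowedHeaders = splitList(preflight["access-control-allow-headers"]);
  const allowedMethods = splitList(preflight["access-control-allow-methods"]).map((m) => m.toUpperCase());
  const wildcardOk = !request.credentials; // "*" only counts for non-credentialed requests

  // 1. Origin: "*" (without credentials) or an exact match of the requesting origin.
  if (allowOrigin === undefined) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  if (allowOrigin === "*" && !wildcardOk) {
    return { ok: false, reason: "The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'." };
  }
  if (allowOrigin !== "*" && allowOrigin !== request.origin) {
    return { ok: false, reason: `The 'Access-Control-Allow-Origin' header has a value '${allowOrigin}' that is not equal to the supplied origin.` };
  }
  if (request.credentials && !allowCredentials) {
    return { ok: false, reason: "The value of the 'Access-Control-Allow-Credentials' header in the response must be 'true' when the request's credentials mode is 'include'." };
  }

  // 2. Method: simple methods always pass; others must be listed ("*" only without credentials).
  const method = request.method.toUpperCase();
  if (!SIMPLE_METHODS.has(method) && !allowedMethods.includes(method) && !(wildcardOk && allowedMethods.includes("*"))) {
    return { ok: false, reason: `Method ${method} is not allowed by Access-Control-Allow-Methods in preflight response.` };
  }

  // 3. Headers: every non-safelisted request header must be listed. "*" covers
  //    everything except Authorization, and only without credentials.
  const headerWildcard = wildcardOk && allowedHeaders.includes("*");
  for (const name of request.headers.map((h) => h.toLowerCase())) {
    if (SAFELISTED_HEADERS.has(name)) continue;
    if (headerWildcard && name !== "authorization") continue;
    if (!allowedHeaders.includes(name)) {
      return { ok: false, reason: `Request header field ${name} is not allowed by Access-Control-Allow-Headers in preflight response.` };
    }
  }
  return { ok: true, reason: "" };
}

// Constructed sample: the request from the question (a fetch from the Swagger
// UI on :8081 to the Keycloak token endpoint on :8080 carrying X-XSRF-TOKEN).
const QUESTION_REQUEST = {
  origin: "http://localhost:8081",
  method: "POST",
  headers: ["content-type", "x-xsrf-token"],
  credentials: false,
};

// Constructed preflight responses (assumed header lists, not taken from a real
// Keycloak); the two differ only in whether x-xsrf-token is listed.
const PREFLIGHT_WITHOUT_XSRF = {
  "access-control-allow-origin": "http://localhost:8081",
  "access-control-allow-methods": "POST, OPTIONS",
  "access-control-allow-headers": "authorization, content-type",
};
const PREFLIGHT_WITH_XSRF = {
  ...PREFLIGHT_WITHOUT_XSRF,
  "access-control-allow-headers": "authorization, content-type, x-xsrf-token",
};

console.log(checkPreflight(QUESTION_REQUEST, PREFLIGHT_WITHOUT_XSRF).reason);
console.log(checkPreflight(QUESTION_REQUEST, PREFLIGHT_WITH_XSRF).ok);
```

The first call prints the question's error verbatim; the second passes once x-xsrf-token is in the list. Because the origin check runs first, the fact that the browser got as far as the header check means Keycloak did accept http://localhost:8081 as an origin; what the token endpoint's preflight response did not list is the custom header the Swagger page sends.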

Answers (2)

Abhishek

Reputation: 87

Did you try using @CrossOrigin(origins="http://localhost:8081") on your controller class and repository class?

Also, in conjunction with it: try to add a WebConfigurer Bean in your main Spring Boot Application class and annotate that too with @CrossOrigin(origins="http://localhost:8081")

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.CorsRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

    @Configuration
    public class CorsConfig {

        // Global CORS mapping for every Spring MVC path. The header and method
        // names below are placeholders; replace them with what the client sends.
        @Bean
        public WebMvcConfigurer corsConfigurer() {
            return new WebMvcConfigurer() {
                @Override
                public void addCorsMappings(CorsRegistry registry) {
                    registry.addMapping("/**")
                            .allowedOrigins("http://localhost:8081")
                            .allowedMethods("PUT", "DELETE")
                            .allowedHeaders("header1", "header2", "header3")
                            .exposedHeaders("header1", "header2")
                            .allowCredentials(false)
                            .maxAge(3600);
                }
            };
        }
    }

Please visit this link too for enabling CORS in your application server side.

Upvotes: 1

Romil Patel

Reputation: 13787

You may use CorsConfiguration to set the allowed headers.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import java.util.Collections;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Overriding configure(HttpSecurity) discards the adapter's default rules
        // (authenticated access, form login, HTTP Basic); add authorizeRequests()
        // here if this class is the only security configuration in the app.
        http.cors().configurationSource(corsConfigurationSource());
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        // The caller's origin from the question. A wildcard "*" origin cannot be
        // combined with setAllowCredentials(true): browsers refuse that pair, and
        // Spring 5.3+ rejects it with an IllegalArgumentException at request time
        // (setAllowedOriginPatterns exists for cases that really need a pattern).
        configuration.setAllowedOrigins(Collections.singletonList("http://localhost:8081"));
        // "*" for methods and headers is fine together with credentials: Spring
        // answers the preflight with the method and headers the request asked for.
        configuration.setAllowedMethods(Collections.singletonList("*"));
        configuration.setAllowedHeaders(Collections.singletonList("*"));
        configuration.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

Upvotes: 0
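Both answers configure the server side of the preflight, either through a WebMvcConfigurer mapping or a CorsConfigurationSource. The following is an added example, not the code of either answer nor of Spring or Keycloak: the same policy written as plain Node.js, showing what a credentialed CORS configuration has to look like, an explicit origin allow-list that is echoed back rather than "*", a fixed list of allowed headers that now includes x-xsrf-token, Vary: Origin on every response, and a 403 for preflights outside the policy. The policy values (the :8081 origin, the header list) are assumptions taken from the question.

```javascript
// Added example (not from either answer): server-side preflight handling in
// plain Node.js. Node's http module lower-cases incoming header names, which
// the lookups below rely on.

// Assumed policy for the question's setup: the Swagger UI on :8081 as the only
// allowed origin, with X-XSRF-TOKEN added to the allowed request headers.
const POLICY = {
  allowedOrigins: new Set(["http://localhost:8081"]),
  allowedMethods: ["GET", "POST", "PUT", "DELETE"],
  allowedHeaders: ["authorization", "content-type", "x-xsrf-token"],
  allowCredentials: true,
  maxAgeSeconds: 3600,
};

const splitList = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Returns { status, headers, handled }. status and handled are set only when
// the request is a preflight the server answers itself (204 or 403); for any
// other request the caller adds `headers` to its normal response.
function corsHeadersFor(method, headers, policy = POLICY) {
  const origin = headers["origin"];
  if (!origin) return { status: null, headers: {}, handled: false }; // not a cross-origin browser request

  const isPreflight = method === "OPTIONS" && Boolean(headers["access-control-request-method"]);

  // Unknown origin: no Access-Control-Allow-* headers at all, so the browser
  // blocks the response. Vary: Origin is still sent so a cache never serves a
  // response computed for one origin to another.
  if (!policy.allowedOrigins.has(origin)) {
    return { status: isPreflight ? 403 : null, headers: { vary: "Origin" }, handled: isPreflight };
  }

  // Echo the matched origin; a literal "*" is never valid with credentials.
  const out = { "access-control-allow-origin": origin, vary: "Origin" };
  if (policy.allowCredentials) out["access-control-allow-credentials"] = "true";

  if (!isPreflight) return { status: null, headers: out, handled: false };

  const wantMethod = headers["access-control-request-method"].toUpperCase();
  const wantHeaders = splitList(headers["access-control-request-headers"]);
  const unlisted = wantHeaders.filter((h) => !policy.allowedHeaders.includes(h));
  if (!policy.allowedMethods.includes(wantMethod) || unlisted.length > 0) {
    return { status: 403, headers: { vary: "Origin" }, handled: true };
  }
  // Answer from the policy, not by echoing whatever the request listed.
  out["access-control-allow-methods"] = policy.allowedMethods.join(", ");
  out["access-control-allow-headers"] = policy.allowedHeaders.join(", ");
  out["access-control-max-age"] = String(policy.maxAgeSeconds);
  return { status: 204, headers: out, handled: true };
}

// Glue for a real http.Server: returns true when the request was a preflight
// and has already been answered, so the handler should stop there. Wiring
// (not started here): http.createServer((req, res) => {
//   if (applyCors(req, res)) return; res.end("hello"); }).listen(8080);
function applyCors(req, res, policy = POLICY) {
  const { status, headers, handled } = corsHeadersFor(req.method, req.headers, policy);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (handled) {
    res.writeHead(status).end();
    return true;
  }
  return false;
}

// Constructed preflight matching the question's request.
const QUESTION_PREFLIGHT = {
  origin: "http://localhost:8081",
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-type, x-xsrf-token",
};
console.log(corsHeadersFor("OPTIONS", QUESTION_PREFLIGHT));
console.log(corsHeadersFor("OPTIONS", { ...QUESTION_PREFLIGHT, origin: "http://evil.example" }));
```

The rejected cases carry no Access-Control-Allow-Origin at all, which is the correct way to say no to a browser; a 403 with the allow-origin header still present would be read by the browser as a policy that permits the origin.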
