iManiac

Reputation: 41

401 response for CORS preflight OPTIONS request to springboot server

A cross-domain request from my Angular app to a Spring Boot backend is blocked by CORS, but only with POST and PUT. GET is allowed and works as expected.

Here is my config ..

Backend :

cors filter -

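// CORSConfiguration.java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class CORSConfiguration {

    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration corsConfiguration = new CorsConfiguration();

        // Credentialed requests are allowed only from the Angular dev origin
        corsConfiguration.setAllowCredentials(true);
        corsConfiguration.setAllowedOrigins(Arrays.asList("http://localhost:4200"));
        corsConfiguration.setAllowedMethods(Arrays.asList("PUT", "POST", "GET", "DELETE", "OPTIONS"));
        corsConfiguration.setAllowedHeaders(Arrays.asList("Origin", "X-Requested-With", "X-Requested-By",
                "Content-Type", "Accept", "Authorization"));
        // Apply this one policy to every path
        source.registerCorsConfiguration("/**", corsConfiguration);
        return new CorsFilter(source);
    }
}

// WebSecurityConfiguration.java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.cors().and()
                    .csrf().disable()
                    .authorizeRequests()
                    // Preflight (OPTIONS) requests are permitted without authentication
                    .antMatchers(HttpMethod.OPTIONS).permitAll()
                    .antMatchers("/*").authenticated().and()
                    // Roles come from container-managed (Java EE) authentication
                    .jee().mappableAuthorities("xxxxxxx");
    }
}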

ng :

public postIT(payload: Data): Observable<Data> {
    // The options object is the third argument to post(), inside the call
    return this.http.post<Data>(url, payload, {
      withCredentials: true
    });
  }

Errors :

What am I leaving out here? Please let me know.

Upvotes: 1

Views: 1296

Answers (2)

iManiac

Reputation: 41

The mistake I made was in the web.xml, in which OPTIONS was included in the <security-constraint> element.

I removed it from here and, with the rest of the config as is, I no longer see the issue.


Upvotes: 2
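
The change this answer describes, as an added illustration that is not the poster's actual web.xml: the constraint with OPTIONS listed, then with it removed. The resource name, URL pattern and role name are placeholders, since the page does not show the file.

```xml
<!-- Constructed web.xml fragments; web-resource-name, url-pattern and
     role-name are placeholders, not values from the question. -->

<!-- Before: OPTIONS is listed, so the container requires an authenticated
     user for the CORS preflight. Browsers send preflights without
     credentials, so the container answers 401 and the request never reaches
     the application's CorsFilter or the permitAll() rule for OPTIONS.
     GET still works because a simple GET triggers no preflight. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>api-placeholder</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ROLE_PLACEHOLDER</role-name>
  </auth-constraint>
</security-constraint>

<!-- After: OPTIONS is no longer covered by the container constraint, so the
     preflight reaches Spring, where cors() answers it with the
     Access-Control-* headers configured in CORSConfiguration. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>api-placeholder</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ROLE_PLACEHOLDER</role-name>
  </auth-constraint>
</security-constraint>
```

With an explicit `<http-method>` list, any method that is not listed is left unconstrained by the container, so after the change OPTIONS and every other unlisted method is governed only by the Spring Security rules.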

Andrian Soluk

Reputation: 474

Can you please try to replace "AllowedHeaders" with the following list:

"Access-Control-Allow-Credentials", "Content-Type", "Access-Control-Allow-Headers", "X-Requested-With", "Origin", "Accept"

Upvotes: 0
