serkanz

Reputation: 451

CORS Preflight not sent to server

I have a Spring Boot app that uses Spring Security and a CORS filter. Having a CorsFilter as below, I try to make a cross-origin request

Axios.get("http://10.0.120.11:30500/user", { withCredentials: true })
  .then((data) => console.log(data));

from a page hosted at http://localhost:8080. However, the browser gives 401. The strange thing is that the browser doesn't send any preflight (OPTIONS) request.

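import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;

@Configuration
@EnableWebMvc
public class CorsConfig {

    @Bean
    public CorsFilter corsFilter() {
        // Wildcard list, reused for allowed headers and allowed methods
        List<String> list = new ArrayList<>();
        list.add("*");

        CorsConfiguration corsConfiguration = new CorsConfiguration();
        // Cookies are allowed, so the permitted origin is named explicitly below
        corsConfiguration.setAllowCredentials(true);
        corsConfiguration.setAllowedHeaders(list);
        corsConfiguration.setAllowedMethods(list);
        corsConfiguration.setAllowedOriginPatterns(Arrays.asList("http://localhost:8080"));

        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

        // Apply the same CORS policy to every path
        source.registerCorsConfiguration("/**", corsConfiguration);
        return new CorsFilter(source);
    }
}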

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .cors()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf()
                .disable()
                .formLogin()
                .disable()
                .httpBasic()
                .disable()
                .exceptionHandling()
                .authenticationEntryPoint(new LoginAuthenticationEntryPoint())
                //.authenticationEntryPoint(new RestAuthenticationEntryPoint())
                .and()
                .authorizeRequests()
                .antMatchers("/",
                        "/error",
                        "/favicon.ico",
                        "/**/*.png",
                        "/**/*.gif",
                        "/**/*.svg",
                        "/**/*.jpg",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js")
                .permitAll()
                .antMatchers("/login/**","/auth/**", "/oauth2/**")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .oauth2Login()
                .clientRegistrationRepository(getClientRegistrationRepository())
                .authorizationEndpoint()
                .authorizationRequestResolver(new CustomAuthorizationRequestResolver(getClientRegistrationRepository(),"/oauth2/authorize"))
                .baseUri("/oauth2/authorize")
                .authorizationRequestRepository(cookieAuthorizationRequestRepository())
                .and()
                .redirectionEndpoint()
                .baseUri("/oauth2/callback/*")
                .and()
                .tokenEndpoint()
                .accessTokenResponseClient(new CustomTokenResponseClient())
                .and()
                .userInfoEndpoint()
                .userService(customOAuth2UserService)
                .and()
                .successHandler(oAuth2AuthenticationSuccessHandler)
                .failureHandler(oAuth2AuthenticationFailureHandler);

        // Add our custom Token based authentication filter
        http.addFilterBefore(cookieAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
    }

Upvotes: 0

Views: 779

Answers (1)

K.Nicholas

Reputation: 11561

The browser probably doesn't want to send a pre-flight request for a GET request.

Additionally, for HTTP request methods that can cause side-effects on server data (in particular, HTTP methods other than GET, or POST with certain MIME types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with the HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request.

Reference: Cross-Origin Resource Sharing (CORS)

Upvotes: 2
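
The rule the answer describes, as an added example that is not part of the original answer: a JavaScript sketch of the Fetch standard's preflight decision, applied to the question's Axios call. The function name `preflightReasons`, the sample requests and the simplified header checks are assumptions made for illustration.

```javascript
// Added example: would the browser preflight this cross-origin request?
// Simplified from the Fetch standard: header values are only length-checked
// and Range is treated as non-safelisted.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns the reasons a preflight (OPTIONS) is required; [] means none is sent.
// withCredentials is accepted but deliberately unused: cookies never trigger
// a preflight, they only change which response headers the browser demands.
function preflightReasons({ method = "GET", headers = {}, withCredentials = false }) {
  const reasons = [];
  const m = method.toUpperCase();
  if (!SAFE_METHODS.has(m)) reasons.push(`method ${m} is not CORS-safelisted`);
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    const v = String(value);
    if (!SAFE_HEADERS.has(n)) {
      reasons.push(`header ${n} is not CORS-safelisted`);
    } else if (new TextEncoder().encode(v).length > 128) {
      reasons.push(`header ${n} value exceeds 128 bytes`);
    } else if (n === "content-type") {
      const essence = v.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) {
        reasons.push(`content-type ${essence} is not CORS-safelisted`);
      }
    }
  }
  return reasons;
}

// Constructed sample requests; the first mirrors the question's Axios call
// (Axios sends "Accept: application/json, text/plain, */*" by default).
const samples = {
  questionGet: { method: "GET", headers: { Accept: "application/json, text/plain, */*" }, withCredentials: true },
  bearerGet: { method: "GET", headers: { Authorization: "Bearer PLACEHOLDER_TOKEN" } },
  jsonPost: { method: "POST", headers: { "Content-Type": "application/json" } },
  formPost: { method: "POST", headers: { "Content-Type": "text/plain;charset=UTF-8" } },
  del: { method: "DELETE" },
};

for (const [name, req] of Object.entries(samples)) {
  const why = preflightReasons(req);
  console.log(name, why.length ? `preflight: ${why.join("; ")}` : "no preflight");
}
```

For the request in the question the function returns no reasons, so the GET goes straight to the server and the 401 is the response to that GET rather than to an OPTIONS request.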
