How to configure CORS in a Spring Boot Spring Security application

Question

I use Spring Boot with Spring Security and Cors Support    If I execute following code   url    http   localhost 5000 api token  xmlhttp   new XMLHttpRequest xmlhttp onreadystatechange   - gt      if xmlhttp readyState is 4         console log xmlhttp status xmlhttp open  GET   url  true   xmlhttp setRequestHeader  X-Requested-With    XMLHttpRequest  xmlhttp setRequestHeader  Authorization    Basic     btoa  a a  do xmlhttp send   I get as a result  200   If I test with wrong credentials like  url    http   localhost 5000 api token  xmlhttp   new XMLHttpRequest xmlhttp onreadystatechange   - gt      if xmlhttp readyState is 4         console log xmlhttp status xmlhttp open  GET   url  true   xmlhttp setRequestHeader  X-Requested-With    XMLHttpRequest  xmlhttp setRequestHeader  Authorization    Basic     btoa  a aa  do xmlhttp send   instead of getting 401  that is the standard code for wrong authentication in spring security  I get  0   with following browser notification   GET http   localhost 5000 api token  XMLHttpRequest cannot load http   localhost 5000  No  Access-Control-Allow-Origin  header is present on the requested resource  Origin  http   localhost 3000  is therefore not allowed access  The response had HTTP status code 401   I m developing front-end code that needs useful http status codes from server responses to handle the situation  I need something more useful than 0  Also the response body is empty  I dont know if my config is wrong  or it s a software bug and I also don t know where  if it s chromium  using arch linux  or spring security   My Spring Config is    SpringBootApplication public class Application       public static void main String   args            SpringApplication run Application class  args             RestController  RequestMapping  api   public class Controller        RequestMapping  token        CrossOrigin     Map lt String  String gt  token HttpSession session            return Collections singletonMap  token   session getId               EnableWebSecurity public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter        Override     protected void configure AuthenticationManagerBuilder auth  throws Exception           auth inMemoryAuthentication   withUser  a   password  a   roles  USER               Override     protected void configure HttpSecurity http  throws Exception           http                  authorizeRequests                    requestMatchers CorsUtils  isPreFlightRequest  permitAll                    anyRequest   authenticated                    and   httpBasic              If I test with curl everything works perfect  I think because no CORS support needed  but I tried to simulate the CORS with OPTION requests and the result was also ok     curl -v localhost 5000 api token -H  Authorization  Basic YTpha      Trying   1      Connected to localhost    1  port 5000   0   gt  GET  api token HTTP 1 1  gt  Host  localhost 5000  gt  User-Agent  curl 7 48 0  gt  Accept       gt  Authorization  Basic YTpha  gt    lt  HTTP 1 1 200 OK  lt  Server  Apache-Coyote 1 1  lt  X-Content-Type-Options  nosniff  lt  X-XSS-Protection  1  mode block  lt  Cache-Control  no-cache  no-store  max-age 0  must-revalidate  lt  Pragma  no-cache  lt  Expires  0  lt  X-Frame-Options  DENY  lt  Access-Control-Allow-Origin  http   localhost 3000  lt  Access-Control-Allow-Methods  POST GET OPTIONS DELETE  lt  Access-Control-Max-Age  3600  lt  Access-Control-Allow-Credentials  true  lt  Access-Control-Allow-Headers  Origin Accept X-Requested-    With Content-Type Access-Control-Request-Method Access-Control-Request-Headers Authorization  lt  x-auth-token  58e4cca9-7719-46c8-9180-2fc16aec8dff  lt  Content-Type  application json charset UTF-8  lt  Transfer-Encoding  chunked  lt  Date  Sun  01 May 2016 16 15 44 GMT  lt     Connection  0 to host localhost left intact   token   58e4cca9-7719-46c8-9180-2fc16aec8dff     and with wrong credentials     curl -v localhost 5000 api token -H  Authorization  Basic YTp      Trying   1      Connected to localhost    1  port 5000   0   gt  GET  api token HTTP 1 1  gt  Host  localhost 5000  gt  User-Agent  curl 7 48 0  gt  Accept       gt  Authorization  Basic YTp  gt    lt  HTTP 1 1 401 Unauthorized  lt  Server  Apache-Coyote 1 1  lt  X-Content-Type-Options  nosniff  lt  X-XSS-Protection  1  mode block  lt  Cache-Control  no-cache  no-store  max-age 0  must-revalidate  lt  Pragma  no-cache  lt  Expires  0  lt  X-Frame-Options  DENY  lt  WWW-Authenticate  Basic realm  Realm   lt  Content-Type  application json charset UTF-8  lt  Transfer-Encoding  chunked  lt  Date  Sun  01 May 2016 16 16 15 GMT  lt     Connection  0 to host localhost left intact   timestamp  1462119375041  status  401  error   Unauthorized   message   Failed to decode basic authentication token   path    api token     Edit  To avoid misunderstandings  I use 1 3 3 Spring Boot  The Blog post writes      CORS support will be available in the upcoming Spring Boot 1 3 release  and is already available in the 1 3 0 BUILD-SNAPSHOT builds       Using controller method CORS configuration with  CrossOrigin annotations in your Spring Boot application does not require any specific configuration       Global CORS configuration can be defined by registering a WebMvcConfigurer bean with a customized addCorsMappings CorsRegistry  method    I have added following code to enable global cors support  actually I have tried this before but it the result was the same  I tried it again recently and the result is the same    Configuration public class MyConfiguration         Bean     public WebMvcConfigurer corsConfigurer             return new WebMvcConfigurerAdapter                  Override             public void addCorsMappings CorsRegistry registry                    registry addMapping                                            The idea  that the problem comes from a redirect between the authorization process is an interesting though  how can i change the redirect to any resources to avoid this conflict   EDIT   I guess I am closer to a solution  I have tested with my nodejs server that supports cors without problems by adding  Access-Control-Allow-Origin    to all requests   Like Stefan Isele has already mentioned it seems that spring security redirects or doesn t add the CORS header so that s why the request seems to be broken  So while spring security is checking the authentification it has to add the proper header   Does anyone know how to do so   EDIT   I found a workaround  that seems to be ugly  I have started a github issue for spring boot where I describe the workaround  https   github com spring-projects spring-boot issues 5834

User · Answer

Cross origin protection is a feature of the browser. Curl does not care for CORS, as you presumed. That explains why your curls are successful, while the browser requests are not.

If you send the browser request with the wrong credentials, spring will try to forward the client to a login page. This response (off the login page) does not contain the header 'Access-Control-Allow-Origin' and the browser reacts as you describe.

You must make spring to include the haeder for this login response, and may be for other response, like error pages etc.

This can be done like this :

    @Configuration
    @EnableWebMvc
    public class WebConfig extends WebMvcConfigurerAdapter {

            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/api/**")
                    .allowedOrigins("http://domain2.com")
                    .allowedMethods("PUT", "DELETE")
                    .allowedHeaders("header1", "header2", "header3")
                    .exposedHeaders("header1", "header2")
                    .allowCredentials(false).maxAge(3600);
            }
     }

This is copied from cors-support-in-spring-framework

I would start by adding cors mapping for all resources with :

registry.addMapping("/**")

and also allowing all methods headers.. Once it works you may start to reduce that again to the needed minimum.

Please note, that the CORS configuration changes with Release 4.2.

If this does not solve your issues, post the response you get from the failed ajax request.

User · Answer

For properties configuration     ENDPOINTS CORS CONFIGURATION  EndpointCorsProperties  endpoints cors allow-credentials    Set whether credentials are supported  When not set  credentials are not supported  endpoints cors allowed-headers    Comma-separated list of headers to allow in a request      allows all headers  endpoints cors allowed-methods GET   Comma-separated list of methods to allow      allows all methods  endpoints cors allowed-origins    Comma-separated list of origins to allow      allows all origins  When not set  CORS support is disabled  endpoints cors exposed-headers    Comma-separated list of headers to include in a response  endpoints cors max-age 1800   How long  in seconds  the response from a pre-flight request can be cached by clients

User · Answer

I had the same problem on a methood that returns the status of the server  The application is deployed on multiple servers  So the easiest I found is to add   CrossOrigin origins         RequestMapping value   schedulerActive   public String isSchedulerActive        code goes here     This method is not secure but you can add allowCredentials for that

User · Answer

Cors can be a pain in the ass  but with this simple code you are Cors ONLY     to to specified method   CrossOrigin origins        in this line add your url and thats is all for spring boot side      GetMapping   some       public String index             return  pawned cors               Like a charm in spring boot 2 0 2

User · Answer

I solved this problem by      Bean CorsConfigurationSource corsConfigurationSource         CorsConfiguration configuration   new CorsConfiguration        configuration setAllowedOrigins Arrays asList            configuration setAllowCredentials true       configuration setAllowedHeaders Arrays asList  Access-Control-Allow-Headers   Access-Control-Allow-Origin   Access-Control-Request-Method    Access-Control-Request-Headers   Origin   Cache-Control    Content-Type    Authorization         configuration setAllowedMethods Arrays asList  DELETE    GET    POST    PATCH    PUT         UrlBasedCorsConfigurationSource source   new UrlBasedCorsConfigurationSource        source registerCorsConfiguration        configuration       return source

User · Answer

Found an easy solution for Spring-Boot  Spring-Security and Java-based config    Configuration  EnableWebSecurity  EnableGlobalMethodSecurity prePostEnabled   true  public class WebSecurityConfig extends WebSecurityConfigurerAdapter         Override     protected void configure HttpSecurity httpSecurity  throws Exception           httpSecurity cors   configurationSource new CorsConfigurationSource                  Override             public CorsConfiguration getCorsConfiguration HttpServletRequest request                    return new CorsConfiguration   applyPermitDefaultValues

User · Answer

I solved this problem by    import javax servlet FilterChain  import javax servlet ServletException  import javax servlet http HttpServletRequest  import javax servlet http HttpServletResponse   import org springframework context annotation Configuration  import org springframework web cors CorsConfigurationSource  import org springframework web filter CorsFilter        Configuration     public class CORSFilter extends CorsFilter            public CORSFilter CorsConfigurationSource source                super  CorsConfigurationSource  source                       Override         protected void doFilterInternal HttpServletRequest request  HttpServletResponse response  FilterChain filterChain                  throws ServletException  IOException                response addHeader  Access-Control-Allow-Headers                        Access-Control-Allow-Origin  Origin  Accept  X-Requested-With  Content-Type  Access-Control-Request-Method  Access-Control-Request-Headers                if  response getHeader  Access-Control-Allow-Origin      null                  response addHeader  Access-Control-Allow-Origin                     filterChain doFilter request  response                      and    import org springframework context annotation Bean  import org springframework context annotation Configuration  import org springframework http HttpMethod  import org springframework web cors CorsConfiguration  import org springframework web cors CorsConfigurationSource  import org springframework web cors UrlBasedCorsConfigurationSource        Configuration     public class RestConfig             Bean         public CORSFilter corsFilter                 CorsConfigurationSource source   new UrlBasedCorsConfigurationSource                CorsConfiguration config   new CorsConfiguration                config addAllowedOrigin  http   localhost 4200                config addAllowedMethod HttpMethod DELETE               config addAllowedMethod HttpMethod GET               config addAllowedMethod HttpMethod OPTIONS               config addAllowedMethod HttpMethod PUT               config addAllowedMethod HttpMethod POST                 UrlBasedCorsConfigurationSource  source  registerCorsConfiguration        config               return new CORSFilter source

User · Answer

If you use JDK 8   there is a one line lambda solution    EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter     Override protected void configure HttpSecurity http  throws Exception       http cors   configurationSource request - gt  new CorsConfiguration   applyPermitDefaultValues

User · Answer

I was having major problems with Axios  Spring Boot and Spring Security with authentication     Please note the version of Spring Boot and the Spring Security you are using matters   Spring Boot  1 5 10 Spring  4 3 14 Spring Security 4 2 4  To resolve this issue using Annotation Based Java Configuration I created the following class    Configuration  EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter         Autowired     public void configureGlobal AuthenticationManagerBuilder auth  throws Exception            auth inMemoryAuthentication                    withUser  youruser   password  yourpassword                    authorities  ROLE USER                Override     protected void configure HttpSecurity http  throws Exception            http cors   and                    authorizeRequests                    requestMatchers CorsUtils   isPreFlightRequest  permitAll                    anyRequest                    authenticated                    and                    httpBasic                    realmName  Biometrix             http csrf   disable                 Bean     CorsConfigurationSource corsConfigurationSource             CorsConfiguration configuration   new CorsConfiguration            configuration setAllowCredentials true           configuration setAllowedHeaders Arrays asList  Authorization             configuration setAllowedOrigins Arrays asList                configuration setAllowedMethods Arrays asList                UrlBasedCorsConfigurationSource source   new UrlBasedCorsConfigurationSource            source registerCorsConfiguration        configuration           return source            One of the major gotchas with Axios is that when your API requires authentication it sends an Authorization header with the OPTIONS request   If you do not include Authorization in the allowed headers configuration setting our OPTIONS request  aka PreFlight request  will fail and Axios will report an error   As you can see with a couple of simple and properly placed settings CORS configuration with SpringBoot is pretty easy

User · Answer

https   docs spring io spring-boot docs 2 4 2 reference htmlsingle  boot-features-cors  Configuration public class MyConfiguration         Bean     public WebMvcConfigurer corsConfigurer             return new WebMvcConfigurer                  Override             public void addCorsMappings final CorsRegistry registry                    registry addMapping  quot     quot   allowedMethods  quot   quot   allowedHeaders  quot   quot                                      If using Spring Security  set additional     https   docs spring io spring-security site docs 5 4 2 reference html5  cors  EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter         Override     protected void configure final HttpSecurity http  throws Exception                              if Spring MVC is on classpath and no CorsConfigurationSource is provided             Spring Security will use CORS configuration provided to Spring MVC         http cors Customizer withDefaults

User · Answer

Bean     public WebMvcConfigurer corsConfigurer             return new WebMvcConfigurer                  Override             public void addCorsMappings CorsRegistry registry                    registry addMapping  quot     quot   allowedOrigins  quot   quot   allowedMethods  quot   quot

User · Answer

Spring Security can now leverage Spring MVC CORS support described in this blog post I wrote   To make it work  you need to explicitly enable CORS support at Spring Security level as following  otherwise CORS enabled requests may be blocked by Spring Security before reaching Spring MVC   If you are using controller level  CrossOrigin annotations  you just have to enable Spring Security CORS support and it will leverage Spring MVC configuration     EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter         Override     protected void configure HttpSecurity http  throws Exception           http cors   and                If you prefer using CORS global configuration  you can declare a CorsConfigurationSource bean as following    EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter         Override     protected void configure HttpSecurity http  throws Exception           http cors   and                  Bean     CorsConfigurationSource corsConfigurationSource             UrlBasedCorsConfigurationSource source   new UrlBasedCorsConfigurationSource            source registerCorsConfiguration        new CorsConfiguration   applyPermitDefaultValues             return source            This approach supersedes the filter-based approach previously recommended   You can find more details in the dedicated CORS section of Spring Security documentation

User · Answer

Kotlin solution      http cors   configurationSource     CorsConfiguration   applyPermitDefaultValues

User · Answer

You can finish this with only a Single Class  Just add this on your class path    This one is enough for Spring Boot  Spring Security  nothing else               Component          Order Ordered HIGHEST PRECEDENCE          public class MyCorsFilterConfig implements Filter                 Override             public void doFilter ServletRequest req  ServletResponse res  FilterChain chain  throws IOException  ServletException                   final HttpServletResponse response    HttpServletResponse  res                  response setHeader  Access-Control-Allow-Origin                         response setHeader  Access-Control-Allow-Methods    POST  PUT  GET  OPTIONS  DELETE                    response setHeader  Access-Control-Allow-Headers    Authorization  Content-Type  enctype                    response setHeader  Access-Control-Max-Age    3600                    if  HttpMethod OPTIONS name   equalsIgnoreCase   HttpServletRequest  req  getMethod                           response setStatus HttpServletResponse SC OK                     else                       chain doFilter req  res                                                 Override             public void destroy                                 Override             public void init FilterConfig config  throws ServletException

User · Answer

Solution for Webflux  Reactive  Spring Boot  since Google shows this as one of the top results when searching with  Reactive  for this same problem  Using Spring boot version 2 2 2   Bean public SecurityWebFilterChain securityWebFilterChain ServerHttpSecurity http      return http cors   and   build        Bean public CorsWebFilter corsFilter       CorsConfiguration config   new CorsConfiguration       config applyPermitDefaultValues       config addAllowedHeader  Authorization       UrlBasedCorsConfigurationSource source   new UrlBasedCorsConfigurationSource      source registerCorsConfiguration        config      return new CorsWebFilter source       For a full example  with the setup that works with a custom authentication manager  in my case JWT authentication   See here https   gist github com FiredLight d973968cbd837048987ab2385ba6b38f

User · Answer

If you are using Spring Security  you can do the following to ensure that CORS requests are handled first    EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter         Override     protected void configure HttpSecurity http  throws Exception           http                by default uses a Bean by the name of corsConfigurationSource              cors   and                               Bean     CorsConfigurationSource corsConfigurationSource             CorsConfiguration configuration   new CorsConfiguration            configuration setAllowedOrigins Arrays asList  https   example com             configuration setAllowedMethods Arrays asList  GET   POST             UrlBasedCorsConfigurationSource source   new UrlBasedCorsConfigurationSource            source registerCorsConfiguration        configuration           return source            See Spring 4 2 x CORS for more information   Without Spring Security this will work    Bean public WebMvcConfigurer corsConfigurer         return new WebMvcConfigurer              Override         public void addCorsMappings CorsRegistry registry                registry addMapping                             allowedOrigins                           allowedMethods  GET    PUT    POST    PATCH    DELETE    OPTIONS

User · Answer

After much searching for the error coming from javascript CORS  the only elegant solution I found for this case was configuring the cors of Spring s own class org springframework web cors CorsConfiguration CorsConfiguration     Configuration  EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter         Override     protected void configure HttpSecurity http  throws Exception           http cors   configurationSource request - gt  new CorsConfiguration   applyPermitDefaultValues

[javascript] How to configure CORS in a Spring Boot + Spring Security application?

Examples related to javascript

Examples related to spring

Examples related to spring-security

Examples related to spring-boot

Examples related to cors