Spring CORS No Access-Control-Allow-Origin header is present

Question

I am getting the following problem after porting web xml to java config  No  Access-Control-Allow-Origin  header is present on the requested resource  Origin  http   localhost 63342  is therefore not allowed access    Based on a few Spring references  the following attempt has been tried    Configuration  ComponentScan basePackageClasses   AppConfig class  useDefaultFilters   false  includeFilters              Filter org springframework stereotype Controller class      EnableWebMvc public class WebConfig extends WebMvcConfigurerAdapter         Override     public void addCorsMappings CorsRegistry registry            registry addMapping       allowedOrigins      allowedMethods  GET    POST    OPTIONS    PUT                    allowedHeaders  Content-Type    X-Requested-With    accept    Origin    Access-Control-Request-Method                            Access-Control-Request-Headers                    exposedHeaders  Access-Control-Allow-Origin    Access-Control-Allow-Credentials                    allowCredentials true  maxAge 3600              The values chosen were taken from a working web xml filter    lt filter gt       lt filter-name gt CorsFilter lt  filter-name gt   lt filter-class gt org apache catalina filters CorsFilter lt  filter-class gt   lt init-param gt       lt param-name gt cors allowed origins lt  param-name gt       lt param-value gt   lt  param-value gt   lt  init-param gt   lt init-param gt       lt param-name gt cors allowed methods lt  param-name gt       lt param-value gt GET POST HEAD OPTIONS PUT lt  param-value gt   lt  init-param gt   lt init-param gt       lt param-name gt cors allowed headers lt  param-name gt       lt param-value gt Content-Type X-Requested-With accept Origin Access-Control-Request-Method Access-Control-Request-Headers lt  param-value gt   lt  init-param gt   lt init-param gt       lt param-name gt cors exposed headers lt  param-name gt       lt param-value gt Access-Control-Allow-Origin Access-Control-Allow-Credentials lt  param-value gt   lt  init-param gt   lt init-param gt       lt param-name gt cors support credentials lt  param-name gt       lt param-value gt true lt  param-value gt   lt  init-param gt   lt init-param gt       lt param-name gt cors preflight maxage lt  param-name gt       lt param-value gt 10 lt  param-value gt   lt  init-param gt   lt  filter gt   lt filter-mapping gt    lt filter-name gt CorsFilter lt  filter-name gt   lt url-pattern gt    lt  url-pattern gt   lt  filter-mapping gt    Any ideas why the Spring java config approach is not working like the web xml file did

User · Accepted Answer

Change the CorsMapping from registry addMapping       to registry addMapping        in addCorsMappings method   Check out this Spring CORS Documentation    From the documentation -   Enabling CORS for the whole application is as simple as    Configuration  EnableWebMvc public class WebConfig extends WebMvcConfigurerAdapter         Override     public void addCorsMappings CorsRegistry registry            registry addMapping                   You can easily change any properties  as well as only apply this CORS configuration to a specific path pattern    Configuration  EnableWebMvc public class WebConfig extends WebMvcConfigurerAdapter        Override     public void addCorsMappings CorsRegistry registry            registry addMapping   api                   allowedOrigins  http   domain2 com                allowedMethods  PUT    DELETE                allowedHeaders  header1    header2    header3                exposedHeaders  header1    header2                allowCredentials false  maxAge 3600             Controller method CORS configuration   RestController  RequestMapping   account   public class AccountController      CrossOrigin    RequestMapping    id      public Account retrieve  PathVariable Long id                       To enable CORS for the whole controller -   CrossOrigin origins    http   domain2 com   maxAge   3600   RestController  RequestMapping   account   public class AccountController         RequestMapping    id        public Account retrieve  PathVariable Long id                               RequestMapping method   RequestMethod DELETE  path      id        public void remove  PathVariable Long id                             You can even use both controller-level and method-level CORS configurations  Spring will then combine attributes from both annotations to create merged CORS configuration    CrossOrigin maxAge   3600   RestController  RequestMapping   account   public class AccountController         CrossOrigin  http   domain2 com        RequestMapping    id        public Account retrieve  PathVariable Long id                               RequestMapping method   RequestMethod DELETE  path      id        public void remove  PathVariable Long id

User · Answer

Following on Omar s answer  I created a new class file in my REST API project called WebConfig java with this configuration    Configuration  EnableWebMvc public class WebConfig extends WebMvcConfigurerAdapter       Override   public void addCorsMappings CorsRegistry registry        registry addMapping        allowedOrigins                This allows any origin to access the API and applies it to all controllers in the Spring project

User · Answer

I also had messages like No  Access-Control-Allow-Origin  header is present on the requested resource  Origin  http   localhost 63342  is therefore not allowed access   I had configured cors properly  but what was missing in webflux in RouterFuncion was accept and contenttype headers APPLICATION JSON like in this piece of code    Bean RouterFunction lt ServerResponse gt  routes         return route POST   create                                  and accept APPLICATION JSON                                  and contentType APPLICATION JSON    serverRequest - gt  create serverRequest

User · Answer

Omkar s answer is quite comprehensive   But some part of the Global config part has changed   According to the spring boot 2 0 2 RELEASE reference     As of version 4 2  Spring MVC supports CORS  Using controller method   CORS configuration with  CrossOrigin annotations in your Spring Boot   application does not require any specific configuration  Global CORS   configuration can be defined by registering a WebMvcConfigurer bean   with a customized addCorsMappings CorsRegistry  method  as shown in   the following example     Configuration public class MyConfiguration         Bean     public WebMvcConfigurer corsConfigurer             return new WebMvcConfigurer                  Override             public void addCorsMappings CorsRegistry registry                    registry addMapping   api                                          Most answer in this post using WebMvcConfigurerAdapter  however  The type WebMvcConfigurerAdapter is deprecated     Since Spring 5 you just need to implement the interface   WebMvcConfigurer   public class MvcConfig implements WebMvcConfigurer         This is because Java 8 introduced default methods on interfaces which   cover the functionality of the WebMvcConfigurerAdapter class

User · Answer

If you are using Spring Security ver    4 2 you can use Spring Security s native support instead of including Apache s    Configuration  EnableWebMvc public class WebConfig extends WebMvcConfigurerAdapter         Override     public void addCorsMappings CorsRegistry registry            registry addMapping                   The example above was copied from a Spring blog post in which you also can find information about how to configure CORS on a controller  specific controller methods  etc  Moreover  there is also XML configuration examples as well as Spring Boot integration

User · Answer

For some reason  if still somebody not able to bypass CORS  write the header which browser wants to access your request    Add this bean inside your configuration file    Bean public WebSecurityConfigurerAdapter webSecurity         return new WebSecurityConfigurerAdapter               Override         protected void configure HttpSecurity http  throws Exception               http headers   addHeaderWriter                      new StaticHeadersWriter  Access-Control-Allow-Origin                                 This way we can tell the browser we are allowing cross-origin from all origin  if you want to restrict from specific path then change the     to   http   localhost 3000         Helpfull reference to understand this behaviour https   www concretepage com spring-4 spring-4-rest-cors-integration-using-crossorigin-annotation-xml-filter-example

User · Answer

Helpful tip - if you re using Spring data rest you need a different approach    Component public class SpringDataRestCustomization extends RepositoryRestConfigurerAdapter      Override  public void configureRepositoryRestConfiguration RepositoryRestConfiguration config        config getCorsRegistry   addMapping                     allowedOrigins  http   localhost 9000

User · Answer

public class TrackingSystemApplication       public static void main String   args            SpringApplication run TrackingSystemApplication class  args               Bean     public WebMvcConfigurer corsConfigurer             return new WebMvcConfigurerAdapter                  Override             public void addCorsMappings CorsRegistry registry                    registry addMapping  quot     quot   allowedOrigins  quot http   localhost 4200 quot   allowedMethods  quot PUT quot    quot DELETE quot                            quot GET quot    quot POST quot

User · Answer

I have found the solution in spring boot by using  CrossOrigin annotation    RestController  CrossOrigin public class WebConfig extends WebMvcConfigurerAdapter         Override     public void addCorsMappings CorsRegistry registry            registry addMapping

User · Answer

as  Geoffrey pointed out  with spring security  you need a different approach as described here  Spring Boot Security CORS

User · Answer

We had the same issue and we resolved it using Spring s XML configuration as below    Add this in your context xml file   lt mvc cors gt       lt mvc mapping path               allowed-origins             allowed-headers  Content-Type  Access-Control-Allow-Origin  Access-Control-Allow-Headers  Authorization  X-Requested-With  requestId  Correlation-Id          allowed-methods  GET  PUT  POST  DELETE   gt   lt  mvc cors gt

[spring] Spring CORS No 'Access-Control-Allow-Origin' header is present

Examples related to spring

Examples related to spring-mvc

Examples related to cors