CORS with spring-boot and angularjs not working

Question

I am trying to call REST endpoints on one application  spring-boot application  from another  angularjs   The applications are running on the following hosts and ports    REST application  using spring boot  http   localhost 8080 HTML application  using angularjs  http   localhost 50029   I am also using spring-security with the spring-boot application  From the HTML application  I can authenticate to the REST application  but  thereafter  I still cannot access any REST endpoint  For example  I have an angularjs service defined as follows   adminServices factory  AdminService      resource     http    conf   function  resource   http  conf        var s           s isAdminLoggedIn   function data            return  http               method   GET               url   http   localhost 8080 api admin isloggedin               withCredentials  true              headers                     X-Requested-With    XMLHttpRequest                                       s login   function username  password            var u    username     encodeURI username           var p    password     encodeURI password           var r    remember me 1           var data   u     amp     p     amp     r           return  http               method   POST               url   http   localhost 8080 login               data  data              headers    Content-Type    application x-www-form-urlencoded                          return s         The angularjs controller looks like the following   adminControllers controller  LoginController      scope     http    AdminService   function  scope   http  AdminService         scope username            scope password             scope signIn   function             AdminService login  scope username   scope password               success function d s                    if d  success                          console log  ok authenticated  call another REST endpoint                        AdminService isAdminLoggedIn                            success function d s                                console log  i can access a protected REST endpoint after logging in                                                        error function d  s                                 console log  huh  error checking to see if admin is logged in                                 scope reset                                                  else                       console log  bad credentials                                                   error function d  s                    console log  huh  error happened                                   On the call to http   localhost 8080 api admin isloggedin  I get a 401 Unauthorized    On the REST application side  I have a CORS filter that looks like the following    Component  Order Ordered HIGHEST PRECEDENCE  public class CORSFilter implements Filter         Override     public void destroy             Override     public void doFilter ServletRequest req  ServletResponse res  FilterChain chain              throws IOException  ServletException           HttpServletResponse response    HttpServletResponse  res          HttpServletRequest request    HttpServletRequest  req           response setHeader  Access-Control-Allow-Origin    http   localhost 50029            response setHeader  Access-Control-Allow-Methods    POST  PUT  GET  OPTIONS  DELETE            response setHeader  Access-Control-Max-Age    3600            response setHeader  Access-Control-Allow-Headers    X-Requested-With  X-Auth-Token            response setHeader  Access-Control-Allow-Credentials    true             if   OPTIONS  equalsIgnoreCase request getMethod                   chain doFilter req  res                         Override     public void init FilterConfig config  throws ServletException         My spring security configuration looks like the following    Configuration  EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter         Autowired     private RestAuthenticationEntryPoint restAuthenticationEntryPoint        Autowired     private JsonAuthSuccessHandler jsonAuthSuccessHandler        Autowired     private JsonAuthFailureHandler jsonAuthFailureHandler        Autowired     private JsonLogoutSuccessHandler jsonLogoutSuccessHandler        Autowired     private AuthenticationProvider authenticationProvider        Autowired     private UserDetailsService userDetailsService        Autowired     private PersistentTokenRepository persistentTokenRepository        Value    rememberme key        private String rememberMeKey        Override     protected void configure HttpSecurity http  throws Exception           http              csrf   disable                exceptionHandling                authenticationEntryPoint restAuthenticationEntryPoint                   and                authorizeRequests                    antMatchers   api admin      hasRole  ADMIN                    antMatchers        admin     css        js        fonts        api      permitAll                    anyRequest   authenticated                    and                formLogin                    successHandler jsonAuthSuccessHandler                   failureHandler jsonAuthFailureHandler                   permitAll                    and                logout                    deleteCookies  remember-me    JSESSIONID                    logoutSuccessHandler jsonLogoutSuccessHandler                   permitAll                    and                rememberMe                    userDetailsService userDetailsService                   tokenRepository persistentTokenRepository                   rememberMeCookieName  REMEMBER ME                    rememberMeParameter  remember me                    tokenValiditySeconds 1209600                   useSecureCookie false                   key rememberMeKey               Autowired     public void configureGlobal AuthenticationManagerBuilder auth  throws Exception           auth              authenticationProvider authenticationProvider             All the handlers are doing is writing out a JSON response like  success  true  based on if the user logged in  failed to authenticate  or logged out  The RestAuthenticationEntryPoint looks like the following    Component public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint         Override     public void commence HttpServletRequest req  HttpServletResponse resp  AuthenticationException ex              throws IOException  ServletException           resp sendError HttpServletResponse SC UNAUTHORIZED   Unauthorized               Any ideas on what I am missing or doing wrong

User · Answer

In our Spring Boot app  we have set up CorsConfigurationSource like this    Sequence of adding allowedOrigns first and then setting applyPermitDefaultValues   let Spring set up default values for allowed headers  exposed headers  allowed methods  etc  so we don t have to specify those       public CorsConfigurationSource corsConfigurationSource             CorsConfiguration configuration   new CorsConfiguration            configuration setAllowedOrigins Arrays asList  http   localhost 8084             configuration applyPermitDefaultValues             UrlBasedCorsConfigurationSource configurationSource   new UrlBasedCorsConfigurationSource            configurationSource registerCorsConfiguration        configuration           return configurationSource               Override     protected void configure HttpSecurity http  throws Exception            http authorizeRequests                    antMatchers   api                       access   authProvider validateApiKey request                     anyRequest   authenticated                    and   cors                    and   csrf   disable                    httpBasic   authenticationEntryPoint authenticationEntryPoint            http sessionManagement   sessionCreationPolicy SessionCreationPolicy STATELESS

User · Answer

Just Make a single class like  everything will be fine with this             Component          Order Ordered HIGHEST PRECEDENCE          public class MyCorsConfig implements Filter                 Override             public void doFilter ServletRequest req  ServletResponse res  FilterChain chain  throws IOException  ServletException                   final HttpServletResponse response    HttpServletResponse  res                  response setHeader  Access-Control-Allow-Origin                         response setHeader  Access-Control-Allow-Methods    POST  PUT  GET  OPTIONS  DELETE                    response setHeader  Access-Control-Allow-Headers    Authorization  Content-Type  enctype                    response setHeader  Access-Control-Max-Age    3600                    if  HttpMethod OPTIONS name   equalsIgnoreCase   HttpServletRequest  req  getMethod                           response setStatus HttpServletResponse SC OK                     else                       chain doFilter req  res                                                 Override             public void destroy                                 Override             public void init FilterConfig config  throws ServletException

User · Answer

import java io IOException  import javax servlet Filter  import javax servlet FilterChain  import javax servlet FilterConfig  import javax servlet ServletException  import javax servlet ServletRequest  import javax servlet ServletResponse  import javax servlet http HttpServletRequest  import javax servlet http HttpServletResponse  import org slf4j Logger  import org slf4j LoggerFactory  import org springframework stereotype Component    Component public class SimpleCORSFilter implements Filter    private final Logger log   LoggerFactory getLogger SimpleCORSFilter class    public SimpleCORSFilter         log info  SimpleCORSFilter init        Override public void doFilter ServletRequest req  ServletResponse res  FilterChain chain  throws IOException  ServletException        HttpServletRequest request    HttpServletRequest  req      HttpServletResponse response    HttpServletResponse  res       response setHeader  Access-Control-Allow-Origin   request getHeader  Origin         response setHeader  Access-Control-Allow-Credentials    true        response setHeader  Access-Control-Allow-Methods    POST  GET  OPTIONS  DELETE        response setHeader  Access-Control-Max-Age    3600        response setHeader  Access-Control-Allow-Headers    Content-Type  Accept  X-Requested-With  remember-me         chain doFilter req  res       Override public void init FilterConfig filterConfig        Override public void destroy            No need extra define this filter just add this class  Spring will be scan and add it for you  SimpleCORSFilter  Here is the example  spring-enable-cors

User · Answer

For me the only thing that worked 100  when spring security is used was to skip all the additional fluff of extra filters and beans and whatever indirect  magic  people kept suggesting that worked for them but not for me    Instead just force it to write the headers you need with a plain StaticHeadersWriter    Configuration  EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter         Override     protected void configure HttpSecurity http  throws Exception            http                your security config here              authorizeRequests                antMatchers HttpMethod TRACE         denyAll                antMatchers   admin      authenticated                anyRequest   permitAll                and   httpBasic                and   headers   frameOptions   disable                and   csrf   disable                headers                  the headers you want here  This solved all my CORS problems                addHeaderWriter new StaticHeadersWriter  Access-Control-Allow-Origin                      addHeaderWriter new StaticHeadersWriter  Access-Control-Allow-Methods    POST  GET                 addHeaderWriter new StaticHeadersWriter  Access-Control-Max-Age    3600                 addHeaderWriter new StaticHeadersWriter  Access-Control-Allow-Credentials    true                 addHeaderWriter new StaticHeadersWriter  Access-Control-Allow-Headers    Origin Accept X-Requested-With Content-Type Access-Control-Request-Method Access-Control-Request-Headers Authorization               This is the most direct and explicit way I found to do it  Hope it helps someone

User · Answer

If originally your program doesn t use spring security and can t afford for a code change  creating a simple reverse proxy can do the trick  In my case  I used Nginx with the following configuration   http     server       listen 9090      location           if   request method    OPTIONS           add header  Access-Control-Allow-Origin             add header  Access-Control-Allow-Methods   GET  POST  OPTIONS                   Custom headers and headers various browsers  should  be OK with but aren t               add header  Access-Control-Allow-Headers   DNT User-Agent X-Requested-With If-Modified-Since Cache-Control Content-Type Range                   Tell client that this pre-flight info is valid for 20 days               add header  Access-Control-Max-Age  1728000        add header  Content-Type   text plain  charset utf-8         add header  Content-Length  0        return 204                if   request method    POST           add header  Access-Control-Allow-Origin             add header  Access-Control-Allow-Methods   GET  POST  OPTIONS         add header  Access-Control-Allow-Headers   DNT User-Agent X-Requested-With If-Modified-Since Cache-Control Content-Type Range         add header  Access-Control-Expose-Headers   Content-Length Content-Range                 if   request method    GET           add header  Access-Control-Allow-Origin             add header  Access-Control-Allow-Methods   GET  POST  OPTIONS         add header  Access-Control-Allow-Headers   DNT User-Agent X-Requested-With If-Modified-Since Cache-Control Content-Type Range         add header  Access-Control-Expose-Headers   Content-Length Content-Range                  proxy pass http   localhost 8080                My program listens to  8080   REF  CORS on Nginx

User · Answer

check this one    Override protected void configure HttpSecurity httpSecurity  throws Exception                        antMatchers HttpMethod OPTIONS         permitAll

User · Answer

This answer copies the  abosancic answer but adds extra safety to avoid CORS exploit   Tip 1  Do not reflect the incoming Origin as is without checking the list of allowed hosts to access   Tip 2  Allow credentialed request only for whitelisted hosts   import java io IOException  import java util ArrayList  import java util List  import javax servlet Filter  import javax servlet FilterChain  import javax servlet FilterConfig  import javax servlet ServletException  import javax servlet ServletRequest  import javax servlet ServletResponse  import javax servlet http HttpServletRequest  import javax servlet http HttpServletResponse  import org slf4j Logger  import org slf4j LoggerFactory  import org springframework stereotype Component    Component public class SimpleCORSFilter implements Filter        private final Logger log   LoggerFactory getLogger SimpleCORSFilter class        private List lt String gt  allowedOrigins       public SimpleCORSFilter             log info  SimpleCORSFilter init            allowedOrigins   new ArrayList lt  gt             allowedOrigins add  https   mysafeorigin com            allowedOrigins add  https   itrustthissite com                Override     public void doFilter ServletRequest req  ServletResponse res  FilterChain chain  throws IOException  ServletException            HttpServletRequest request    HttpServletRequest  req          HttpServletResponse response    HttpServletResponse  res           String allowedOrigin   getOriginToAllow request getHeader  Origin              if allowedOrigin    null                response setHeader  Access-Control-Allow-Origin   allowedOrigin               response setHeader  Access-Control-Allow-Credentials    true                       response setHeader  Access-Control-Allow-Methods    POST  GET  OPTIONS  DELETE            response setHeader  Access-Control-Max-Age    3600            response setHeader  Access-Control-Allow-Headers    Content-Type  Accept  X-Requested-With  remember-me             chain doFilter req  res               Override     public void init FilterConfig filterConfig                Override     public void destroy                public String getOriginToAllow String incomingOrigin            if allowedOrigins contains incomingOrigin toLowerCase                   return incomingOrigin            else               return null

User · Answer

I had been into the similar situation  After doing research and testing  here is my findings     With Spring Boot  the recommended way to enable global CORS is to declare within Spring MVC and combined with fine-grained  CrossOrigin configuration as    Configuration public class CorsConfig         Bean     public WebMvcConfigurer corsConfigurer             return new WebMvcConfigurerAdapter                  Override             public void addCorsMappings CorsRegistry registry                    registry addMapping        allowedMethods  GET    POST    PUT    DELETE   allowedOrigins                               allowedHeaders                                         Now  since you are using Spring Security  you have to enable CORS at Spring Security level as well to allow it to leverage the configuration defined at Spring MVC level as    EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter         Override     protected void configure HttpSecurity http  throws Exception           http cors   and                Here is very excellent tutorial explaining CORS support in Spring MVC framework

User · Answer

This is what has worked for me in order to disable CORS between Spring boot and React  Configuration public class CorsConfig implements WebMvcConfigurer                   Overriding the CORS configuration to exposed required header for ussd to work                param registry CorsRegistry               Override     public void addCorsMappings CorsRegistry registry            registry addMapping  quot     quot                    allowedOrigins  quot   quot                    allowedMethods  quot   quot                    allowedHeaders  quot   quot                    allowCredentials true                   maxAge 4800            I had to modify the Security configuration also like below           Override         protected void configure HttpSecurity http  throws Exception               http csrf   disable                        cors   configurationSource new CorsConfigurationSource                       Override                 public CorsConfiguration getCorsConfiguration HttpServletRequest request                        CorsConfiguration config   new CorsConfiguration                        config setAllowedHeaders Collections singletonList  quot   quot                         config setAllowedMethods Collections singletonList  quot   quot                         config addAllowedOrigin  quot   quot                        config setAllowCredentials true                       return config                                   and                        antMatcher  quot  api    quot                        authorizeRequests                        anyRequest   authenticated                        and   httpBasic                        and   sessionManagement   sessionCreationPolicy SessionCreationPolicy STATELESS                       and   exceptionHandling   accessDeniedHandler apiAccessDeniedHandler

User · Answer

This is what worked for me    EnableWebSecurity public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter         Override     protected void configure HttpSecurity http  throws Exception            http cors               Configuration public class WebConfiguration implements WebMvcConfigurer         Override     public void addCorsMappings CorsRegistry registry            registry              addMapping                     allowedMethods                   allowedHeaders                   allowedOrigins                   allowCredentials true

User · Answer

Im using spring boot 2 1 0 and what worked for me was to  A  Add cors mappings by    Configuration public class Config implements WebMvcConfigurer        Override     public void addCorsMappings CorsRegistry registry            registry addMapping        allowedOrigins                 B  Add below configuration to my HttpSecurity for spring security   cors   configurationSource new CorsConfigurationSource           Override     public CorsConfiguration getCorsConfiguration HttpServletRequest request            CorsConfiguration config   new CorsConfiguration            config setAllowedHeaders Collections singletonList                config setAllowedMethods Collections singletonList                config addAllowedOrigin               config setAllowCredentials true           return config             Also in case of a Zuul proxy you can use this INSTEAD OF A and B  just use HttpSecurity cors   to enable it in Spring security     Bean public CorsFilter corsFilter         final UrlBasedCorsConfigurationSource source   new UrlBasedCorsConfigurationSource        final CorsConfiguration config   new CorsConfiguration        config setAllowCredentials true       config addAllowedOrigin           config addAllowedHeader           config addAllowedMethod  OPTIONS        config addAllowedMethod  HEAD        config addAllowedMethod  GET        config addAllowedMethod  PUT        config addAllowedMethod  POST        config addAllowedMethod  DELETE        config addAllowedMethod  PATCH        source registerCorsConfiguration        config       return new CorsFilter source

User · Answer

To build on other answers above  in case you have a Spring boot REST service application  not Spring MVC  with Spring security  then enabling CORS via Spring security is enough  if you use Spring MVC then using a WebMvcConfigurer bean as mentioned by Yogen could be the way to go as Spring security will delegate to the CORS definition mentioned therein   So you need to have a security config that does the following    Configuration  EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter     Override protected void configure HttpSecurity http  throws Exception         other http security config     http cors   configurationSource corsConfigurationSource          This can be customized as required CorsConfigurationSource corsConfigurationSource         CorsConfiguration configuration   new CorsConfiguration        List lt String gt  allowOrigins   Arrays asList           configuration setAllowedOrigins allowOrigins       configuration setAllowedMethods singletonList            configuration setAllowedHeaders singletonList              in case authentication is enabled this flag MUST be set  otherwise CORS requests will fail     configuration setAllowCredentials true       UrlBasedCorsConfigurationSource source   new UrlBasedCorsConfigurationSource        source registerCorsConfiguration        configuration       return source         This link has more information on the same  https   docs spring io spring-security site docs current reference htmlsingle  cors   Note     Enabling CORS for all origins     for a prod deployed application may not always be a good idea  CSRF can be enabled via the Spring HttpSecurity customization without any issues In case you have authentication enabled in the app with Spring  via a UserDetailsService for example  then the configuration setAllowCredentials true   must be added   Tested for Spring boot 2 0 0 RELEASE  i e   Spring  5 0 4 RELEASE and Spring security 5 0 3 RELEASE

User · Answer

Step 1  By annotating the controller with  CrossOrigin annotation will allow the CORS configurations    CrossOrigin  RestController public class SampleController                  Step 2  Spring already has a CorsFilter even though You can just register your own CorsFilter as a bean to provide your own configuration as follows    Bean public CorsFilter corsFilter         final UrlBasedCorsConfigurationSource source   new UrlBasedCorsConfigurationSource        final CorsConfiguration config   new CorsConfiguration        config setAllowedOrigins Collections singletonList  http   localhost 3000        Provide list of origins if you want multiple origins     config setAllowedHeaders Arrays asList  Origin    Content-Type    Accept         config setAllowedMethods Arrays asList  GET    POST    PUT    OPTIONS    DELETE    PATCH         config setAllowCredentials true       source registerCorsConfiguration        config       return new CorsFilter source

User · Answer

Extending WebSecurityConfigurerAdapter class and overriding configure   method in your  EnableWebSecurity class would work   Below is sample class   Override protected void configure final HttpSecurity http  throws Exception             http          csrf   disable            exceptionHandling             http headers   cacheControl              Override         public CorsConfiguration getCorsConfiguration final HttpServletRequest request                return new CorsConfiguration   applyPermitDefaultValues

User · Answer

If you want to enable CORS without using filters or without config file just add    CrossOrigin   to the top of your controller and it work

User · Answer

This works for me    Configuration public class MyConfig extends WebSecurityConfigurerAdapter                 Override    protected void configure HttpSecurity http  throws Exception                                  http cors   configurationSource new CorsConfigurationSource               Override         public CorsConfiguration getCorsConfiguration HttpServletRequest request                CorsConfiguration config   new CorsConfiguration                config setAllowedHeaders Collections singletonList                    config setAllowedMethods Collections singletonList                    config addAllowedOrigin                   config setAllowCredentials true               return config

[angularjs] CORS with spring-boot and angularjs not working

Examples related to angularjs

Examples related to rest

Examples related to spring-mvc

Examples related to spring-boot

Examples related to cors