I'm trying to configure CORS on my Spring boot application. I added the CrossOrigin annotation to my controller class.
@CrossOrigin
@RestController
@RequestMapping("api/user")
public class UserApiController {
...
}
When I run this on my local machine I get these response headers for a OPTIONS request:
Access-Control-Allow-Credentials →true
Access-Control-Allow-Methods →GET
Access-Control-Allow-Origin →http://www.test.be
Access-Control-Max-Age →1800
Allow →GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Content-Length →0
Date →Wed, 28 Mar 2018 09:13:33 GMT
Expires →0
Pragma →no-cache
Vary →Origin
X-Content-Type-Options →nosniff
X-Frame-Options →DENY
X-XSS-Protection →1; mode=block
I deployed this application on a Tomcat server, behind an Apache2 server running on Linux. When I do the same request there, I get this:
Allow →GET,HEAD
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Connection →Keep-Alive
Date →Wed, 28 Mar 2018 09:42:42 GMT
Expires →0
Keep-Alive →timeout=5, max=100
Pragma →no-cache
Server →Apache/2.4.18 (Ubuntu)
Transfer-Encoding →chunked
X-Content-Type-Options →nosniff
X-Frame-Options →DENY
X-XSS-Protection →1; mode=block
This is how I configured Apache2 to proxy Tomcat
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
#
ProxyRequests Off
ProxyPreserveHost On
#
#
ProxyPass /app http://localhost:8080/my_app
ProxyPassReverse /app http://localhost:8080/my_app
Both requests returned a 200 OK status code, but on the server version I don't get the Access-Control-Allow headers. And I see only GET,HEAD in the Allow header. Why doesn't Apache2 allow OPTIONS? How do I fix this?
