I am using Spring Boot version 2.0.8.RELEASE and the spring-boot-starter-security module. I am trying to protect my Swagger endpoints with basic authentication and so far everything is going well. However, requests from JavaScript in my code have started failing with the following error:

    Access to XMLHttpRequest at 'http://my-service.com.com/search/api/getQuery' from origin 'http://myui.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I have the following configuration class defined:

    @Configuration
    @EnableWebMvc
    public class WebConfig implements WebMvcConfigurer {

        @Override
        public void addCorsMappings(CorsRegistry registry) {
            // See https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#mvc-cors-global-java for configuring CORS
            registry.addMapping("/**").allowedOrigins("*").allowedMethods("*").allowedHeaders("*");
        }

    }

I have the @CrossOrigin annotation on my API class, and I have the following class to configure my security:

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        protected void configure(HttpSecurity http) throws Exception {
            http.cors()
                .and()
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/v2").authenticated()
                    .antMatchers("/swagger-resources").authenticated()
                    .antMatchers("/swagger-ui.html").authenticated()
                    .and()
                .httpBasic()
                    .and()
                .authorizeRequests()
                    .antMatchers("/**").permitAll()
                    .and();
        }

    }

I tried creating a CorsConfiguration in the security class and removing the @CrossOrigin annotation, but that didn't work either. Any idea what I need to do in order to get CORS working correctly on Spring Boot 2.0.8.RELEASE?

Thanks, Damien

Damien
  • Your frontend JavaScript code is triggering your browser to send a CORS preflight OPTIONS request, and the server’s responding with a 3xx redirect. It needs to respond with a 2xx success message instead. – sideshowbarker Feb 23 '19 at 01:42
  • @sideshowbarker I don't think this question is a duplicate. I am following the docs as per the Spring site and I am getting this error. I don't want to hack a solution together, as that would end up causing more bother down the road – Damien Feb 23 '19 at 10:12
  • The error message cited in the question indicates the server you’re sending the request to is responding to the OPTIONS request with a 3xx redirect instead of a 200 OK. That’s exactly the problem described in the question this was marked as duplicating. For anybody else here to be able to help you, you’d need to update the question with, e.g., details about what URL the server is trying to redirect the request to. Basically what’s already described in the other question this duplicates. The question here as currently written doesn’t demonstrate awareness of that redirect being the problem. – sideshowbarker Feb 23 '19 at 11:45
  • @sideshowbarker This question is specifically about Spring Boot setup and config. Your answer was for ASP.NET. This is a relevant question to be open on its own – Damien Feb 25 '19 at 09:46
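
To see what the comments above describe (whether the preflight gets a 3xx and where it points), the following is an added example, not part of the original thread or of Spring: it sends one OPTIONS preflight without following redirects and applies a simplified version of the browser's checks. The names `evaluate_preflight` and `probe_preflight`, the sample responses and the `service.example` host are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

# Constructed sample responses (status, headers); not captured from the poster's service.
REDIRECTED = (302, {"Location": "https://service.example/search/api/getQuery"})
ALLOWED = (200, {"Access-Control-Allow-Origin": "http://myui.com",
                 "Access-Control-Allow-Methods": "GET, POST",
                 "Access-Control-Allow-Headers": "content-type"})


def _tokens(value):
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def evaluate_preflight(status, headers, origin, method, request_headers=()):
    """Simplified browser preflight check (no credentials); returns (ok, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        # The failure in the question: a preflight redirect is never followed.
        return False, "redirect to " + h.get("location", "<no Location header>")
    if not 200 <= status < 300:
        return False, "status %d is not 2xx" % status
    if h.get("access-control-allow-origin") not in ("*", origin):
        return False, "Access-Control-Allow-Origin does not match " + origin
    methods = _tokens(h.get("access-control-allow-methods", ""))
    if method.upper() not in SAFELISTED_METHODS and not {method.lower(), "*"} & methods:
        return False, "method %s not allowed" % method
    allowed = _tokens(h.get("access-control-allow-headers", ""))
    for name in (n.lower() for n in request_headers):
        # Per the Fetch standard, "*" never covers Authorization.
        if name not in allowed and ("*" not in allowed or name == "authorization"):
            return False, "header %s not allowed" % name
    return True, "preflight passes"


def probe_preflight(url, origin, method, request_headers=()):
    """Send one OPTIONS preflight to url; http.client does not follow redirects."""
    u = urlsplit(url)
    tls = u.scheme == "https"
    conn = (http.client.HTTPSConnection if tls else http.client.HTTPConnection)(u.netloc, timeout=10)
    sent = {"Origin": origin, "Access-Control-Request-Method": method}
    if request_headers:
        sent["Access-Control-Request-Headers"] = ", ".join(request_headers)
    try:
        conn.request("OPTIONS", (u.path or "/") + ("?" + u.query if u.query else ""), headers=sent)
        resp = conn.getresponse()
        return evaluate_preflight(resp.status, dict(resp.getheaders()), origin, method, request_headers)
    finally:
        conn.close()
```

Calling `probe_preflight` with the API URL and the UI's origin returns the redirect target when the server answers with a 3xx, which is the detail the comments ask for.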

1 Answer

In my experience the Spring Annotations never successfully resolve the CORS issue. The solution that I have preferred is routing both servers (in my case Node and Tomcat) through a virtual host.

In my Apache httpd-vhosts config file, I have the following setup.

    ProxyRequests Off
    ProxyPreserveHost Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Location /FrontEndServer>
        ProxyPass        http://localhost:8080/FrontEndServer connectiontimeout=333 timeout=999
        ProxyPassReverse http://localhost:8080/FrontEndServer
    </Location>

    <Location />
        ProxyPass        http://localhost:3000/ connectiontimeout=333 timeout=999
        ProxyPassReverse http://localhost:3000/
    </Location>

In this setup, my two servers are running on different ports, but Apache is rerouting them so that they can share my localhost and be differentiated simply by "/" or "/FrontEndServer".

Obviously this is specific to Apache, and that may not be the setup you are using. You should however be able to use these principles to find a solution for your specific situation. Hope this helps.

IRTrapGod
  • Yes, this would work, but unfortunately I am deploying to Pivotal Cloud Foundry and we do not have this sort of setup available to us where we can configure a web server, as we want to keep deployments as simple as possible – Damien Feb 22 '19 at 22:21