
I have deployed a simple CRUD Spring Boot backend on Heroku.

  • If I deploy the front end to my local environment, rest calls are fine.
  • If I run curl from my local or Heroku frontend bash, rest calls are fine.
  • If I use apitester.com to make rest call to the backend, rest calls are fine, including OPTION
  • If I deploy the front end to Heroku, rest calls give me a status=403 error. Is there anything special that needs to be done when deploying an Angular app on Heroku in order to make rest calls to another Heroku server?

I have tried to disable CSRF as suggested in the accepted answer from How to Solve 403 Error in Spring Boot Post Request. @CrossOrigin is also added to all rest controllers.

Any help is much appreciated

Kun Zou
  • Did you test it with Postman? – Joel Joseph Jan 02 '20 at 07:31
  • @JoelJoseph No but I tested it with apitester.com and curl (locally and Heroku frontend bash) and both worked. I just realized that if I run production from local I also get 403 on the backend. I think it has something to do with my prod configuration. Thanks for your help. – Kun Zou Jan 02 '20 at 15:56

1 Answer


You are having a cross-origin issue. Register a CrossFilter bean and also register the sites with Access-Control-Allow-Origin, or you can check the following link here.

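import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Comma-separated placeholders; no spaces, so split(",") yields exact values.
    public String crossOriginAllowedHeaders = "header1,header2,*";
    public String crossOriginAllowedSites = "site1,site2,*";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Enable Spring Security's CORS support and disable CSRF protection.
        http.cors()
            .and()
            .csrf()
            .disable();

        // ............
        // ........... (remaining configuration elided in the original answer)

        http.headers()
            .frameOptions()
            .sameOrigin()
            .addHeaderWriter((request, response) -> {
                response.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate, private");
                response.setHeader("Pragma", "no-cache");
                // Browsers accept only a single origin or "*" in this header, so a
                // comma-separated list is rejected; the CorsFilter bean below already
                // writes the matching origin for each request.
                response.setHeader("Access-Control-Allow-Origin", this.crossOriginAllowedSites);
            });
    }

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    protected CorsFilter crossFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(false);
        config.setAllowedHeaders(Arrays.asList(crossOriginAllowedHeaders.split(",")));
        config.setAllowedOrigins(Arrays.asList(crossOriginAllowedSites.split(",")));
        //config.addAllowedHeader("*"); // whitelist all headers
        //config.addAllowedOrigin("*"); // whitelist all sites
        config.addAllowedMethod(HttpMethod.OPTIONS);
        config.addAllowedMethod(HttpMethod.GET);
        config.addAllowedMethod(HttpMethod.POST);
        config.addAllowedMethod(HttpMethod.PUT);
        config.addAllowedMethod(HttpMethod.DELETE);
        config.addExposedHeader("Authorization");
        config.setMaxAge(1800L); // preflight cache lifetime in seconds

        source.registerCorsConfiguration("/api/**", config);
        // MANAGEMENT is a path constant that is not shown in the answer.
        source.registerCorsConfiguration(MANAGEMENT, config);
        source.registerCorsConfiguration("/v2/api-docs", config);
        source.registerCorsConfiguration("/**", config);

        return new CorsFilter(source);
    }

}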

I hope this will work.

venkey
  • Thanks for your answer. I just realized that in my UrlBasedCorsConfigurationSource configuration, I set allowed origins to localhost:4200, which overwrites @CrossOrigin annotation on the rest controllers. I removed localhost:4200 and it works now. – Kun Zou Jan 02 '20 at 16:32
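
Added example (not part of the question or the answer above): it runs Spring's DefaultCorsProcessor on constructed requests to show the behaviour described in the last comment, assuming spring-web and spring-test 5.x plus the servlet API on the classpath. The deployed origin, the /api/items path and the http:// scheme on the localhost origin are assumptions. A request with no Origin header, as plain curl sends, is not treated as a CORS request and passes, while an origin missing from the allow-list is rejected with 403.

```java
import java.util.Arrays;

import org.springframework.http.HttpHeaders;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.DefaultCorsProcessor;

// Added illustration; needs spring-web and spring-test on the classpath.
public class CorsOriginCheck {

    // Hypothetical origin standing in for the front end deployed on Heroku.
    static final String DEPLOYED = "https://my-frontend.example.com";
    // Angular dev server origin (scheme assumed).
    static final String LOCAL = "http://localhost:4200";

    // Global policy of the kind registered on a UrlBasedCorsConfigurationSource.
    static CorsConfiguration policy(String... origins) {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(Arrays.asList(origins)); // explicit allow-list, no "*"
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        return config;
    }

    // Runs Spring's CORS check on a constructed GET and returns the resulting HTTP status.
    static int statusFor(CorsConfiguration config, String origin) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/api/items");
        if (origin != null) {
            request.addHeader(HttpHeaders.ORIGIN, origin); // browsers add this; plain curl does not
        }
        MockHttpServletResponse response = new MockHttpServletResponse();
        new DefaultCorsProcessor().processRequest(config, request, response);
        return response.getStatus();
    }

    public static void main(String[] args) throws Exception {
        CorsConfiguration before = policy(LOCAL);           // only the local dev origin allowed
        CorsConfiguration after = policy(LOCAL, DEPLOYED);  // deployed origin listed explicitly
        for (String origin : new String[] {null, LOCAL, DEPLOYED}) {
            System.out.printf("Origin=%-32s before=%d after=%d%n",
                    origin, statusFor(before, origin), statusFor(after, origin));
        }
    }
}
```

Listing the deployed origin explicitly is one alternative to the fix described in the comment; it keeps the allow-list narrow instead of falling back to "*".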