2

I am having a hard-time to get Global CORS configuration using Java config to work. I'm not sure if it is a known issue because other people also have the same problem: Spring Global CORS configuration not working but Controller level config does

Anyway, let me elaborate further what I am trying to do:

I'm using Spring 4.2.3.RELEASE (no spring boot). I am trying to configure Global CORS configuration using Java config so that I can inject the CORS domain (allowed-Origin) using @Value from the property file. Because to my knowledge, I cannot inject the value in mvc xml namespace for the allowed-origin as illustrated bellow (please let me know if you know any other approach to this problem):

<mvc:cors>
        <mvc:mapping path="/**" allowed-origins="${vrm.cors.domain}"
                     allowed-methods="*"
                     allowed-headers="*"
                     allow-credentials="false" max-age="3600"/>
</mvc:cors>

From Spring reference document here, I am trying to configure Global CORS using java config to solve the problem. However, I cannot get CORS to work. The codes does call during application startup but call from the clients always return

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access

@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
    @Value("${vrm.cors.domain}")
    //vrm.cors.domain=/**
    private String corsDomain;

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**").
        .allowedOrigins(vrm.cors.domain);
    }
}
Community
  • 1
  • 1
Dane Savot
  • 162
  • 1
  • 9

1 Answers1

0

According to this answer https://stackoverflow.com/a/33823253

You can enable cors like this:

@EnableWebSecurity
@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {

  private final AppProperties appProperties;

  @Autowired
  public SecurityConfig(AppProperties appProperties) {
    this.appProperties = appProperties;
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
        .addFilterBefore(corsFilter(), SessionManagementFilter.class) //adds your custom CorsFilter
        .authorizeRequests()
        .antMatchers("/**")
        .permitAll()
        .and()
        .csrf()
        .disable();
  }

  private CorsFilter corsFilter() {
    return new CorsFilterAdapter(
        appProperties.getClientUrls(),
        appProperties.getHeaders(),
        appProperties.getMethods())
        .corsFilter();
  }
}

Where CrosFilterAdapter is something like this:

public class CorsFilterAdapter {

  private final String[] clientUrls;
  private final String[] headers;
  private final String[] methods;

  public CorsFilterAdapter(String clientUrls, String headers, String methods) {
    this.clientUrls = clientUrls.split(",");
    this.headers = headers.split(",");
    this.methods = methods.split(",");
  }

  public CorsFilter corsFilter() {
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(false);
    for (String clientUrl : clientUrls) {
      config.addAllowedOrigin(clientUrl);
    }
    for (String header: headers) {
      config.addAllowedHeader(header);
    }
    for (String method : methods) {
      config.addAllowedMethod(method);
    }
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", config);
    return new CorsFilter(source);
  }
}
Alex Po
  • 1,837
  • 1
  • 24
  • 28