0

I would like to add custom headers to the OAuth2 token response for my Spring application. Specifically, it involves CORS headers, i.e. Access-Control-Allow-Origin... I have managed to add them to 401 responses but have had no luck with 200 ones.

I have looked everywhere and debugged the project with no result. I have tried adding those headers through an interceptor, but the response still does not contain them. Any ideas?

I'm using Spring Security with annotation configuration.

I have asked a similar question here: Allow OPTIONS HTTP Method for oauth/token request, where you can check my Spring configuration.

Wojtek Wysocki

2 Answers

3

Use this CORS filter (or maybe it works if you add the last lines of my version to your version) and you don't have the problem you mention in your other linked post!

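import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // ordered ahead of all other filters
public class SimpleCorsFilter implements Filter {

    public SimpleCorsFilter() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        HttpServletRequest request = (HttpServletRequest) req;
        // CORS headers are set on every response; "*" lets any origin read it
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            // Answer OPTIONS here with 200 instead of passing it down the chain
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

}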
Michael K.
  • I've ended up using an Apache proxy for my server and HTML so I did not have to deal with those issues anymore. IMO this is the best option as problems with CORS were just piling up. Also, security-wise it's better to only have one port to deal with. – Wojtek Wysocki Jun 23 '15 at 11:13
1

It turned out I was using the wrong method in my interceptor.

For anyone interested, my working code is as follows:

return new AuthorizationServerConfigurer() {
    ...
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        ...
        // Interceptor registered on the authorization server endpoints
        endpoints.addInterceptor(new HandlerInterceptorAdapter() {

            @Override
            public boolean preHandle(HttpServletRequest hsr, HttpServletResponse rs, Object o) throws Exception {
                // preHandle runs before the handler, so the headers are set before the body is written
                rs.setHeader("Access-Control-Allow-Origin", "*");
                rs.setHeader("Access-Control-Allow-Methods", "GET");
                rs.setHeader("Access-Control-Max-Age", "3600");
                rs.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");
                return true;
            }
        });
    }
};
}
Wojtek Wysocki