8

I want to allow cross origin requests for one domain. My project uses Spring so I want to take advantage of the new CORS support.

I am using version 4.2.0 for all springframework dependencies.

I followed the example here https://spring.io/blog/2015/06/08/cors-support-in-spring-framework#disqus_thread and tried the first version. My controller annotations look like:

```java
@CrossOrigin(origins = "http://fiddle.jshell.net/", maxAge = 3600)
@Controller
@RequestMapping("/rest")
public class MyController {
    // handler methods omitted
}
```

If I understood correctly the mvc-config is an alternative method. I tried it as well:

```xml
<mvc:cors>
    <mvc:mapping path="/**"
        allowed-origins="http://fiddle.jshell.net/, http://domain2.com"
        allowed-methods="GET, PUT"
        allowed-headers="header1, header2, header3"
        exposed-headers="header1, header2" allow-credentials="false"
        max-age="123" />
</mvc:cors>
```

With either method, the response doesn't seem to contain anything like Access-Control-Allow-Origin, nor can I get a result back through a simple query from jsfiddle.

The header info from Chrome developer tools, when run and accessed from localhost, is below. In this case the request is from the same domain and not through JavaScript, but I thought the CORS annotation would add the access control parameters anyway?

Response Headers:

```
Content-Length:174869
Content-Type:text/html;charset=UTF-8
Date:Fri, 21 Aug 2015 12:21:09 GMT
Server:Apache-Coyote/1.1
```

Request Header:

```
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8,ro;q=0.6,de;q=0.4,fr;q=0.2
Cache-Control:no-cache
Connection:keep-alive
Cookie:JSESSIONID=831EBC138D2B7E176DF4945ADA05CAC1;_ga=GA1.1.1046500342.1404228238; undefined=0
Host:localhost:8080
Pragma:no-cache
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
```

I do not use spring boot and I presume I missed a configuration step.

ilinca
  • I also tried to use `@RestController` instead of `@Controller` but it didn't seem to make any difference to the headers. – ilinca Aug 21 '15 at 12:52
  • have you tried from another domain? If the request is not cross origin, then I don't see why the server should add CORS headers in the response – Brian Clozel Aug 21 '15 at 14:26
  • Have you been able to solve it somehow? I am having the same problem. – Serg Derbst Dec 01 '15 at 11:17
  • @SergDerbst I didn't get around using Spring CORS annotations. I used a Spring web filter (web.xml) instead and extended `org.springframework.web.filter.OncePerRequestFilter` for it. It worked at first try. – ilinca Dec 01 '15 at 12:07
  • 1
    Ok, thank you. I don't seem to get it to work either. I'll give it a shot again later this week, so if I am successful then, I'll let you know. – Serg Derbst Dec 01 '15 at 14:53
  • The best answer I found related to your question: http://stackoverflow.com/a/31748398/582789 , with a suggestion to use http://software.dzhuvinov.com/cors-filter.html – Alfonso Nishikawa Jun 14 '16 at 15:11

2 Answers

3

I've reproduced this problem for myself. The problem happens when I don't have the @EnableWebMvc annotation in my @Configuration-annotated class. I've reported this problem as a bug in the Spring Jira, with the details behind it: https://jira.spring.io/browse/SPR-13857

I see the fix either in code or in documentation. A documentation fix would be to state in the @CrossOrigin class javadoc that @EnableWebMvc is required, but I'd prefer the fix in code so that the CORS annotation works without @EnableWebMvc.

Aleksey Korolev
0

Could you try with "http://fiddle.jshell.net" instead of "http://fiddle.jshell.net/"?

Sébastien Deleuze
  • I just tried it & still don't see the CORS stuff in the header. Just for the record, I tested both from jsfiddle and plain from the browser. – ilinca Aug 24 '15 at 10:05
  • Could you please provide a simple project that reproduces this issue, and I will have a look. – Sébastien Deleuze Aug 24 '15 at 13:13
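
The servlet-filter approach mentioned in the comments, written out as an added example (not code from any poster on this page or from Spring). It shows the two points raised above: CORS headers are only emitted for requests that carry an `Origin` header, and a browser's `Origin` value is `scheme://host[:port]` with no trailing slash, so the allow-list entry must not have one. The class name `AllowListCorsFilter` is hypothetical; the origin, methods and max-age are taken from the question.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class name; register it in web.xml like any servlet filter.
public class AllowListCorsFilter extends OncePerRequestFilter {

    // Exact-match allow-list. No trailing slash: "http://fiddle.jshell.net/"
    // would never equal the Origin header a browser sends.
    private static final Set<String> ALLOWED_ORIGINS =
            new HashSet<String>(Arrays.asList("http://fiddle.jshell.net"));

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        String origin = request.getHeader("Origin");
        boolean preflight = "OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;

        // The response depends on Origin, so caches must key on it.
        response.addHeader("Vary", "Origin");

        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            // Echo the single allow-listed origin, never "*".
            response.setHeader("Access-Control-Allow-Origin", origin);
            if (preflight) {
                // No Access-Control-Allow-Headers: custom request headers are not permitted.
                response.setHeader("Access-Control-Allow-Methods", "GET, PUT");
                response.setHeader("Access-Control-Max-Age", "3600");
                response.setStatus(HttpServletResponse.SC_OK);
                return; // preflight is answered here, the controller is not invoked
            }
        } else if (origin != null && preflight) {
            // Preflight from an origin that is not on the allow-list.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // No Origin header (e.g. a plain navigation from localhost), or an actual
        // request: continue the chain; Access-Control-* is set only for allowed origins.
        chain.doFilter(request, response);
    }
}
```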