2

Hopefully my final question to get all this working. Using Spring Security OAuth 2.0.8 and Spring-Web MVC 4.2.3 to expose the OAuth endpoints (the majority of the system uses RESTEasy for the REST endpoints, which has its own CORS filter).

I am trying to use the global default CORS support that is now in Web MVC 4.2.x. However, when issuing a test preflight request against the /oauth/token endpoint, I always get a 403 Invalid CORS Request response back. A sample request from Fiddler is below.

OPTIONS http://localhost:8080/myapp/oauth/token HTTP/1.1
User-Agent: Fiddler
Host: localhost:8080
Origin: http://testfakeorigin.overtherainbow.com
Access-Control-Request-Method: POST

Even though this goes through and is determined to be a proper preflight request, it looks like the request fails in DefaultCorsProcessor at line 81 because the CorsConfiguration is null. Even if I explicitly add a CORS registry mapping in my WebMvcConfigurerAdapter (which shouldn't be necessary according to the docs), the config still ends up being null. Where should I look next?

Scott Balmos

2 Answers

0

Before the actual POST, you might automatically be issuing an OPTIONS request. By default, only the method that is specified in your RequestMapping is allowed. Therefore, you will have to explicitly allow the OPTIONS method for the cross origin request.

One way to do that, using the global configuration, is as follows:

@Override
public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/**")
            .allowedMethods("GET", "POST", "OPTIONS")
            .allowedOrigins("http://testfakeorigin.overtherainbow.com");
}

This would enable cross-origin requests for all your mapped requests using the GET, POST, and OPTIONS methods.

Patrick Kostjens
    I did that but for me it didn't work, as you can see here: http://stackoverflow.com/questions/39307591/java-spring-rest-api-cors-not-working-for-delete-requests-via-jquery-with-chrome – mgaido Sep 05 '16 at 08:18
0

You can customize the CORS (Cross-Origin Resource Sharing) of the entire app in your @Configuration class; that way all your controllers will be overridden automatically. Take a look:

@Configuration
@EnableWebSecurity( debug = true )
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
     /* ... configurations */
     @Bean
     public FilterRegistrationBean corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
        config.addAllowedMethod(HttpMethod.POST);
        config.addAllowedMethod(HttpMethod.GET);
        config.addAllowedMethod(HttpMethod.PUT);
        config.addAllowedMethod(HttpMethod.DELETE);
        source.registerCorsConfiguration("/**", config);
        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return bean;
     }
}

Note: you can define the method verbs that will be applied in your config.

Best Regards!

Cassio Seffrin
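The preflight outcome discussed in the question and both answers can be checked offline with Spring's own `CorsConfiguration` checks. This is an added example, not code from the question or the answers. It is a simplified model of the decision (it ignores `Access-Control-Request-Headers`, which the sample request does not send), and the class name `PreflightCheck`, the helper `preflightStatus` and the second origin are assumptions made for illustration. It contrasts a missing configuration, an allow-all-origins configuration and an explicit origin allow-list for the token endpoint.

```java
import java.util.Arrays;

import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;

// Added example (hypothetical class); needs spring-web on the classpath.
public class PreflightCheck {

    // Simplified model of the preflight decision: 403 when no configuration
    // matches the request path (config == null, the case from the question)
    // or when the origin or requested method is not allowed; otherwise 200.
    static int preflightStatus(CorsConfiguration config, String origin, HttpMethod requested) {
        if (config == null) {
            return 403;
        }
        boolean originAllowed = config.checkOrigin(origin) != null;
        boolean methodAllowed = config.checkHttpMethod(requested) != null;
        return (originAllowed && methodAllowed) ? 200 : 403;
    }

    public static void main(String[] args) {
        String testOrigin = "http://testfakeorigin.overtherainbow.com"; // from the question
        String otherOrigin = "http://other.example";                    // constructed sample value

        // Allow-all configuration: any origin may POST.
        CorsConfiguration open = new CorsConfiguration();
        open.addAllowedOrigin(CorsConfiguration.ALL);
        open.addAllowedMethod(HttpMethod.POST);

        // Allow-list configuration: only the named origin may POST.
        CorsConfiguration listed = new CorsConfiguration();
        listed.setAllowedOrigins(Arrays.asList(testOrigin));
        listed.addAllowedMethod(HttpMethod.POST);

        System.out.println("no config,  test origin:  " + preflightStatus(null, testOrigin, HttpMethod.POST));
        System.out.println("allow-all,  other origin: " + preflightStatus(open, otherOrigin, HttpMethod.POST));
        System.out.println("allow-list, test origin:  " + preflightStatus(listed, testOrigin, HttpMethod.POST));
        System.out.println("allow-list, other origin: " + preflightStatus(listed, otherOrigin, HttpMethod.POST));
        System.out.println("allow-list, DELETE:       " + preflightStatus(listed, testOrigin, HttpMethod.DELETE));
    }
}
```

Running the same checks against the configuration actually registered for `/oauth/token` shows whether a 403 comes from a mapping that never matched the path or from an origin or method that the matching configuration rejects.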