3

I am running a jHipster instance with oAuth authentication and CORS enabled on the server. I've added the following bean:

@Bean
public CorsFilter corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true);
    config.addAllowedOrigin("*");
    config.addAllowedHeader("*");
    config.setAllowedMethods(Arrays.asList(new String[]{"GET", "PUT", "POST", "DELETE", "OPTIONS"}));
    source.registerCorsConfiguration("/api/**", config);
    source.registerCorsConfiguration("/v2/api-docs", config);
    source.registerCorsConfiguration("/oauth/**", config);
    return new CorsFilter(source);
}

and added .antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll() to ResourceServerConfiguration configuration.

When I attempt to authenticate a user (using jHipster running on a server) from an app running locally on a browser, I get: Request Method:OPTIONS - Status Code:401 Unauthorized

It seems CORS is not configured properly to handle pre-flight authentication POST requests.

I've tried to implement some solutions proposed at Spring Data Rest and Cors and Spring Data Rest and Cors to no avail.

Is there something specific that can be done in jHipster to enable authentication to work from a browser or app (not running on the jhipster server)?

jvence
  • What version of JHipster are you using? If it's a recent version, you can enable CORS by simply uncommenting the "cors" section in application.yml. – Matt Raible Feb 24 '16 at 23:21
  • @MattRaible Hi Matt, thanks for looking into this (BTW I'm a big fan of your work and the volkswagen of course). In any case, I am using jHipster 2.23.0. CORS is already enabled but there is some issue with the preflight authentication POST as described above. My own services work fine with CORS. – jvence Feb 25 '16 at 07:13
  • I'm a big fan of my VW too! I can't wait until it's finished. ;) Have you tried adding these extra lines to the CsrfCookieGeneratorFilter? http://jhipster.github.io/tips/006_tips_enable_cross_origin_requests.html – Matt Raible Feb 26 '16 at 13:45
  • @jvence hi, any luck with this? I am running into the same issue.. – i_raqz Mar 21 '16 at 21:36
  • @i_raqz Sorry no luck. Just waiting for jHipster 3.0 to come out and will see if it still exists – jvence Mar 22 '16 at 16:21
  • @jvence I just raised an issue on jhipster's repo. https://github.com/jhipster/generator-jhipster/issues/3237 Hopefully it gets fixed soon. I need to go prod using this :( Is there any alternate or a workaround? – i_raqz Mar 22 '16 at 18:13
  • @i_raqz Did you end up solving this issue? Having a similar issue with jHipster 3.0 (using the executable generated war file) – jvence Apr 01 '16 at 05:53

1 Answer

5

I uncommented lines of CORS

cors: #By default CORS are not enabled. Uncomment to enable.
    allowed-origins: "*"
    allowed-methods: GET, PUT, POST, DELETE, OPTIONS
    allowed-headers: "*"
    exposed-headers:
    allow-credentials: true
    max-age: 1800

Added in SecurityConfiguration

.antMatchers(HttpMethod.OPTIONS, "/**")

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
        // added line: OPTIONS (preflight) requests bypass the Spring Security filter chain
        .antMatchers(HttpMethod.OPTIONS, "/**")
        .antMatchers("/scripts/**/*.{js,html}")
        .antMatchers("/bower_components/**")
        .antMatchers("/i18n/**")
        .antMatchers("/assets/**")
        .antMatchers("/swagger-ui/index.html")
        .antMatchers("/api/register")
        .antMatchers("/api/activate")
        .antMatchers("/api/login/**")
        .antMatchers("/api/account/reset_password/init")
        .antMatchers("/api/account/reset_password/finish")
        .antMatchers("/test/**");
}

And it has been working so far.

i_raqz
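A stricter variant of the CorsFilter bean from the question, as an added example that is not part of the original posts or of JHipster's generated code: it replaces the "*" origin and header wildcards with explicit allow-lists while keeping the same paths and methods. The class name, the two origins and the header names are placeholder assumptions.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class RestrictedCorsConfiguration {

    // Assumption: placeholder origins; list only the front ends that really call this API.
    private static final String[] TRUSTED_ORIGINS = {
        "http://localhost:9000",
        "https://app.example.com"
    };

    static CorsConfiguration restrictedCors() {
        CorsConfiguration config = new CorsConfiguration();
        // With allowCredentials(true), a "*" origin is either echoed back as the caller's
        // own Origin (Spring before 5.3) or rejected outright (5.3+), so name the origins.
        config.setAllowedOrigins(Arrays.asList(TRUSTED_ORIGINS));
        config.setAllowCredentials(true);
        config.setAllowedMethods(Arrays.asList("GET", "PUT", "POST", "DELETE", "OPTIONS"));
        // Assumption: the request headers this client sends; extend if yours sends more.
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "Accept"));
        config.setMaxAge(1800L);
        return config;
    }

    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = restrictedCors();
        source.registerCorsConfiguration("/api/**", config);
        source.registerCorsConfiguration("/v2/api-docs", config);
        source.registerCorsConfiguration("/oauth/**", config);
        return new CorsFilter(source);
    }

    // Check without starting the server: checkOrigin returns the value to send in
    // Access-Control-Allow-Origin, or null when the origin is not allowed.
    public static void main(String[] args) {
        CorsConfiguration config = restrictedCors();
        System.out.println(config.checkOrigin("http://localhost:9000"));     // origin on the list
        System.out.println(config.checkOrigin("https://other.example.net")); // origin not on the list
    }
}
```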