
Hello, I want to make a request to my Spring server. Now I'm getting an error because of a restricted CORS option. So I added a filter, because the annotations don't work:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;

@Component
public class CORSFilter implements Filter {

    public CORSFilter() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // CORS response headers are set unconditionally, for every origin.
        // Note: browsers reject a credentialed response that combines the
        // wildcard origin "*" with Access-Control-Allow-Credentials: true.
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me");

        // The OPTIONS pre-flight is not answered here; it continues down the chain.
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}

Now my problem is that the CORS filter won't work on a Dart request. On a normal browser request the header is set, but not in the Dart HTTP request.

Is there any solution which could fix this problem?

Update 23.09.2016: Here is the HTTP call: http://pastebin.com/9KNfx7Jd The problem is that the filter is not applied to this HTTP call. Only when I access the file via URL in the browser does it work.

Here with ajax:

    Remote Address: 127.0.0.1:8090
    Request URL: http://localhost:8090/time/time/login
    Request Method: OPTIONS
    Status Code: 401 Unauthorized

    Response Headers
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Connection: keep-alive
    Content-Length: 114
    Content-Type: text/html;charset=UTF-8
    Date: Fri, 23 Sep 2016 12:57:55 GMT
    Expires: 0
    Pragma: no-cache
    Server: WildFly/10
    Set-Cookie: JSESSIONID=ZIkzLq-iALC6CDx7r6LhPz_8PiD05Q9ufod6GluZ.ccn6dc2; path=/time
    WWW-Authenticate: Basic realm="Realm"
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Powered-By: Undertow/1
    X-XSS-Protection: 1; mode=block

    Request Headers
    Accept: */*
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: en-US,en;q=0.8
    Access-Control-Request-Headers: content-type
    Access-Control-Request-Method: GET
    Connection: keep-alive
    Host: localhost:8090
    Origin: http://localhost:8080
    Referer: http://localhost:8080/
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.104 (Dart) Safari/537.36

And here without:

    Remote Address: 127.0.0.1:8090
    Request URL: http://localhost:8090/time/time/login
    Request Method: GET
    Status Code: 200 OK

    Response Headers
    Access-Control-Allow-Origin: *
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Connection: keep-alive
    Content-Length: 5
    Content-Type: text/html;charset=ISO-8859-1
    Date: Fri, 23 Sep 2016 13:10:36 GMT
    Expires: 0
    Pragma: no-cache
    Server: WildFly/10
    Set-Cookie: JSESSIONID=nQFjGB2m7ovHVT9VUnhtCJSXZvEZV4WWH0YCrgFk.ccn6dc2; path=/time
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Powered-By: Undertow/1
    X-XSS-Protection: 1; mode=block

    Request Headers
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: en-US,en;q=0.8
    Authorization: Basic c2tvYmxlcjpTMW1vbjUyNzli
    Cache-Control: max-age=0
    Connection: keep-alive
    Cookie: JSESSIONID=oHJ4GvQ8pFNv8HSujI49NRXQxoVSVMM580sSrvJW.ccn6dc2
    Host: localhost:8090
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.104 (Dart) Safari/537.36

Edit 26.09.2016:

Okay I changed now my SecurityConfig to this:

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        super.configure(http);
        http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
        http.authorizeRequests().antMatchers(HttpMethod.OPTIONS).permitAll();
        http.authorizeRequests().antMatchers("/**").authenticated();
    }

Now the filter is being called, but I get a new error: Response for preflight has invalid HTTP status code 401

Headers:

    Access-Control-Allow-Origin: *
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Connection: keep-alive
    Content-Length: 114
    Content-Type: text/html;charset=UTF-8
    Date: Mon, 26 Sep 2016 12:30:39 GMT

SepDev
  • What do you mean by a "dart request" ? You mean that in a request fired from dart code, the headers are not present in the response to the request? – Gimby Sep 22 '16 at 12:27
  • Yes that's what I mean – SepDev Sep 22 '16 at 12:27
  • It's not really possible to see what might be wrong if there is no information presented here. Some code of your Dart application and a dump of an example HTTP request that is failing would be a start. – Gimby Sep 22 '16 at 13:22
  • [link](http://pastebin.com/9KNfx7Jd) here is the link to the HTTP call function – SepDev Sep 22 '16 at 13:26

2 Answers


It looks like your filter is not applied for OPTIONS requests.
A comment to this blog post indicates that OPTIONS requests need to be enabled explicitly:

https://spring.io/blog/2015/06/08/cors-support-in-spring-framework

One "gotcha" that I found when working with CORS with Spring MVC (when using a Filter or HandlerInterceptor) and Spring Security is that you need to explicitly permit all OPTIONS requests to properly handle the pre-flight. The W3C specification for CORS says that pre-flight requests should not send credentials, however I have found that some browsers do send the credentials, and others don't. So if you don't permitAll OPTIONS you get a 403 if the browser is not sending the credentials.

Will pre-flights requests be something that will need to be specifically configured when using Spring Security or will the pre-flight be handled before the filter chain?

See also

Günter Zöchbauer
  • Alright, I did the following in the SecurityConfig class: `http.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll();` but it didn't fix the error `XMLHttpRequest cannot load http://localhost:8090/time/time/jsontime. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. The response had HTTP status code 401.` – SepDev Sep 26 '16 at 07:28
  • And this fixed your issue? – Günter Zöchbauer Sep 26 '16 at 07:28
  • sorry, had problems with the new line ^^. Nope it didn't :(. I edited the comment above. – SepDev Sep 26 '16 at 07:31
  • I don't know much about Spring, but I'm sure this needs to be fixed on the server not on the Dart side (I stumbled upon your question because of the Dart tag). – Günter Zöchbauer Sep 26 '16 at 07:33
  • So when I disable the security it works fine. But I have to use the security because of the user credentials. Maybe there is another workaround that could fix this problem. – SepDev Sep 26 '16 at 07:34
  • Yes, it is not called within a Dart request. In a normal request by the browser it is called. – SepDev Sep 26 '16 at 07:38
  • If you load the URL directly from the browser URL bar, then it's not a CORS situation. CORS is when the page is loaded from a different URL (different server or different port) than the request you make from your code. This means that no `OPTIONS` preflight request is made at all when you insert the URL to the browsers URL bar and a `GET` is made instead. You need to configure your server to properly respond to `OPTIONS` requests. – Günter Zöchbauer Sep 26 '16 at 07:40
  • So I did the following: I changed the RequestMapping to method = OPTIONS but still same error (401) – SepDev Sep 26 '16 at 07:45
  • Can you exclude `OPTIONS` requests from security? For an `OPTIONS` request there should only be an empty response with the CORS headers set, and it is therefore not security relevant – Günter Zöchbauer Sep 26 '16 at 07:48
  • I did this already: `http.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll();` – SepDev Sep 26 '16 at 07:50
  • You can try http://stackoverflow.com/questions/14481850/how-to-send-a-http-options-request-from-the-command-line/14489636 to see if you can reproduce outside Dart. – Günter Zöchbauer Sep 26 '16 at 07:51
  • So what I did: I used the extension **postman**, which outputs the following: ` Error Access is denied `. So that means, I think, that the security doesn't work well. – SepDev Sep 26 '16 at 08:47

OK, I worked around it by disabling web security for Chromium. Thanks to all of you for helping me :)

SepDev