Response for preflight has invalid HTTP status code 401 - Spring

Question

everyone. I'm new to Angular 2 and Spring Framework. I'm trying a simple get request with an authorization header (basic auth).

I'm using Spring Boot (1.2.6.RELEASE), which can also be relevant. My CORS configuration looks like this.

@Component
public class SimpleCorsFilter implements Filter {

private final Logger log = LoggerFactory.getLogger(SimpleCorsFilter.class);

public SimpleCorsFilter() {
    log.info("SimpleCORSFilter init");
}

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
    response.setHeader("Access-Control-Allow-Credentials", "true");
    response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me, authorization, x-auth-token");

    chain.doFilter(req, res);
}

@Override
public void init(FilterConfig filterConfig) {
}

@Override
public void destroy() {
}

}

And here's what it looks like from the client side

    this.headers.append('Authorization', 'Basic dXNlcjphZG1pbg==');
    return this.http
            .get(`http://localhost:8080/api/login?username=${username}`, {headers : this.headers} )
            .map(response => response.json().data as any);
}

I keep getting:

XMLHttpRequest cannot load http://localhost:8080/api/login?username=user. Response for preflight has invalid HTTP status code 401

Please help, i don't know what i'm missing... I checked around a lot of posts already but couldn't get there...

HTTP 401 means your request can't be fulfilled because of missing authorization, check if is working — Bond - Java Bond, Nov 02 '16 at 05:11
Can you remove the response.setHeader("Access-Control-Allow-Credentials", "true"); and try out ? — Tharsan Sivakumar, Nov 02 '16 at 10:12
related: https://stackoverflow.com/questions/30632200/standalone-spring-oauth2-jwt-authorization-server-cors — jaco0646, Jun 14 '18 at 16:50

score 10 · Answer 1 · answered Mar 15 '18 at 05:12

10

This could be very late but this could solve some ones problem, after long hours i found the answer

public class SecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    public void configure( WebSecurity web ) throws Exception
    {
        web.ignoring().antMatchers( HttpMethod.OPTIONS, "/**" );
    }
}

Refer https://stackoverflow.com/a/45830981/3724760

answered Mar 15 '18 at 05:12

kvk95

130
2
9

This needs to be the top answer - got here after hours and hours of crawling through the Spring docs, github and SO – DonieM Mar 22 '18 at 12:05
I have spent a few hours until I finally found this answer. – deniswsrosa Sep 18 '18 at 18:37

score 8 · Accepted Answer · answered Nov 02 '16 at 07:30

8

avoid filtering and set status 200 when http method is OPTIONS

if("OPTIONS".equalsIgnoreCase(request.getMethod())) {
    response.setStatus(HttpServletResponse.SC_OK);
} else {
    chain.doFilter(req, res);
}

answered Nov 02 '16 at 07:30

Eswar

4,923
1
12
17

Thanks @Eswar , I'm not getting the error anymore. However, is ignoring the OPTIONS request a good implementation? I'm asking because i really don't know. – Manuel Zamith Nov 02 '16 at 11:44
we can validate request headers and send status code without filter. browser is making preflight request whenever we send Authorization in header, so we are just validating origin and throwing error status code. ignoring OPTIONS will not affect other http methods as we are filtering, but I am unsure that its good implementation or not. – Eswar Nov 02 '16 at 12:12

Yogen Rai · Answer 3 · 2017-09-24T01:21:16.343

If there is anyone getting into the similar situation working around with Spring Boot, Spring Security and clients like angular 2/4, I've posted the findings here.

For those who are looking for a short answer, you have to configure two things:

With Spring Boot, the recommended way to enable global CORS is to declare within Spring MVC and combined with fine-grained @CrossOrigin configuration as:

@Configuration
public class CorsConfig {

    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurerAdapter() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/**").allowedMethods("GET", "POST", "PUT", "DELETE").allowedOrigins("*")
                        .allowedHeaders("*");
            }
        };
    }
}

Then, while working with Spring Security, you have to enable CORS at Spring Security level as well to allow it to leverage the configuration defined at Spring MVC level as:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and()...
    }
}

Cheers!!!

While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/low-quality-posts/17426158) — khelwood, Sep 23 '17 at 23:21
@khelwood updated the answer, but why down voting?? is this something like judging a book by the cover? if i hadn't had updated the answer, i would have appreciated. — Yogen Rai, Sep 24 '17 at 01:23

Response for preflight has invalid HTTP status code 401 - Spring

3 Answers3

Linked