Spring security, OAUTH Cors, OPTIONS

Question

I have a spring boot application, with Oauth authentication and a resource server as well in one single application. I have my frontend on a separate server, from a separate location. My frontend application doesn't seem to proceed the preflight operation to the backend, which always responds with 401. My configuration looks as the follows:

// ... annotations
public class OAuthConfig extends WebSecurityConfigurerAdapter {

    // ... authencication providers

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/", "/*.html", "layout/**", "/js/**", "/css/**", "/images/**", "/font/**",
                    "/signup", "/register",
                    "/oauth/**")
            .permitAll()
            .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/oauth/**").permitAll()
            ;

        // @formatter:on
    }

    // ... beans
}

Note that I had to add exceptions for the static content as well, since it doesn't seemd to work other way, despite any documentations.

// ... annotations
public class MvcConfig extends WebMvcConfigurerAdapter {

// ... resource resolver, view resolver

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**");
    }

}

I have tried to specify more explicitly, but nothing succeeded as well:

@Override
public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/api/**").allowedMethods("GET","POST","OPTIONS","DELETE","UPDATE");
    registry.addMapping("/register");
    registry.addMapping("/signup");
    registry.addMapping("/oauth/**").allowedMethods("GET","POST","OPTIONS");
}

//... annotations
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // ... resource id config

    @Override
    public void configure(HttpSecurity http) throws Exception {
        //@formatter:off
        http
        .anonymous().disable()
            .requestMatchers()
            .antMatchers("/api/**")
        .and()
            .authorizeRequests()
            .antMatchers("/api/**").authenticated()
        .and()
            .exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
        //@formatter:on
    }

}

At this point I can't figure out if I have missed anything important to configure, to achieve CORS over the authentication endpoint (as well as the other parts of API endpoints)

check out my answer to a similar question https://stackoverflow.com/a/55463965/1848555 — Caleb Kiage, Apr 01 '19 at 21:46

score 0 · Answer 1 · answered Nov 06 '16 at 18:21

If you got an HTTP 401 error, for me it doesn't mean CORS configuration is the problem. 401 is supposed to mean unauthorized, so the problem may be more in your security configuration. If it was a cross origin problem, you would have an error like "No 'Access-Control-Allow-Origin' header is present on the requested resource.".

As a matter of fact I have one of my application which got a HTTP 200 (OK) on a request that fails because of a cross origin problem.

And if you want help you should really provide details on the request/response where you got the 401 error code.

I know it's not a real answer but I don't have the reputation to comment yet, so I hope this will help.

score 0 · Answer 2 · answered Nov 06 '16 at 20:08

0

You can also configure CORS on server. Which will work for all APIs of your application. Or you to set 'Access-Control-Allow-Origin to *' in your resquest and response so that your api can give response to any request from any server.

answered Nov 06 '16 at 20:08

Satish Kr

590
5
12

Spring security, OAUTH Cors, OPTIONS

2 Answers2