0

i have a spring-rest application with oauth2 authentication. Everything works fine and i can receive a token and use it to authenticate and all that stuff. Now i am developing a frontend for the application with Angular2.

The main Problem here is: How can i allow CORS in my Oauth2 security configuration? I have managed to allow it in my Controller classes with the @CrossOrigin annotation, but how does it work in the security configuration?

i have tried this:

@Configuration
@EnableWebSecurity
public class OAuth2SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
        .csrf().disable()
        .anonymous().disable()
        .authorizeRequests()
        .antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll()
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("http://localhost:3000"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

But i still got the error:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 401.

Beytullah Güneyli
  • 518
  • 2
  • 8
  • 21
  • https://stackoverflow.com/questions/20035101/no-access-control-allow-origin-header-is-present-on-the-requested-resource – StanislavL Jun 07 '17 at 11:10

1 Answers1

-1

According to the Spring doc the CorsConfigurationSource is not used as a bean but in a CorsFilter, see https://docs.spring.io/spring/docs/current/spring-framework-reference/html/cors.html#_filter_based_cors_support

public class MyCorsFilter extends CorsFilter {

    public MyCorsFilter() {
        super(configurationSource());
    }

    private static UrlBasedCorsConfigurationSource configurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("http://domain1.com");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}

Another way would be to provide a cors mapping in the WebMvcConfigurerAdapter, see https://docs.spring.io/spring/docs/current/spring-framework-reference/html/cors.html#_javaconfig

@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
            .allowedOrigins("http://domain2.com")
            .allowedMethods("PUT", "DELETE")
            .allowedHeaders("header1", "header2", "header3")
            .exposedHeaders("header1", "header2")
            .allowCredentials(false).maxAge(3600);
    }
}
Ralf Stuckert
  • 2,120
  • 14
  • 17
  • i am using the **WebSecurityConfigurerAdapter .** There is no method called "addCorsMappings" in this class. if i would use the first approach, what would i add in my configuration class? i added a new class called MyCorsFilter but i have no idea how to use it – Beytullah Güneyli Jun 07 '17 at 14:19
  • There is no method `addCorsMapping()` in the `WebSecurityConfigurerAdapter` since CORS is not part of Spring security. Just add a `WebMvcConfigurerAdapter` as described in the documentation. – Ralf Stuckert Jun 08 '17 at 05:50
  • i still got the same error, i have tried both approaches, but none of them seems to work. i can still make requests on postman, but not in my angular app – Beytullah Güneyli Jun 08 '17 at 10:08