6

I am new to Angular and spring-security. I am having a problem with CORS when trying to log in from an Angular login-form page using basic authentication to the REST endpoint. My Angular code is running on http://localhost:4200 and the REST endpoint on http://localhost:8181. My Angular login form tries to make a request to http://localhost:8181/token, which I have specified in my login controller. Even though I have added CORS configuration on the server side, I get this error:

Failed to load http://localhost:8181/token: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. The response had HTTP status code 403.

(angular) login.service.ts:-

import { Injectable } from '@angular/core';
import { Http, Headers, RequestOptions } from '@angular/http';

@Injectable()
export class LoginService {
  constructor(private http: Http) {}

  sendCredential(username: string, password: string) {
    const url = 'http://localhost:8181/token';
    const encodedCredential = username + ':' + password;
    const basicHeader = 'Basic ' + btoa(encodedCredential);
    const headers = new Headers();
    headers.append('Content-Type', 'application/x-www-form-urlencoded');
    // The Authorization header makes the browser send a CORS preflight (OPTIONS) first.
    headers.append('Authorization', basicHeader);
    const opts = new RequestOptions({headers: headers});
    return this.http.get(url, opts);
  }
}

(spring) SecurityConfig.java

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String[] PUBLIC_MATCHERS = {
            "/css/**",
            "/js/**",
            "/image/**",
            "/book/**",
            "/user/**"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .cors().and()
                .csrf().disable()
                .httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers(PUBLIC_MATCHERS)
                .permitAll()
                .anyRequest()
                .authenticated();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST","DELETE","PUT","OPTIONS"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    // userSecurityService and passwordEncoder() are not shown in the question.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userSecurityService).passwordEncoder(passwordEncoder());
    }
}

LoginController.java

@RestController
public class LoginController {

    @Autowired
    private UserService userService;

    @RequestMapping("/token")
    public Map<String, String> token(HttpSession session, HttpServletRequest request) {
        String remoteHost = request.getRemoteHost();
        int portNumber = request.getRemotePort();
        String remoteAddr = request.getRemoteAddr();

        System.out.println(remoteHost + ":" + portNumber);
        System.out.println(remoteAddr);


        return Collections.singletonMap("token", session.getId());
    }
}
zgue
Tsetiz Bista
  • CORS seems to be deactivated (https://spring.io/understanding/CORS) – Zooly Nov 01 '17 at 14:56
  • I have added CORS configuration in SecurityConfig class as shown above in code block – Tsetiz Bista Nov 01 '17 at 14:58
  • The problem is with your authentication mechanism, somehow it's not able to authenticate the user. So it returns 403 status – Nitishkumar Singh Nov 01 '17 at 15:03
  • When I use the traditional approach, where the class implements the Filter interface and performs filterChain.doFilter for every request/response for CORS handling, instead of Spring's CorsConfigurationSource, it works fine. – Tsetiz Bista Nov 01 '17 at 15:15

5 Answers

9

Try this configuration. It should work fine for you.

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("*"));
    configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH"));
    configuration.setAllowedHeaders(Arrays.asList("X-Requested-With", "Origin", "Content-Type", "Accept", "Authorization"));
    configuration.setAllowCredentials(true);
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

Since you are using Spring Security / authentication, you should use setAllowCredentials(true).

vsoni
  • No matter what I do I'm getting 403. I am using KeycloakWebSecurityConfigurerAdapter with your code, I've tried a bunch of similar code. – ancm Sep 25 '19 at 00:49
  • @ancm - it is very difficult to understand the exact problem without looking at the stack trace. Perhaps https://stackoverflow.com/questions/42153070/keycloak-spring-boot-not-authenticating-rest-endpoint or https://stackoverflow.com/questions/53493809/keycloak-integration-with-spring-boot or https://stackoverflow.com/questions/45051923/keycloak-angular-no-access-control-allow-origin-header-is-present might be helpful for you. – vsoni Sep 28 '19 at 17:22
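
Added example (not part of any post on this page; assumes spring-web on the classpath): it passes the question's CorsConfiguration and a tightened variant through Spring's own preflight checks, showing that the missing allowed-headers list is what rejects the request carrying Authorization. The class name, the tightened() settings and the sample header values are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.web.cors.CorsConfiguration;

public class CorsPreflightCheck {

    // The question's configuration: origins and methods only, no allowed headers.
    static CorsConfiguration fromQuestion() {
        CorsConfiguration c = new CorsConfiguration();
        c.setAllowedOrigins(Arrays.asList("*"));
        c.setAllowedMethods(Arrays.asList("GET", "POST", "DELETE", "PUT", "OPTIONS"));
        return c;
    }

    // Tightened variant (assumption): one named origin, only the methods and
    // headers the Angular login request actually needs.
    static CorsConfiguration tightened() {
        CorsConfiguration c = new CorsConfiguration();
        c.setAllowedOrigins(Arrays.asList("http://localhost:4200"));
        c.setAllowedMethods(Arrays.asList("GET", "OPTIONS"));
        c.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        c.setAllowCredentials(true);
        c.setMaxAge(3600L); // let the browser cache the preflight result for an hour
        return c;
    }

    public static void main(String[] args) {
        // Constructed values: what the browser would put in the preflight's
        // Origin and Access-Control-Request-Headers for the login call.
        String origin = "http://localhost:4200";
        List<String> requested = Arrays.asList("authorization", "content-type");

        // A null result means Spring's CORS processor rejects the preflight with 403.
        System.out.println("question, headers:   " + fromQuestion().checkHeaders(requested));
        System.out.println("tightened, headers:  " + tightened().checkHeaders(requested));
        System.out.println("tightened, origin:   " + tightened().checkOrigin(origin));
        System.out.println("tightened, other:    " + tightened().checkOrigin("http://other.example"));
    }
}
```

Spring Framework 5.3 and later refuse setAllowCredentials(true) combined with an allowed origin of "*"; name the origin explicitly or use allowedOriginPatterns.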
3

I was stuck with this problem for 2 days, and adding @CrossOrigin("*") in the controller solved my problem.

Note: you can put your origin address instead of *

Harsha Biyani
laynurraa
1

Use

@CrossOrigin("http://your-foreign-site/")
@RequestMapping("/token")

instead.

Peter Rader
0

Inside your controller, use the value from a .properties file

@Value("${cors.site.enable}") private String site;

Use @CrossOrigin(site)

Amr Alaa
0

Add

<mvc:cors>
    <mvc:mapping path="/**" />
</mvc:cors>

to your web.xml to allow connections from all hosts

Origin: https://spring.io/blog/2015/06/08/cors-support-in-spring-framework

stfbee