5

I am making a web with Angular 5 and I am getting this error every time I try to do a GET request. I've read tons of tons of answers here and none of them working for me.

As I've read it's because I am adding custom headers to this request which needs to be done because I am using Spring Security which I think is causing the problem. This is my current Spring Security config which I've made out of reading questions but still not working, I don't know if I am doing something wrong in it:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import java.util.Arrays;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .cors()
                .and()
                .authorizeRequests().anyRequest().permitAll()
                .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf().disable();
    }

    @Override
    public void configure(WebSecurity web ) throws Exception
    {
        web.ignoring().antMatchers( HttpMethod.OPTIONS, "/**" );
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(Arrays.asList("authorization", "content-type", "x-auth-token"));
        configuration.setExposedHeaders(Arrays.asList("x-auth-token"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

Hope you can give a hand on this bec I've been struggling for a few days with this. I think obviously the problem here is CORS, my GET request being converted to an OPTIONS one bec of the custom headers and Spring Security.

Also I'd like to mention that I am using Spring Boot with Jersey.

Thanks.

Ikar Pohorský
  • 4,617
  • 6
  • 39
  • 56
Wrong
  • 1,195
  • 2
  • 14
  • 38

2 Answers2

4

I was able to solve this problem like this:

My WebMvcConfiguration:

@Configuration
@EnableWebMvc
public class WebConfiguration extends WebMvcConfigurationSupport {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/**");
    }

}

My Security Configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
      http.cors().disable()
          .authorizeRequests()
          .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
          .anyRequest()
          .fullyAuthenticated()
          .and()
          .httpBasic()
          .and()
          .csrf().disable();
}
RubioRic
  • 2,442
  • 4
  • 28
  • 35
Fabiano Góes
  • 64
  • 3
  • 2
    Awesome that you're making answers! I hope you wouldn't mind just a few pointers? When you're making an answer, you should try to find sources and explain why the problem happened in the first place, how you fixed it and why it works. This would get you a lot more rep! Again: it's great to have you on board and that you're trying to help, and that's only what I'm trying to do too! – Andreas Storvik Strauman Sep 07 '18 at 17:28
  • What does the first class do @fabiano ? – Wrong Sep 28 '18 at 09:12
  • 2
    This line fixed it for me: `.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()` – RiesvGeffen Dec 10 '18 at 18:48
0

Add following configuration ,

@Configuration
public class CorsConfig {
    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurerAdapter() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/**").allowedMethods("GET", "POST", "PUT", "DELETE").allowedOrigins("*")
                        .allowedHeaders("*");
            }
        };
    }
}
Naveen Perera
  • 1
  • 3