I am having a problem where my code encounters CORS errors. The code works if I run it from a Chrome instance with --disable-web-security. I have the following code in my Spring ApplicationConfig:

@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurerAdapter() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/**").allowedOrigins("*").allowedMethods("*").allowedHeaders("*");
        }
    };
}

When my front end submits its OPTIONS request, it succeeds with status 200 and the response has the following headers:

Request URL: http://127.0.0.1:9000/oe/Auth/login
Request Method: OPTIONS
Status Code: 200 OK
Remote Address: 127.0.0.1:9000
Referrer Policy: no-referrer-when-downgrade
Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, X-Requested-With
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT, PATCH
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Fri, 14 Sep 2018 01:27:15 GMT
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

When it then submits the POST to log in, I get the following console error:

Failed to load http://127.0.0.1:9000/oe/Auth/login: 
No 'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'http://localhost:3000' is therefore not allowed access.

Here is the network tab:

Request URL: http://127.0.0.1:9000/oe/Auth/login
Request Method: POST
Status Code: 200 OK
Remote Address: 127.0.0.1:9000
Referrer Policy: no-referrer-when-downgrade
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Date: Mon, 17 Sep 2018 20:19:48 GMT
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: SESSION=ZjlhYTE5NmMtNDk3NC00Yzc4LTk1MDYtN2FjNzBhMjFhMGI0; Path=/oe/; HttpOnly
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

Is this because Spring Security grabs this request before something happens with my CorsRegistration?

lvoelk
  • *The response had HTTP status code 500* – sideshowbarker Sep 14 '18 at 02:19
  • If by that you mean it's not a CORS issue, it's actually an internal server error, that is not the issue. According to the access logs the second request never even gets to the server; it gets blocked by the browser, as the error statement implies with the first part about Access-Control-Allow-Origin – lvoelk Sep 14 '18 at 02:27
  • If the browser gets a 500 response to a CORS preflight OPTIONS, the CORS protocol requires the browser to stop right there & not try to send the POST from your code. That’s the whole purpose of the browser sending that OPTIONS to begin with: To find out from the server if it’s OK to proceed. And for the browser to decide it’s OK to proceed, it needs to see a 200 OK success response to that OPTIONS, not a 500. So even if that 500 response included the Access-Control-Allow-Origin header, your request would still fail—because the preflight would still fail, since the response code’s not a 200 OK – sideshowbarker Sep 14 '18 at 02:38
  • The OPTIONS request succeeds; I updated the text above to make that more clear. It is the POST request that fails, and the response headers on the POST do not contain any of the headers that the OPTIONS request possessed. This is really more of a Spring and Spring Security question, I think. My best guess is that spring-security is intercepting the POST request prior to the CORS Registration being used to set the headers. – lvoelk Sep 14 '18 at 02:41
  • Yeah, it’s likely the cause of that 500 occurs in the server system before your application code is ever even run. But anyway most servers by default don’t add headers to 5xx and 4xx error responses — instead they just add them to 2xx responses and maybe to 3xx responses. To get a server to add headers to error responses, you typically need to add some non-default config. For example, with nginx and Apache, you need to add an 'always' parameter to the directive that sets the header. – sideshowbarker Sep 14 '18 at 02:54
  • Tested by disabling web security in local browser and the 500 error went away and request worked; still seems like there is something wrong in my Spring CORS setup. – lvoelk Sep 14 '18 at 03:18

1 Answer

A friend referred me to an answer nested further down in the following post. You do have to do extra work with Spring Security for CORS: https://stackoverflow.com/a/43559288/3459721

lvoelk
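
One way to do the extra Spring Security work the answer refers to, as an added example (not code from the original post or from the linked answer), written against the Spring Security 4.2/5.x API that matches the `WebMvcConfigurerAdapter`-era code in the question. The class name `SecurityConfig`, the `permitAll` rule for `/Auth/login` (relative to the `/oe` context path) and the use of cookie credentials are assumptions; the origin is the one named in the console error. Because the login response sets a `SESSION` cookie, the example lists that origin explicitly instead of `*`, which browsers reject for credentialed requests.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical class name; merge into the application's existing security configuration.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Adds Spring's CorsFilter to the security filter chain, so CORS headers
            // are written before the authentication filters can answer the request.
            .cors().and()
            // Placeholder rules (assumption): replace with the application's own.
            .authorizeRequests()
                .antMatchers("/Auth/login").permitAll()
                .anyRequest().authenticated();
    }

    // http.cors() looks this bean up by the name "corsConfigurationSource".
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Origin taken from the console error in the question; an explicit list
        // instead of "*" because the session cookie makes the request credentialed.
        config.setAllowedOrigins(Collections.singletonList("http://localhost:3000"));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(Arrays.asList("Content-Type", "X-Requested-With"));
        config.setAllowCredentials(true);
        config.setMaxAge(3600L); // same preflight cache lifetime as in the question

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

To check the result, confirm in the network tab that the POST response, not only the OPTIONS response, now carries `Access-Control-Allow-Origin: http://localhost:3000`.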