0

I'm trying to pass a GET-request from my Angular front-end to my Spring boot back-end. I'm using JWT to authenticate everything and I'm using an HTTP-interceptor to add the token in the request header like this:

@Injectable()
export class Interceptor implements HttpInterceptor {

    constructor(public auth: AuthService) { }

    intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {

        const token: string = this.auth.getToken();

        if(this.auth.isAuthenticated()) {
            request = request.clone({
                setHeaders : { Authorization : `${this.auth.getToken()}`,}          
            });
        }

        return next.handle(request);
    }
}

I don't see the token being added in chrome's request headers: image link

And the back-end doesn't see it either, thus returning a 403. I suspect that this has something to do with CORS (I'm hosting both front-end and back-end on the same machine, and I'm using Chrome + CORS plugin).

So I tried allowing CORS requests to my back-end:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.csrf().disable();

    http.cors().disable()
            .authorizeRequests()
            .antMatchers("/login").permitAll()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .anyRequest().authenticated().and().addFilterBefore(new JwTokenFilter(jwTokenProvider), UsernamePasswordAuthenticationFilter.class);
}

This still doesn't seem to work. Also I've tried using Postman to do the same GET-request and that seems to work just fine. Can anyone help me out here?

AS Mackay
  • 2,831
  • 9
  • 19
  • 25
ThijsFreeze
  • 11
  • 1
  • 6

1 Answers1

1

Also override cors mapping or define @Bean for CorsMapping, please define your correct froent end origin I believe its as per your screen shot allowedOrigins("http://evil.com")

@Configuration
public class MvcConfig implements WebMvcConfigurer {


    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**").allowCredentials(true).allowedOrigins("http://evil.com")
                .allowedHeaders("Authorization", "Cache-Control", "Content-Type", "Accept", "X-Requested-With", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers", "Origin")
                .exposedHeaders("Access-Control-Expose-Headers", "Authorization", "Cache-Control", "Content-Type", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers", "Origin")
                .allowedMethods("GET", "OPTIONS", "POST", "PUT", "DELETE", "PATCH");
    }
}

or defining @Bean in configuration or you can also define Filter

   @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurerAdapter() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/**").allowedOrigins("your origin or * for allow all");
            }
        };
    }

approach 2:

@CrossOrigin on the Controller

@CrossOrigin(origins = "http://example.com", maxAge = 3600)
@RestController
@RequestMapping("/account")
public class AccountController {
kj007
  • 6,073
  • 4
  • 29
  • 47
  • Thanks a lot for your suggestions! The problem seemed to be, that I was using a CORS-plugin aswell as trying to solve the issue on the Spring-boot settings. Disabling the plugin and adding the WebMvcConfigurer bean to the Application class solved this issue for me. Thanks once again! – ThijsFreeze Oct 18 '18 at 11:51