OPTIONS request forbidden in Spring Boot

Question

I read a lot of threads and solutions about this issue (including this SO solution), but I still have the 403 error when sending preflight requests.

I'm using Spring Data Rest and I can work well with my repositories as long as there is no OPTIONS sent. I do not use Spring Security yet but I plan to configure it soon. Here is my current configuration:

@Configuration
public class GlobalRepositoryRestConfigurer extends RepositoryRestConfigurerAdapter {

    @Override
    public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {
        config.getCorsRegistry().addMapping("/**").allowedOrigins("*").allowedHeaders(
                "*").exposedHeaders("Location").allowedMethods("GET", "PUT", "POST", "DELETE",
                                                               "OPTIONS");
    }

    @Bean(name = DispatcherServletAutoConfiguration.DEFAULT_DISPATCHER_SERVLET_BEAN_NAME)
    public DispatcherServlet dispatcherServlet() {
        DispatcherServlet dispatcher = new DispatcherServlet();
        dispatcher.setDispatchOptionsRequest(true);
        return dispatcher;
    }
}

I also tried the application.properties option, and setting my allowedMethods to "*" , but I end up with the 403 no matter what. Below are the request/response headers I got from the OPTIONS request.

Request headers

Accept           text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Encoding  gzip, deflate
Accept-Language  fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Access-Control-Request-Headers   content-type
Access-Control-Request-Method    POST
Connection       keep-alive
Host             localhost:8080
Origin           http://localhost:4000
Referer          http://localhost:4000/
User-Agent       Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/64.0

Response headers

Allow            GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
Content-Length   20
Date             Sun, 30 Dec 2018 08:49:00 GMT

Do you see anything wrong or something else I could try?

i think your corsconfiguration is overridden somewhere else in your application, can you verify that? — stacker, Dec 30 '18 at 10:36
There is no other place where a CORS configuration is explicitly defined, do you think it could be some default Spring configuration? How can I check that? Anyway, I already verified that the `allowMethods` works (there is a mismatch between the conf and response headers I posted, but I think I copied a request made with my previous conf that had more methods allowed), as well as the `exposeHeaders`. — Carrm, Dec 31 '18 at 08:32

score 0 · Accepted Answer · answered Jan 12 '19 at 14:43

0

I still don't know why my configuration didn't work for OPTIONS requests, but I managed to make it work with the WebMvcConfigurer. Here is the configuration class that solved my issue:

@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                .allowedOrigins("*")
                .allowedHeaders("*")
                .exposedHeaders("Location", "Access-Control-Allow-Origin");
    }
}

answered Jan 12 '19 at 14:43

Carrm

1,485
3
24
45

Not working in my case, might be another reason in my case – Marian Klühspies Dec 16 '19 at 07:57
See https://stackoverflow.com/questions/40009719/spring-boot-data-rest-cors-not-being-enabled-properly-for-options-delete/62666092 – LeslieM Jun 30 '20 at 21:05

OPTIONS request forbidden in Spring Boot

1 Answers1