CORS (Cross origin issue) while invoking Spring Rest services from Angular4

Question

We have a frontend app developed in Angular2 and services (REST services) are developed using Spring MVC. When frontend app i.e. javascript is calling service, we are facing a cross origin issue and service calls are not successful.

On research, there is an option to include CORSFilter on service side, but UI is calling around 30 services and all of them are separate deployables.

Making changes in 30 services is not a viable option, apart from making changes on services side, are there any other options available?

Please suggest.

Answer 1

I think there is no other way than enabling CORS on your server-side. Maybe you could encapsulate your API end points crafting a dedicated microservice and enable CORS on it.

Answer 2

There is a solution in spring boot you can find it in this link: https://spring.io/guides/gs/rest-service-cors/ I am not particularly sure what you need, but @crossOrigin(-->Link of your site<--) worked on my end.

---

EDIT

Here is for the global configuration in this link: https://spring.io/guides/gs/rest-service-cors/#_global_cors_configuration after adding this on my app it solved my issue.

Answer 3

I think, there is more here than meets the eye & its important to understand CORS first & then try to figure out solutions as folks are bringing in words like - Angular etc in CORS discussion.

Lets say you have developed & deployed APIs with intention of being consumed from specific UI code deployed at certain fixed URL/domain. As a server, CORS is a way to tell clients ( like browsers ) that even though I am serving this request but I am also telling you that this request didn't came from a UI domain that I as server expected ( by default - it has to be same origin ) so you take necessary action. When browser gets flagged by server, it suppresses server response and shows that request failed.

Above is indeed a very simplistic description and you should learn more about Same Origin Security policy.

Also, note that server flags client by setting response headers about origins that it supports but serves the response anyway so till this point you should understand two points ,

1. It has nothing to do with Angular and has everything to do with Browser
2. Its a client's prerogative what is does if server tells it that request doesn't came from origin / domain , it was expecting from. Usually only web browsers implement it & not done by clients like curl etc

Having that much said, would you like your APIs to be hosted on same domain that of UI domain? If not, then you need to change server side code to explicitly tell about CORS headers otherwise browser is going to keep failing it.

Solutions ,

1.Add annotation - org.springframework.web.bind.annotation.CrossOrigin to each of end points.

2.Add a global config to each deployable unit like illustrated here. Advantage being that these artifacts can further be deployed to different domains.

Don't just blindly copy - paste this line though, config.addAllowedOrigin("*"); , set it to specific domain that you wish to serve otherwise no point in having this security.

3.Write another deployable artifact handing your security stuff like CORS etc and this artifact will be the front for receiving all incoming requests & then responding after constructing responses from those 30 end points. Clients wouldn't directly interact with those 30 end points but only with this artifact. Obviously, this artifact would also be needed on same domain as those 30 end points.

Making changes in 30 services is not a viable option, apart from making changes on services side, are there any other options available?

I don't think there is any other solution than making code changes on server side. Nobody external to your team can dictate these on you because deployment model is very propriety subject and goes by need by need basis from organization to organization.

Origin header gets sent in request and is made up of the three parts: the protocol, host, and port number.