CORS Spring Security configuration - 404 No 'Access-Control-Allow-Origin' header is present on the requested resource

Question

I am trying to setup CORS on my Java Spring project.

Separately I have an Angular CLI application with a login page, I would like to authenticate a user using my Spring API.

I am getting the error on the client

origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I get this on the server log:

No mapping found for HTTP request with URI [/authenticateUser]

I have tried a number of examples from other threads but the client error doesn't change so I am a bit confused where to configure cors

I have a AppSecurityConfig class which extends WebSecurityConfigurerAdapter

@Configuration
@EnableWebSecurity
public class AppSecurityConfig extends WebSecurityConfigurerAdapter {

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

    User.UserBuilder users = User.withDefaultPasswordEncoder();

    auth.inMemoryAuthentication()
            .withUser(users.username("user1").password("password").roles("ROLE1"))
            .withUser(users.username("user2").password("password").roles("ROLE2"))
            .withUser(users.username("user3").password("password").roles("ROLE3"));
}

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.cors()
        .and()
        .authorizeRequests()
        .anyRequest()
        .authenticated()
        .and()
        .formLogin()
            .loginPage("/loginPageUrl")
            .loginProcessingUrl("/authenticateUser")
            .permitAll();
}

My Angular service makes the request:

authenticateUser(json: any) {
return this.http.post('http://localhost:8085/authenticateUser'
  , json, {headers : new HttpHeaders()
    .set('Authorization', '')
    });

}

The json passed in is:

{ username: this.username, password: this.password }

Adding the following method to my AppSecurityConfig class resolved the 'No 'Access-Control-Allow-Origin' header is present on the requested resource' error.

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("http://localhost:4200"));
    configuration.setAllowedMethods(Arrays.asList("GET","POST"));
    configuration.addAllowedHeader("content-type");
    configuration.addAllowedHeader("Access-Control-Allow-Origin");
    configuration.addAllowedHeader("Authorization");
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

Sabir Khan · Accepted Answer · 2019-01-25T10:57:54.177

In my opinion , missing Access-Control-Allow-Origin header shouldn't have anything to do with an end point missing mapping issue. That might be another issue but not related to CORS.

First you should examine request & response headers in browser network tab ( when UI makes requests to API ) to see if CORS related headers are really missing in response.

These headers begin with - Access-Control-Allow-* & the one that controls origin is - Access-Control-Allow-Origin

Your security config code , http.cors() tries to add a CorsFilter as per below logic ( pasting Java Doc of http.cors() )

Adds a CorsFilter to be used. If a bean by the name of corsFilter is provided, that CorsFilter is used. Else if corsConfigurationSource is defined, then that CorsConfiguration is used. Otherwise, if Spring MVC is on the classpath a HandlerMappingIntrospector is used.

So if you don't have provided as what being asked in above then you need to provide that.

Refer this answer esp. section 3. customize CORS config

If time permits, go through Spring provided filter org.springframework.web.filter.CorsFilter to understand logic.

Many thanks. Adding CorsConfigurationSource fixed that issue (added code to post). I now have a 403 response which i'll spend some time looking at. — , Jan 28 '19 at 11:48
@user2670815: To get better help, you can always attach browser screenshot of network tab with as much details as possible. — Sabir Khan, Jan 28 '19 at 11:55

M. Stefanczuk · Answer 2 · 2019-01-24T14:19:10.930

0

Try this:

@Configuration
public class WebConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**").allowedOrigins("http://domain1.com","http://domain2.com"
                    "http://domain3.com");
    }
}

Add addCorsMappings method to your configuration class and set allowed origins url which are urls of your Angular apps.

In your situation it will be:

registry.addMapping("/**").allowedOrigins("http://localhost:4200");

to allow requests from Angular app.

edited Jan 24 '19 at 14:19

answered Jan 24 '19 at 14:08

M. Stefanczuk

346
1
4
14

1

We can use : registry.addMapping("/**").allowedOrigins("*"); – IMParasharG Jan 24 '19 at 14:16
Done, get same error on the client. Also WebMvcConfigurerAdapter depreciated notification. – Jan 24 '19 at 14:39
I noticed I also have "No mapping found for HTTP request with URI [/authenticateUser]" on the tomcat log – Jan 24 '19 at 14:52

CORS Spring Security configuration - 404 No 'Access-Control-Allow-Origin' header is present on the requested resource

2 Answers2