1

my backend app in spring boot and secured with ssl. I used OAuth2 facebook login. Also the frontend app in Angular 7 and secured by ssl. My problem is sending requests Angular to my Spring boot App. All apps is https.

P.S. All works if i add url to webSecurity.ignoring(). and not secure my backend. i think some problem with security and HTTPS requests. THANKS FOR HELP.

BACKEND

SecurityConfig.java

@RestController
@CrossOrigin(origins = "https://192.168.1.106:4400")
@Configuration
@Order(1000)
@EnableWebSecurity

public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UserRepo userRepo;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .cors().and()
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.GET, "/unauth/**").permitAll()
            .antMatchers(HttpMethod.POST, "/unauth/upload").permitAll()

            .antMatchers(HttpMethod.POST, "/api/**").authenticated()
            .antMatchers(HttpMethod.PUT, "/api/**").authenticated()
            .antMatchers(HttpMethod.DELETE, "/api/**").authenticated()
            .antMatchers(HttpMethod.GET, "/api/**").authenticated()
            .anyRequest().permitAll()
            .and().logout().logoutSuccessUrl("/").permitAll();

}

@Override
public void configure(WebSecurity webSecurity) {
    webSecurity.ignoring().antMatchers(HttpMethod.GET, "/unauth/**");
    webSecurity.ignoring().antMatchers(HttpMethod.POST, "/unauth/**");
}
  webSecurity.ignoring().antMatchers(HttpMethod.POST, "/unauth/**");
}

SomeRestController.java

 @RestController
 @CrossOrigin(origins = "https://192.168.1.106:4400")
  @RequestMapping ("/api")
 public class ProductService {



@Autowired
private ProductRepo productRepo;

@CrossOrigin(origins = "https://192.168.1.106:4400")
@GetMapping("/products")
public List<Product> getProducts(){
    return productRepo.findAll();

}

SpringBootApplication.java

@SpringBootApplication
@EnableOAuth2Sso
@CrossOrigin(origins = {"https://192.168.1.106:4400"}, allowCredentials = "false")
public class MongoTestApplication {

    public static void main(String[] args) {
        SpringApplication.run(MongoTestApplication.class, args);
    }
}

FRONTEND

SomeComponent.html < button (click)="makeRequest()"> MAKE REQUEST < /button >

SomeComponent.ts

val:any = {};
  makeRequest(){
    this.http.get("https://localhost:8443/api/products").subscribe(value =>  {this.val = value; console.log(this.val.key)});
  }

ERROR

error in browser

Access to XMLHttpRequest at 'https://localhost:8443/api/brands' from origin 'https://192.168.1.106:4400' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
core.js.pre-build-optimizer.js:15714 ERROR n {headers: t, status: 0, statusText: "Unknown Error", url: "https://localhost:8443/api/brands", ok: false, …}
Ibrahim Rajabli
  • 33
  • 1
  • 8
  • You set your cross-origin on the api side to https://192.168.1.106:4400, but accessing it from https://localhost:8443/api/products. Those are completely different domain names. Try accessing it using the IP (Port should be the same). Is there a Proxy server in between the client and backend, since you access 8443 and expect it to route to port 4400? – printfmyname Mar 18 '19 at 13:15
  • i try with all apps with localhost. same results. I think no matter about it. – Ibrahim Rajabli Mar 18 '19 at 13:35
  • Try this answer with a working solution to the same problem you are having, https://stackoverflow.com/questions/40286549/spring-boot-security-cors . – printfmyname Mar 18 '19 at 13:53
  • i use every possible about filtering. no results. just give Exception like `org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource ...'` – Ibrahim Rajabli Mar 18 '19 at 14:16
  • It is a frequent error with `Access-Control-Allow-Origin`. Try to search more. I suggest to search how to use `webpack proxy` to make the front and back looks like working on the same port. The annotation `@CrossOrigin(...)` you used is not a best practice. – Amir Choubani Mar 19 '19 at 09:51
  • @AmirChoubani one question. Why this working when I add this link to webSecurity.ignoring().antMatchers(HttpMethod.GET, "/api/**"); all worked perfectly. ? why we need same port ? it is different apps. and i think not need word one port. – Ibrahim Rajabli Mar 19 '19 at 10:29
  • webpack plugin make it easy to deal with `Access-Control-Allow-Origin`. With the solution you suggested, you said to spring security " hey, ignore any request of type get and post ect coming from outside to the url /api/** – Amir Choubani Mar 19 '19 at 11:11
  • okey I will search about it now. – Ibrahim Rajabli Mar 19 '19 at 11:14

1 Answers1

0

Edit your main class as below and remove all @CrossOrigin from the controllers.

import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@SpringBootApplication
@EnableOAuth2Sso
public class MongoTestApplication {

    public static void main(String[] args) {
        SpringApplication.run(MongoTestApplication.class, args);
    }

 @SuppressWarnings("deprecation")
    @Bean
        public WebMvcConfigurer corsConfigurer()
        {
            return new WebMvcConfigurerAdapter() {
                @Override
                public void addCorsMappings(CorsRegistry registry) {
                    registry.addMapping("/**").allowedMethods("GET", "PUT", "POST", "DELETE", "OPTIONS");
                }    
            };
        }
}
shreyansh sharma
  • 46
  • 2