1

I am enabling CORS in web security configuration:

@Configuration
@EnableWebSecurity
public class MyWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
                .cors().and()
                .csrf().disable()
                .authorizeRequests()
                .antMatchers( "/forms/**").permitAll()
                .antMatchers( "/member/login").permitAll()
                .antMatchers( "/member/signup").permitAll()
                .anyRequest().authenticated()
                .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/member/logout")).logoutSuccessHandler((new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK)))
                .and().requestCache().requestCache(new NullRequestCache());
    }

    @Bean
    public JsonUsernamePasswordAuthenticationFilter authenticationFilter() throws Exception {

    JsonUsernamePasswordAuthenticationFilter authenticationFilter = new JsonUsernamePasswordAuthenticationFilter();
    authenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler());
    authenticationFilter.setAuthenticationFailureHandler(authenticationFailureHandler());
    authenticationFilter.setAuthenticationManager(authenticationManagerBean());
    authenticationFilter.setFilterProcessesUrl("/member/login");
    authenticationFilter.setPasswordParameter("password");
    authenticationFilter.setUsernameParameter("email");
    authenticationFilter.setPostOnly(true);
    return authenticationFilter;
    }
}

And JsonUsernamePasswordAuthenticationFilter:

@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

    if(CorsUtils.isPreFlightRequest(request) || request.getMethod().equals(HttpMethod.OPTIONS.name())) response.setHeader("Allow", HttpMethod.POST.name());

    if (this.postOnly && !request.getMethod().equals("POST")) {
        return null;
    } else {

        MemberLogin login = getAuthenticationRequest(request);

        if (login.getEmail() == null) login.setEmail("");
        if (login.getPassword() == null) login.setPassword("");

        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(login.getEmail(), login.getPassword());
        setDetails(request, token);
        return getAuthenticationManager().authenticate(token);
    }
}

When I run my project with ionic cordova emulate -l -c ios in the simulator, my POST requests for /members/login (authentication filter) fail with the following error, whereas the POST requests for /members/signup (a controller endpoint) succeed:

{"headers":{"normalizedNames":{},"lazyUpdate":null,"headers":{}},"status":0,"statusText":"Unknown Error","url":null,"ok":false,"name":"HttpErrorResponse","message":"Http failure response for (unknown url): 0 Unknown Error","error":{"isTrusted":true}}

And the error from Web Inspector is as follows:

[Error] Origin http://172.20.10.2:8100 is not allowed by Access-Control-Allow-Origin.
[Error] XMLHttpRequest cannot load http://172.20.10.2:8080/member/login due to access control checks.
[Error] Failed to load resource: Origin http://172.20.10.2:8100 is not allowed by Access-Control-Allow-Origin. (login, line 0)

Headers for the response of an OPTIONS request are as follows:

Allow →POST
X-Content-Type-Options →nosniff
X-XSS-Protection →1; mode=block
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Pragma →no-cache
Expires →0
X-Frame-Options →DENY
Content-Length →0
Date →Fri, 05 Apr 2019 11:53:58 GMT

and headers for the response of a POST request are:

X-Content-Type-Options →nosniff
X-XSS-Protection →1; mode=block
Cache-Control →no-cache, no-store, max-age=0, must-revalidate
Pragma →no-cache
Expires →0
X-Frame-Options →DENY
Access-Control-Expose-Headers →*
Access-Control-Allow-Origin →*
x-auth-token →b5f39afe-ad54-40b1-a690-0c79f800abd6
Content-Length →0
Date →Fri, 05 Apr 2019 12:08:30 GMT

which are identical to the headers for requests to /member/signup.

This states that --livereload still brings up a web server with requests having origin, so one can run into CORS issues, but event when I run without it (actually package the app and distribute within my organisation) my requests still fail (with ionic cordova build ios and from XCode project).

So my questions are:

  1. Why my request fails even when I pack the app and distribute without livereload (shouldn't the origin of my requests be empty?)
  2. How can I enable CORS for my authentication filter?

References:

  1. This here references the ionic proxy. I cannot use a proxy in production. I would like to know how I can enable CORS, and actually, why it is happening in the first place without an origin on the device.

  2. This doesn't help, I am running into the same issue.

  3. This one doesn't help either.

Hasan Can Saral
  • 2,950
  • 5
  • 43
  • 78
  • @sideshowbarker Thanks for the comment, I've updated the question with the single error message I can log. From the `status` field being `0` in the message, I understand that the error is on the angular/ionic level, most likely an `OPTIONS` related CORS issue. – Hasan Can Saral Apr 03 '19 at 17:54
  • @HasanCanSaral As far as I know, when you run an ionic app in the simulator, it doesn't issue CORS preflight requests. The status 0 suggests that you have a network error. Can your simulator access your server? – Caleb Kiage Apr 03 '19 at 21:40
  • Also, you shouldn't turn off security for all `OPTIONS` requests since not all of them are CORS related requests. The `http.cors()` should be enough to allow CORS requests through. – Caleb Kiage Apr 03 '19 at 21:43
  • @CalebKiage You are right, the simulator shouldn't run into CORS issues, at least without livereload. That's indeed yet another problem. I can, however, access the api from Safari within the simulator, for example. – Hasan Can Saral Apr 04 '19 at 20:13
  • @sideshowbarker Thanks for the comment. I have, in the past, run into [CORS issues](https://stackoverflow.com/questions/51422014/cors-hell-in-ionic-3), which resulted in the same error message, that's why I believe it was a CORS issue. Also, how could we explain the `GET` requests starting to work when I change the configuration from `.addMapping("/**")` to `.addMapping("/*")` within CORS configuration in Spring Boot? – Hasan Can Saral Apr 04 '19 at 20:16
  • Have you enabled network permissions for your app? – Caleb Kiage Apr 06 '19 at 13:51
  • @CalebKiage Hi, thanks for the comment! Is it possible for all other requests to succeed and only the ones to `/member/login` (`AuthenticationFilter`) fail without the network permissions? – Hasan Can Saral Apr 08 '19 at 13:50
  • You're right. That shouldn't happen. Do you have a minimal repo that demonstrates your issue? – Caleb Kiage Apr 15 '19 at 12:18

0 Answers0