7

I'm building a platform using Spring with authorization via JWT. In gateway service I have custom filter (based on BasicAuthenticationFilter) for parsing token but it should be invoked only for routes marked in security config as .authenticated() so routes which can be access by anyone are added to WebSecurity.ignoring().

The problem is that adding path to WebSecurity.ignoring() also disable CORS config for it and OPTIONS request is not returning Access-Control-* headers.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            // Auth service
            .antMatchers("/auth/login", "/auth/renew")
                .permitAll()
            .antMatchers("/auth/logout", "/auth/session/**")
                .authenticated()

            // User service
            .antMatchers(HttpMethod.POST, "/user/")
                .permitAll()
            .antMatchers( "/user/confirm/**", "/user/recover", "/user/validate/**")
                .permitAll()
            .antMatchers("/user/", "/user/change/**")
                .authenticated()

            // further part of routes...

    http
            .formLogin()
                .disable()
            .logout()
                .disable();

    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    http.addFilter(new JwtAuthenticationFilter(authenticationManager(), jwtKey));

    http.csrf().disable();

    http.cors();
}

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
            // Auth service
            .antMatchers("/auth/login", "/auth/renew")

            // User service
            .antMatchers(HttpMethod.POST, "/user/")
            .antMatchers( "/user/confirm/**", "/user/recover", "/user/validate/**")

            // further part of routes...
}

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(corsOrigins);
    configuration.setAllowedMethods(Collections.singletonList("*"));
    configuration.setAllowedHeaders(Collections.singletonList("*"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

Is there any way to bypass only specific filter for some paths?

-SOLVED-

I've solved my problem by enabling WebMvc and adding cors configuration (previous may be deleted).

@Override
public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/**")
            .allowedOrigins("http://localhost:3000")
            .allowedMethods("*")
            .allowedHeaders("*")
            .allowCredentials(true)
            .maxAge(3600);
}
MilyGosc
  • 148
  • 2
  • 10
  • Could you use some of these [minimal examples](https://github.com/jrichardsz/spring-boot-templates) and share us a [Minimal, Complete, and Verifiable example](https://stackoverflow.com/help/mcve). Your question is interesting. – JRichardsz May 01 '19 at 13:31
  • Possible duplicate of https://stackoverflow.com/questions/35091524/spring-cors-no-access-control-allow-origin-header-is-present – dur May 01 '19 at 18:06
  • @MilyGosc: Add your "solved" part as an answer instead of the edit! – Jacob van Lingen Jan 13 '22 at 13:39
  • Adding `@EnableWebSecurity` to security config (along with corsConfigurationSource) and `@CrossOrigin` to controller helped – EmeraldTablet Feb 08 '23 at 15:58

0 Answers0