@CrossOrigin in SpringBoot

Question

I am testing my understanding of how CORS works. I have 2 applications run on different port. I am sending request to app A from app B. App A run on port 8080

  @Controller
    @EnableAutoConfiguration
    public class HelloController {

        @CrossOrigin(origins = "http://localhost:9000")
        @RequestMapping("/hello")
        @ResponseBody
        public String sayHello() {
            return "Hello World Developer!!!";
        }
    }

App B runs on port 8081

 @RequestMapping("/hello")
        @ResponseBody
        public String sayHello() throws IOException {


             String GET_URL = "http://localhost:8080/hello";
            URL obj = new URL(GET_URL);
            HttpURLConnection con = (HttpURLConnection) obj.openConnection();
            con.setRequestMethod("GET");
            int responseCode = con.getResponseCode();
            InputStream inputStream;
            if (200 <= responseCode && responseCode <= 299) {
                inputStream = con.getInputStream();
            } else {
                inputStream = con.getErrorStream();
            }

            BufferedReader in = new BufferedReader(
                    new InputStreamReader(
                            inputStream));

            StringBuilder response = new StringBuilder();
            String currentLine;

            while ((currentLine = in.readLine()) != null)
                response.append(currentLine);

            return response.toString();


        }

By setting @CrossOrigin(origins = "http://localhost:9000") the request should not have been succesful since the only request origin allow to app A is from port 9000. Is that correct ? But here i am getting the succesful response code 200 "Hello World Developer!!!"

You need to add some headers to your http request. These headers are "Origin", "Access-Control-Request-Method" and "Access-Control-Request-Headers". Without these headers in the request CORS will not work — Orçun Çolak, Dec 24 '19 at 05:31

score 0 · Answer 1 · answered Dec 24 '19 at 04:55

0

Can you please see what value does the Response Header "access-control-allow-origin" has for the request to App A, this should not be "*" but instead "http://localhost:9000".

answered Dec 24 '19 at 04:55

Mohammed Rahamatullah

1
3

here is response header i got ``` Content-Type →text/plain;charset=UTF-8 Content-Length →74 Date →Tue, 24 Dec 2019 05:10:01 GMT Keep-Alive →timeout=60 Connection →keep-alive ``` – kungho Dec 24 '19 at 05:10

score 0 · Answer 2 · answered Dec 24 '19 at 05:13

Assuming your Apps are running on different ports.

I added following code to check for all Headers which are being sent.

for (Entry<String, List<String>> header : con.getHeaderFields().entrySet()) {
    System.out.println(header.getKey() + "=" + header.getValue());
}

I got following response

Keep-Alive=[timeout=60]
Transfer-Encoding=[chunked]
null=[HTTP/1.1 200]
Connection=[keep-alive]
Date=[Tue, 24 Dec 2019 05:03:36 GMT]
Content-Type=[application/json]

Please try same for your case.

So there is no access-control-allow-origin avaliable in the API call. This can be treated as a standalone call and no CORS in picture.

Its same like calling http://localhost:8080/hello from browser or POSTMAN.

If you really want to test CORS, try calling same ajax API from some UI running in 8081 App.

Please inspect Headers in browser inspect to see which parameters are being pass. You will see CORS error.

can u explain more to me why there is no access-control-allow-origin avaliable in the API call. How is that different from ajax API call ? — kungho, Dec 24 '19 at 06:03

score -1 · Answer 3 · answered Dec 24 '19 at 04:04

-1

Cross-Origin Resource Sharing (CORS) is a security policy that uses HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin.

I think the below link gives you clarity.

http://zetcode.com/springboot/cors/

answered Dec 24 '19 at 04:04

Shashidhar Reddy

187
1
6

that doesn't seem answer my questions. By definition, localhost:8080 and localhost:8081 are two different origins. Therefore, the request from localhost:8081 to 8080 should not be served since the port is not 9000. Am i missing anything ? – kungho Dec 24 '19 at 04:11
I thought that link will help you in some way to get clarity on the topic . There is no exact solution for your question in that link. Sorry if its not useful! – Shashidhar Reddy Dec 25 '19 at 12:44

@CrossOrigin in SpringBoot

3 Answers3