
I had wasted lots of time fixing this issue, but none of the existing solutions work in my case. Let me explain the server setup I have. I have 2 Docker containers, one for the Angular app (nginx - url - http://localhost:8080) and one for the Spring Boot application (Tomcat - url - http://localhost:8081). This app is using OAuth2 jdbcToken authentication for API requests.

This app is a simple user registration app.

I could register a new user since the register URL is not secured and does not pass any Authorization header. But once the user logs in, the CORS issue kicks in. Below I have listed the errors.

Access to XMLHttpRequest at 'http://localhost:8081/v1/api/group/find/shib' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

Let me tell you what I had done to resolve this. In the Angular HTTP request I have added the following headers.

// Request headers set on the Angular HttpClient call
const headers = {
    'Authorization': 'Bearer ' + this.token(),
    'Access-Control-Allow-Methods': '*',
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Headers': 'Content-Type, Accept, X-Requested-With, remember-me, Authorization',
    'Access-Control-Expose-Headers': 'Content-Type, Accept, X-Requested-With, remember-me, Authorization'
};

In Spring Boot I added @CrossOrigin / @CrossOrigin("http:localhost:8080") on the REST controllers, together with a CORSFilter:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CORSFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // CORS headers written on every response, including the preflight
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me, Authorization");
        // The OPTIONS preflight continues down the filter chain like any other request
        chain.doFilter(req, res);
    }
}

After all the trial and error, I am still getting the same error.

    What’s the HTTP status code of the response? You can use the Network pane in browser devtools to check. – sideshowbarker Feb 18 '20 at 07:07
  • headers: HttpHeaders {normalizedNames: Map(0), lazyUpdate: null, headers: Map(0)} status: 0 statusText: "Unknown Error" url: "http://localhost:8081/v1/api/group/find/shib" ok: false name: "HttpErrorResponse" message: "Http failure response for http://localhost:8081/v1/api/group/find/shib: 0 Unknown Error" error: ProgressEvent {isTrusted: true, lengthComputable: false, loaded: 0, total: 0, type: "error", …} __proto__: HttpResponseBase – John Feb 18 '20 at 07:11
  • @sideshowbarker No HTTP status code is coming – John Feb 18 '20 at 07:14
  • See the answers at https://stackoverflow.com/a/42021652/441757 and https://stackoverflow.com/a/43559441/441757 and https://stackoverflow.com/a/42208796/441757 – sideshowbarker Feb 18 '20 at 07:32
  • No luck with it. I have tried it. – John Feb 18 '20 at 09:23
  • @JohnThomas As sideshowbarker already wrote, you have to show request and response with headers. For example a screenshot of your dev tool in your browser (F12). Also show your Spring Security configuration. – dur Feb 18 '20 at 12:07

1 Answer


I read and understood much more about preflight requests and the way they work. A quick thought I had was to let OPTIONS requests go through, so I added the following code to my WebSecurityConfigurerAdapter.

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // class name is illustrative

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
            // Allow the browser's CORS preflight through unauthenticated. "/**" matches every
            // path; a bare "*" pattern does not match paths such as /v1/api/group/find/shib.
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .antMatchers("/oauth/token").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .httpBasic();
    }
}

And no extra headers from the Angular UI except Authorization.

I hope this works for everyone. I know now that OPTIONS are vulnerable, but this was just a quick workaround. Please let me know if you have a better, safer solution.

  • When an `AUTHORIZATION` header is added to a request, the browser will automatically do a pre-flight OPTIONS request. The server must respond with proper CORS headers. Otherwise the browser will block access to the response. An OK status response from an OPTIONS request is mandatory. – georgeawg Feb 18 '20 at 18:33
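A safer alternative to permitting OPTIONS on every path, added here as an example and not code from the question or the answer: let Spring Security's own CORS support answer the preflight that georgeawg describes before authentication runs, with the origin pinned to the Angular container instead of "*". It assumes Spring Boot 2.x / Spring Security 5.x and the URL paths from the question; the class name is made up.

```java
import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@EnableWebSecurity
public class CorsSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // http.cors() registers Spring's CorsFilter ahead of the authentication filters.
            // For a preflight (OPTIONS + Origin + Access-Control-Request-Method) that filter
            // writes the CORS headers and returns 200 itself, so the unauthenticated preflight
            // never reaches the rules below and OPTIONS does not need to be opened globally.
            .cors().configurationSource(corsConfigurationSource())
            .and()
            .csrf().disable() // bearer-token API, as in the question's configuration
            .authorizeRequests()
                .antMatchers("/oauth/token").permitAll()
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Exact origin of the Angular container from the question, not a wildcard:
        // a wildcard origin is rejected by browsers when credentials are involved.
        config.setAllowedOrigins(Arrays.asList("http://localhost:8080"));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // Request headers the browser lists in Access-Control-Request-Headers; the
        // Authorization header is what triggers the preflight in the first place.
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "Accept", "X-Requested-With"));
        // A Bearer header does not need credentials mode; enable it only if cookies are used.
        config.setAllowCredentials(false);
        config.setMaxAge(3600L); // cache the preflight result for an hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/v1/api/**", config); // paths from the question
        source.registerCorsConfiguration("/oauth/**", config);
        return source;
    }
}
```

With this in place the CORSFilter from the question and the response-style headers sent from Angular are no longer needed; the check in the browser's Network pane is an OPTIONS request answered with 200 and an Access-Control-Allow-Origin of http://localhost:8080.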