0

I tried to make a connection between my Angular frontend and a REST Endpoint in Java / Spring (which I didn't developed and don't know so well). By GET, all works. By POST, I receive the message in the terminal

has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

and, in the Network tab from the dev instruments, an error 403 on OPTIONS method

Request Method: OPTIONS
Status Code: 403 
Remote Address: xx.xx.xx.xx:xxxx
Referrer Policy: strict-origin-when-cross-origin

So, I found this case after several searching in internet and the cause is CORS settings: usually, in this scenario, a OPTIONS call is sent before a POST; but, due to CORS, an OPTIONS call is not allowed. So, I tried to set this row on my controller

@CrossOrigin(origins = "*", methods = {RequestMethod.OPTIONS, RequestMethod.GET, RequestMethod.POST, RequestMethod.PUT, RequestMethod.DELETE})

This time the error changed in

Multiple CORS header 'Access-Control-Allow-Origin' not allowed

But the code I added is the only similar to @CrossOrigin, I dind't found others similar.

So, my question is: which code can I search in the controller or also in other classes, which usually has the same role of the mentioned decorator?

(The app uses Spring Security; I didn't developed it and I am not so expert in Spring Security).

Edit

I have done exactly is in this discussion (is not exactly similar to mine) but, in this case, I receive this new error:

has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.

What can I do?

halfer
  • 19,824
  • 17
  • 99
  • 186
Archimede
  • 699
  • 3
  • 15
  • 28
  • What `origin` header did your client send? Spring Security only returns the `origin` header value, see https://github.com/spring-projects/spring-framework/blob/610de3ae786812f332b71a7453a67afd39834a03/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java#L551 – dur Mar 24 '21 at 21:27

2 Answers2

0

In your spring boot project add the below code to your controller.

@CrossOrigin(allowedHeaders =
    {"Orgin", "X-Requested-With", "Content-Type", "Accept", "Authorization"},
    methods = {RequestMethod.POST, RequestMethod.GET, RequestMethod.PUT, 
    RequestMethod.DELETE}
 )

This will solve your cross-origin issue if your services are running on the local server/any server which has any proxies.

Akhil kumar Amarneni
  • 220
  • 2
  • 11
  • Thank but the problem ist not this! The problem is, if I do this, I receive the message "Multiple CORS header 'Access-Control-Allow-Origin' not allowed". Please, read the last part of my post, until the end. And thank you very much anycase for your helping! – Archimede Mar 23 '21 at 15:38
  • 1
    @Archimede His answer is not complete, but at least it tells you, that you have to remove `RequestMethod.OPTIONS` to get rid of the error *Multiple CORS header 'Access-Control-Allow-Origin' not allowed*. – dur Mar 23 '21 at 21:28
-1

You can add a global policy to allow access implementing WebMvcConfigurer.

@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {

@Override
public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/**")
        .allowedMethods("*")
        .allowedOrigins("*")
        .allowedHeaders("*");
}

}

Yohan Nilanka Rodrigo
  • 1
  • 1
  • 1
  • 2
  • Thank but the problem ist not this! The problem is, if I do this, I receive the message "Multiple CORS header 'Access-Control-Allow-Origin' not allowed". Please, read the last part of my post, until the end. And thank you very much anycase for your helping! – Archimede Mar 23 '21 at 15:38
  • Your solution isn't working, because the dispatcher servlet is executed after the Spring Security filter chain. The preflight request never reaches the dispatcher servlet. – dur Mar 23 '21 at 21:22