
I have the following CORS configuration on my spring gateway:

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebFluxSecurity
public class GatewayConfig {

    @Bean
    public CorsWebFilter corsWebFilter() {

        final CorsConfiguration corsConfig = new CorsConfiguration();
        // Any origin, any request header; browsers may cache the preflight answer for an hour
        corsConfig.setAllowedOrigins(Collections.singletonList("*"));
        corsConfig.setMaxAge(3600L);
        corsConfig.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE"));
        corsConfig.addAllowedHeader("*");

        // The same CORS rules apply to every route behind the gateway
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfig);

        return new CorsWebFilter(source);
    }

}
```

It works perfectly fine with the GET, PUT and DELETE requests, but any POST request returns:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <service-url>. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 302

Update:

Actually, for some reason it only blocks POST requests on one route.

This is the security configuration:

```java
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // class name assumed; not shown in the question

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Validate tokens through configured OpenID Provider
        // (jwtAuthenticationConverter() is defined elsewhere in the class and not shown)
        http.oauth2ResourceServer().jwt().jwtAuthenticationConverter(jwtAuthenticationConverter());
        // Service security setup: writes on /polls are admin-only, voting needs any authenticated user
        http
            .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/polls").hasRole("ADMIN")
            .antMatchers(HttpMethod.PUT, "/polls/*").hasRole("ADMIN")
            .antMatchers(HttpMethod.DELETE, "/polls/*").hasRole("ADMIN")
            .antMatchers(HttpMethod.POST, "/polls/{author:[\\s\\S]+}/vote").authenticated()
            .antMatchers(HttpMethod.POST, "/polls/*").hasRole("ADMIN")
            .anyRequest().permitAll();
    }
}
```

CORS only blocks POST requests on the "/polls" route, while every other request works fine.

Sepfins

  • If you want to use CORS you need to enable it by calling `cors()` in your config, and you might also want to disable `csrf().disable()` downvoted. Missing debug logs or a working example. – Toerktumlare Mar 19 '22 at 18:45
  • @Toerktumlare, wooow, thanks! But "It works perfectly fine with the GET, PUT and DELETE requests" kinda implies that it's already enabled and works as expected on all routes except one! Cringe – Sepfins Mar 19 '22 at 19:02
  • `kinda implies that it's already enabled` no it does not since you have not posted any debug logs that back that claim, or a running reproducible example that I can run and verify. – Toerktumlare Mar 19 '22 at 20:48
  • Hi Sepfins. Not all requests trigger a pre-flight request. It is totally up to the browser to decide if a particular request is complex enough to trigger a pre-flight (OPTIONS) request. – Gaurav Mar 20 '22 at 11:52
  • Does this answer your question? [CORS issue - No 'Access-Control-Allow-Origin' header is present on the requested resource](https://stackoverflow.com/questions/42016126/cors-issue-no-access-control-allow-origin-header-is-present-on-the-requested) – dur Mar 21 '22 at 10:23
  • @dur, not really, since the header is absent only on one route and only with POST method. If I make the copy of the "/polls" route on, for example, "/polls/new", the header gets attached correctly, even though both the request and the CORS settings remain exactly the same. So I guess I'll use modified routes as a workaround. – Sepfins Mar 21 '22 at 12:57
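Toerktumlare's comment above points at `cors()` and `csrf().disable()`; the following is an added example, not code from the question or from any commenter, showing how the servlet-side security configuration from the question looks with CORS wired into Spring Security's own filter chain and with an explicit origin list instead of `*`. The class name `PollsSecurityConfig`, the origin `https://app.example.com` and the allowed-header list are assumptions, and the custom `jwtAuthenticationConverter()` bean from the question is left out.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class PollsSecurityConfig extends WebSecurityConfigurerAdapter { // name assumed

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // JWT validation as in the question; the custom jwtAuthenticationConverter() bean is omitted here.
        http.oauth2ResourceServer().jwt();
        http
            // cors() places Spring Security's CorsFilter before authentication, so a preflight OPTIONS
            // request (sent without an Authorization header) gets its CORS headers instead of a rejection.
            .cors().configurationSource(corsConfigurationSource())
            .and()
            // A bearer-token API carries no session cookie for CSRF to protect, so the CSRF filter
            // would only block legitimate cross-origin POST/PUT/DELETE calls.
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/polls").hasRole("ADMIN")
            .antMatchers(HttpMethod.PUT, "/polls/*").hasRole("ADMIN")
            .antMatchers(HttpMethod.DELETE, "/polls/*").hasRole("ADMIN")
            .antMatchers(HttpMethod.POST, "/polls/{author:[\\s\\S]+}/vote").authenticated()
            .antMatchers(HttpMethod.POST, "/polls/*").hasRole("ADMIN")
            .anyRequest().permitAll();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cors = new CorsConfiguration();
        // Placeholder origin: list the real front-end origins rather than "*".
        cors.setAllowedOrigins(List.of("https://app.example.com"));
        cors.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        cors.setAllowedHeaders(List.of("Authorization", "Content-Type")); // assumed header list
        cors.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cors);
        return source;
    }
}
```

With this in place a browser preflight for `POST /polls` is answered by the CorsFilter before the `hasRole("ADMIN")` rule is consulted, so the `Access-Control-Allow-Origin` header is present on that response as well.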

0 Answers