CORS issue – No ‘Access-Control-Allow-Origin’ header is present on the requested resource

by

CORS’ preflight request uses HTTP OPTIONS without credentials, see Cross-Origin Resource Sharing:

Otherwise, make a preflight request. Fetch the request URL from origin source origin using referrer source as override referrer source with the manual redirect flag and the block cookies flag set, using the method OPTIONS, and with the following additional constraints:

  • Include an Access-Control-Request-Method header with as header field value the request method (even when that is a simple method).
  • If author request headers is not empty include an Access-Control-Request-Headers header with as header field value a comma-separated list of the header field names from author request headers in lexicographical order, each converted to ASCII lowercase (even when one or more are a simple header).
  • Exclude the author request headers.
  • Exclude user credentials.
  • Exclude the request entity body.

You have to allow anonymous access for HTTP OPTIONS.

Spring Security 3

Your modified (and simplified) code:

@Override
protected void configure(HttpSecurity http) throws Exception {
   http
       .authorizeRequests()
           .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
           .antMatchers("/login").permitAll()
           .anyRequest().fullyAuthenticated()
           .and()
       .httpBasic()
           .and()
       .sessionManagement()
           .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
           .and()
       .csrf().disable();
}

You still need your CORS configuration (probably with some additional values):

@Configuration
@EnableWebMvc
public class CORSConfig extends WebMvcConfigurerAdapter  {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("*");
    }
}

Spring Security 4

Since Spring Security 4.2.0 you can use the built-in support, see Spring Security Reference:

19. CORS

Spring Framework provides first class support for CORS. CORS must be processed before Spring Security because the pre-flight request will not contain any cookies (i.e. the JSESSIONID). If the request does not contain any cookies and Spring Security is first, the request will determine the user is not authenticated (since there are no cookies in the request) and reject it.

The easiest way to ensure that CORS is handled first is to use the CorsFilter. Users can integrate the CorsFilter with Spring Security by providing a CorsConfigurationSource using the following:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
      http
          // by default uses a Bean by the name of corsConfigurationSource
          .cors().and()
          ...
  }

  @Bean
  CorsConfigurationSource corsConfigurationSource() {
      CorsConfiguration configuration = new CorsConfiguration();
      configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
      configuration.setAllowedMethods(Arrays.asList("GET","POST"));
      UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
      source.registerCorsConfiguration("/**", configuration);
      return source;
  }
}

More Related Contents:

  1. How to get a cross-origin resource sharing (CORS) post request working
  2. XMLHttpRequest Origin null is not allowed Access-Control-Allow-Origin for file:/// to file:/// (Serverless)
  3. What’s the point of the X-Requested-With header?
  4. How to configure CORS in a Spring Boot + Spring Security application?
  5. Access-Control-Allow-Origin error sending a jQuery Post to Google API’s
  6. IE9 jQuery AJAX with CORS returns “Access is denied”
  7. Spring security CORS Filter
  8. XMLHttpRequest cannot load an URL with jQuery
  9. CORS header ‘Access-Control-Allow-Origin’ missing
  10. How to enable CORS in flask
  11. Spring Boot Security CORS
  12. CORS jQuery AJAX request
  13. Ajax using https on an http page
  14. jQuery CORS Content-type OPTIONS
  15. Error :Request header field Content-Type is not allowed by Access-Control-Allow-Headers
  16. Disable Spring Security for OPTIONS Http Method
  17. Spring Boot CORS filter – CORS preflight channel did not succeed
  18. xmlHttp.getResponseHeader + Not working for CORS
  19. Spring MVC 415 Unsupported Media Type
  20. How do you send a custom header in a CORS preflight OPTIONS request?
  21. CORS request – why are the cookies not sent?
  22. Post Nested Object to Spring MVC controller using JSON
  23. How to return an object from a Spring MVC controller in response to AJAX request?
  24. Bottle Py: Enabling CORS for jQuery AJAX requests
  25. How can I set CORS in Azure BLOB Storage in Portal?
  26. Spring Boot with embedded Tomcat behind Apache proxy
  27. Allowing frontend JavaScript POST requests to https://accounts.spotify.com/api/token endpoint
  28. jQuery AJAX call results in error status 403
  29. Is it possible to invalidate a spring security session?
  30. disable textbox using jquery?

Leave a Comment