Cross-Origin Resource Sharing with Spring Security

by

I was able to do this by extending UsernamePasswordAuthenticationFilter… my code is in Groovy, hope that’s OK:

public class CorsAwareAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    static final String ORIGIN = 'Origin'

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response){
        if (request.getHeader(ORIGIN)) {
            String origin = request.getHeader(ORIGIN)
            response.addHeader('Access-Control-Allow-Origin', origin)
            response.addHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
            response.addHeader('Access-Control-Allow-Credentials', 'true')
            response.addHeader('Access-Control-Allow-Headers',
                    request.getHeader('Access-Control-Request-Headers'))
        }
        if (request.method == 'OPTIONS') {
            response.writer.print('OK')
            response.writer.flush()
            return
        }
        return super.attemptAuthentication(request, response)
    }
}

The important bits above:

  • Only add CORS headers to response if CORS request detected
  • Respond to pre-flight OPTIONS request with a simple non-empty 200 response, which also contains the CORS headers.

You need to declare this bean in your Spring configuration. There are many articles showing how to do this so I won’t copy that here.

In my own implementation I use an origin domain whitelist as I am allowing CORS for internal developer access only. The above is a simplified version of what I am doing so may need tweaking but this should give you the general idea.

More Related Contents:

  1. Spring security CORS Filter
  2. Disable Spring Security for OPTIONS Http Method
  3. Filter invoke twice when register as Spring bean
  4. Spring Data Rest and Cors
  5. How to create custom methods for use in spring security expression language annotations
  6. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  7. How to disable spring security for particular url
  8. Difference between Role and GrantedAuthority in Spring Security
  9. Can Spring Security use @PreAuthorize on Spring controllers methods?
  10. How to disable ‘X-Frame-Options’ response header in Spring Security?
  11. How to enable HTTP response caching in Spring Boot
  12. “Defective token detected” error (NTLM not Kerberos) with Kerberos/Spring Security/IE/Active Directory
  13. RESTful Authentication via Spring
  14. 401 instead of 403 with Spring Boot 2
  15. How to redirect to the homepage if the user accesses the login page after being logged in?
  16. multiple authentication mechanisms in a single app using java config
  17. Spring webSecurity.ignoring() doesn’t ignore custom filter
  18. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  19. Unit testing with Spring Security
  20. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  21. Spring Security, secured and none secured access
  22. Creating multiple HTTP sections in Spring Security Java Config
  23. How to use new PasswordEncoder from Spring Security
  24. RESTful webservice : how to set headers in java to accept XMLHttpRequest allowed by Access-Control-Allow-Origin
  25. How to test spring-security-oauth2 resource server security?
  26. How do I add method based security to a Spring Boot project?
  27. What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
  28. Disable HTTP OPTIONS method in spring boot application
  29. Spring Boot Microservices – Spring Security – ServiceTest and ControllerTest for JUnit throwing java.lang.StackOverflowError
  30. Custom Authentication Manager with Spring Security and Java Configuration

Leave a Comment