Spring security CORS Filter

by

Since Spring Security 4.1, this is the proper way to make Spring Security support CORS (also needed in Spring Boot 1.4/1.5):

@Configuration
public class WebConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedMethods("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH");
    }
}

and:

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
//        http.csrf().disable();
        http.cors();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        final CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(ImmutableList.of("*"));
        configuration.setAllowedMethods(ImmutableList.of("HEAD",
                "GET", "POST", "PUT", "DELETE", "PATCH"));
        // setAllowCredentials(true) is important, otherwise:
        // The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
        configuration.setAllowCredentials(true);
        // setAllowedHeaders is important! Without it, OPTIONS preflight request
        // will fail with 403 Invalid CORS request
        configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

Do not do any of below, which are the wrong way to attempt solving the problem:

  • http.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll();
  • web.ignoring().antMatchers(HttpMethod.OPTIONS);

Reference: http://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/cors.html

More Related Contents:

  1. Filter invoke twice when register as Spring bean
  2. CORS allowed-origin restrictions aren’t causing the server to reject requests
  3. Disable Spring Security for OPTIONS Http Method
  4. How to disable ‘X-Frame-Options’ response header in Spring Security?
  5. How to enable HTTP response caching in Spring Boot
  6. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  7. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  8. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  9. Securing Spring Boot API with API key and secret
  10. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  11. How do I disable resolving login parameters passed as url parameters / from the url
  12. How do I add method based security to a Spring Boot project?
  13. What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
  14. disabling spring security in spring boot app [duplicate]
  15. Disabling a filter for only a few paths
  16. Spring Boot and multiple external configuration files
  17. How To Inject AuthenticationManager using Java Configuration in a Custom Filter
  18. Spring Boot – Handle to Hibernate SessionFactory
  19. Unable to get spring boot to automatically create database schema
  20. Change database schema used by Spring Boot
  21. Spring Boot and custom 404 error page
  22. Multipart File upload Spring Boot
  23. How to get the current logged in user object from spring security?
  24. Spring: overriding one application.property from command line
  25. Spring security’s SecurityContextHolder: session or request bound?
  26. How to set SameSite and Secure attribute to JSESSIONID cookie
  27. Spring-Boot How to properly inject javax.validation.Validator
  28. How to log all active properties of a spring boot application before the beans instantiation?
  29. How do you configure Embedded MongDB for integration testing in a Spring Boot application?
  30. Externalize query in spring boot application

Leave a Comment