Can you completely disable CORS support in Spring?
98,219
Solution 1
For newer versions of spring boot:
@Configuration
public class WebConfiguration implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**").allowedMethods("*");
}
}
The Kotlin way
@Configuration
class WebConfiguration : WebMvcConfigurer {
override fun addCorsMappings(registry: CorsRegistry) {
registry.addMapping("/**").allowedMethods("*")
}
}
Solution 2
From their documentation:
If you are using Spring Web MVC
@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedMethods("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH");
}
}
If you are using Spring Boot:
@Configuration
public class MyConfiguration {
@Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurerAdapter() {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedMethods("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH");
}
};
}
}
Yuriy Yunikov answer is correct as well. But I don't like the "custom" filter.
In case you have Spring Web Security which causes you trouble. Check this SO Answer.
Solution 3
Try to add a following filter (you can customize it for you own needs and methods supported):
@Component
public class CorsFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
final FilterChain filterChain) throws ServletException, IOException {
response.addHeader("Access-Control-Allow-Origin", "*");
response.addHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, PATCH, HEAD");
response.addHeader("Access-Control-Allow-Headers", "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
response.addHeader("Access-Control-Expose-Headers", "Access-Control-Allow-Origin, Access-Control-Allow-Credentials");
response.addHeader("Access-Control-Allow-Credentials", "true");
response.addIntHeader("Access-Control-Max-Age", 10);
filterChain.doFilter(request, response);
}
}
Solution 4
I use Spring Security in my Spring Boot application and enable access from specific domains (or from all domains).
My WebSecurityConfig:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
// ...
@Override
protected void configure(HttpSecurity http) throws Exception {
// add http.cors()
http.cors().and().csrf().disable().authorizeRequests()
.antMatchers("/get/**").permitAll()
.antMatchers("/update/**").hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.httpBasic(); // Authenticate users with HTTP basic authentication
// REST is stateless
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
// To enable CORS
@Bean
public CorsConfigurationSource corsConfigurationSource() {
final CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(ImmutableList.of("https://www.yourdomain.com")); // www - obligatory
// configuration.setAllowedOrigins(ImmutableList.of("*")); //set access from all domains
configuration.setAllowedMethods(ImmutableList.of("GET", "POST", "PUT", "DELETE"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
Sometimes is needed to clear browser history before testing.
Detailed information may be seen here: http://appsdeveloperblog.com/crossorigin-restful-web-service/
Just for those who use Angular. From Angular I run requests to backend:
export class HttpService {
username = '..';
password = '..';
host = environment.api;
uriUpdateTank = '/update/tank';
headers: HttpHeaders = new HttpHeaders({
'Content-Type': 'application/json',
Authorization: 'Basic ' + btoa(this.username + ':' + this.password)
});
constructor(private http: HttpClient) {
}
onInsertTank(tank: Tank) {
return this.http.put(this.host + this.uriUpdateTank, tank, {
headers: this.headers
})
.pipe(
catchError(this.handleError)
);
}
...
}
Old version. In my Spring Boot application no other ways worked then this:
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class RequestFilter implements Filter {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Allow-Headers", "x-requested-with, x-auth-token");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Credentials", "true");
if (!(request.getMethod().equalsIgnoreCase("OPTIONS"))) {
try {
chain.doFilter(req, res);
} catch (Exception ex) {
ex.printStackTrace();
}
} else {
System.out.println("Pre-flight");
response.setHeader("Access-Control-Allowed-Methods", "POST, GET, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "authorization, content-type,x-auth-token, " +
"access-control-request-headers, access-control-request-method, accept, origin, authorization, x-requested-with");
response.setStatus(HttpServletResponse.SC_OK);
}
}
public void init(FilterConfig filterConfig) {
}
public void destroy() {
}
}
Solution 5
Try this one if you have at least Java 8:
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().configurationSource(request -> new CorsConfiguration().applyPermitDefaultValues());
}
}
Author by
baynezy
Updated on November 19, 2021Comments
-
baynezy over 2 years
As described in CORS preflight request fails due to a standard header if you send requests to
OPTIONSendpoints with theOriginandAccess-Control-Request-Methodheaders set then they get intercepted by the Spring framework, and your method does not get executed. The accepted solution is the use@CrossOriginannotations to stop Spring returning a403. However, I am generating my API code with Swagger Codegen and so I just want to disable this and implement myOPTIONSresponses manually.So can you disable the CORS interception in Spring?
-
timomeinen over 5 yearsThis configuration enables CORS for all origins and all endpoints, sending "Access-Control-Allow-Origin: *", which is the opposite of disabling it. -
Antiokhos about 4 yearshttp.cors().and().csrf().disable() this one worked like charm...cheers -
lukas84 almost 4 yearsAll other "modern" methods had failed, but this "old version" method did the trick! Thank you so much!
-
Kirill Ch almost 4 years@lukas84 glad for you :) -
Mathias Mamsch almost 4 yearsThis post is underrated! I could not get CORS Working in spring-boot-starter-web for whatever reason ... This post solved it!
-
yannh over 3 yearssame here, spent hours on this and this solved the problem! -
Scott over 3 yearsAs of Spring 5.0, WebMvcConfigurerAdapter is deprecated and WebMvcConfigurer used instead.
-
Abhishek Kumar about 3 yearsSame here, this is crisp and to the point.
-
Uditha almost 3 years@KirillCh old is gold. that's the only method that worked for me. Thank you!
-
Dan over 2 yearsAgreed. I was using all of the spring docs, and it was this that made it work for me.
-
Danylo Zatorsky about 2 yearsThe most concise and elegant way to disable CORS I could find so far. Thanks!
-
dGayand about 2 yearsThe best answer out of all, thanks a lot it works nicely
-
Jonathan R about 2 yearsdid not work spring 2.6.7 java 18
-
Jonathan R about 2 yearsdid not work. java spring 2.6.7 java 18
