spring CORS and angular not working : HTTP status code 403 error
Solution 1
Try this configuration. It should work fine for you.
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("*"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH"));
configuration.setAllowedHeaders(Arrays.asList("X-Requested-With", "Origin", "Content-Type", "Accept", "Authorization"));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
Since you are using spring security / authentication. You should use setAllowCredentials(true).
Solution 2
I was stuck with this problem for 2 days and by adding @CrossOrigin("*")
in controller
solved my problem.
note: you can put your origin address
instead of *
Solution 3
Use
@CrossOrigin("http://your-foreign-site/")
@RequestMapping("/token")
instead.
Tsetiz Bista
Updated on July 09, 2022Comments
-
Tsetiz Bista almost 2 years
I am new to angular and spring-security.I am having problem with CORS when trying to log in from angular login-form page using basic authentication to the rest endpoint. My Angular code is running on http://localhost:4200 and rest end point on http://localhost:8181. My angular login-form tries to make request to http://localhost:8181/token which I have specified in my login controller. Even though I have added cors configuration in server side, I get this error :-
Failed to load http://localhost:8181/token: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. The response had HTTP status code 403.
(angular) login.service.ts:-
@Injectable() export class LoginService { constructor(private http: Http) {} sendCredential(username: string, password: string) { const url = 'http://localhost:8181/token'; const encodedCredential = username + ':' + password; const basicHeader = 'Basic ' + btoa(encodedCredential); const headers = new Headers(); headers.append('Content-Type', 'application/x-wwww-form-urlencoded'); headers.append('Authorization' , basicHeader); const opts = new RequestOptions({headers: headers}); return this.http.get(url, opts); }
}
(spring) SecurityConfig.java
@Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { private static final String[] PUBLIC_MATCHERS = { "/css/**", "/js/**", "/image/**", "/book/**", "/user/**" }; @Override protected void configure(HttpSecurity http) throws Exception{ http .cors().and() .csrf().disable() .httpBasic() .and() .authorizeRequests() .antMatchers(PUBLIC_MATCHERS) .permitAll() .anyRequest() .authenticated(); } @Bean CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration = new CorsConfiguration(); configuration.setAllowedOrigins(Arrays.asList("*")); configuration.setAllowedMethods(Arrays.asList("GET","POST","DELETE","PUT","OPTIONS")); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", configuration); return source; } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userSecurityService).passwordEncoder(passwordEncoder()); }
LoginController.java
@RestController public class LoginController { @Autowired private UserService userService; @RequestMapping("/token") public Map<String, String> token(HttpSession session, HttpServletRequest request) { String remoteHost = request.getRemoteHost(); int portNumber = request.getRemotePort(); String remoteAddr = request.getRemoteAddr(); System.out.println(remoteHost + ":" + portNumber); System.out.println(remoteAddr); return Collections.singletonMap("token", session.getId()); } }
-
Zooly over 6 yearsCORS seems to be deactivated (spring.io/understanding/CORS)
-
Tsetiz Bista over 6 yearsI have added CORS configuration in SecurityConfig class as shown above in code block
-
Nitishkumar Singh over 6 yearsproblem is with your authentication mechanism, somehow it's not able to authenticate user. So it returns 403 status
-
Tsetiz Bista over 6 yearswhen i use traditional approach where the class implement Filter interface and perform filterChain.doFilter for every request/response for cors handling instead of spring CorConfigurationSource it works fine.
-
-
Tsetiz Bista over 6 yearsBut I want to add cors configuration in global level. Not in the controller.
-
ancm over 4 yearsNo matter what I do I'm getting 403. I am using KeycloakWebSecurityConfigurerAdapter with your code, I've tried a bunch of similar code.
-
vsoni over 4 years@ancm - it is very difficult to understand the exact problem without looking at the stack trace. Perhaps stackoverflow.com/questions/42153070/… or stackoverflow.com/questions/53493809/… or stackoverflow.com/questions/45051923/… might be helpful for you.