Spring security + session : Receive "Set-Cookie" header but not set in browser

spring spring-boot spring-mvc spring-security spring-session
11,394

Solution 1

Issue was in angular side ! I added an interceptor adding the withCredentials parameter and it works.

@Injectable()
export class XhrInterceptor implements HttpInterceptor {

  intercept(req: HttpRequest<any>, next: HttpHandler) {
    const xhr = req.clone({
      withCredentials: true
    });
    return next.handle(xhr);
  }
}

Solution 2

Create a CORS Filter in backend add this 

response.setHeader("Access-Control-Allow-Headers",
                "Date, Content-Type, Accept, X-Requested-With, Authorization, From, X-Auth-Token, Request-Id");
response.setHeader("Access-Control-Expose-Headers", "Set-Cookie");
response.setHeader("Access-Control-Allow-Credentials", "true");
Share:
11,394

Related videos on Youtube

BkSouX
Author by

BkSouX

Updated on June 04, 2022

Comments

  • BkSouX
    BkSouX almost 2 years

    I'm trying Spring Security & Session with an Angular front end. I get a 200 code when trying to login with that response header : 

    Set-Cookie: SESSION=NGJlYTkzODQtNTQzMy00NGIxLWEzOWYtYTc2MGNlZWY1OTJm; Path=/; HttpOnly; SameSite=Lax

    But in my next request to the server, no cookie is automatically set in the request. And by the way, I cannot see the cookie in the developer tools so I think it's not saved.

    I'm working in local for the front & back end.

    Here are some info about the back end :

    • using Spring MongoDb Session @Configuration @EnableMongoHttpSession public class SessionConfig { }

      • Classic Spring security Config

    ` @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { private final CustomAuthenticationProvider authProvider;

    public SecurityConfig(CustomAuthenticationProvider authProvider) {
    this.authProvider = authProvider;
}

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(authProvider);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .cors().and()
        .authorizeRequests()
        .anyRequest().authenticated()
        .and()
        .httpBasic(); //todo csrf
}

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Collections.singletonList("http://localhost:4200")); // todo properties by environment
    configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH"));
    configuration.setAllowedHeaders(Arrays.asList("X-Requested-With", "Origin", "Content-Type", "Accept", "Authorization"));
    configuration.setAllowCredentials(true);
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

    } `

    The session is well saved in the mongodb, just the id not saved in the browser. Any idea ?

    edit

    When setting observer: "response" in the httpClient parameters, I cannot see the Set-Cookie header :

    "cache-control: no-cache, no-store, max-age=0, must-revalidate,content-type: application/json,expires: 0,pragma: no-cache"

    But in the developer tool I have :

    HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers Access-Control-Allow-Origin: http://localhost:4200 Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Set-Cookie: SESSION=YTEwOTNkNjAtZjI4MS00ZmM2LWExYmEtYzA5NzJhMjAyNTJh; Path=/; HttpOnly; SameSite=Lax Content-Type: application/json Transfer-Encoding: chunked Date: Mon, 01 Jul 2019 11:25:08 GMT

    • Mr code.
      Mr code. almost 5 years
      Try reading full response at angular side by passing option observe: 'response'
    • BkSouX
      BkSouX almost 5 years
      Set-Cookie is not in the array. I only have "cache-control: no-cache, no-store, max-age=0, must-revalidate,content-type: application/json,expires: 0,pragma: no-cache"
    • BkSouX
      BkSouX almost 5 years
      Got it ! Thank you @Mrcode. I had to add the withCredentials parameter in angular side.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to use AuthorizationServerSecurityConfigurer?
how to achieve Ldap Authentication using spring security(spring boot)
Spring security 401 Unauthorized even with permitAll
Cannot get rid of "An Authentication object was not found in the SecurityContext" in a Spring Boot application without @WithMockUser
Java Spring Security - User.withDefaultPasswordEncoder() is deprecated?
Spring Boot Security Anonymous authorization
Spring boot - return 403 Forbidden instead of redirect to login page
@WithMockUser doesn't pick Spring Security auth credentials
Null @AuthenticationPrincipal with Spring-Boot / Security
Java + Spring Boot: I am trying to add CacheControl header to ResponseEntity