Affects: 2.3.3.RELEASE

I've been seeing this effect since last night when I added this filter:

class SecurityFilter : HttpFilter(){
    override fun doFilter(request: HttpServletRequest, response: HttpServletResponse, chain: FilterChain) {
        if(request.method!=RequestMethod.GET.name){
            val token=request.getHeader("Auth")
            if(token!=null && token=="---SOME_VALUE---")
                super.doFilter(request, response, chain)
            return
        }
        super.doFilter(request, response, chain)
    }
}

And added it as a bean in configuration class:

@Bean
fun securityFilter(): FilterRegistrationBean<SecurityFilter>{
        val bean=FilterRegistrationBean<SecurityFilter>()
        bean.filter= SecurityFilter()
        bean.order= Ordered.LOWEST_PRECEDENCE-100
//      bean.add
        bean.addUrlPatterns("---SOME PATTERNS---")
        return bean
}

Before this I had these following CORS mappings:

@Bean
fun corsConfigurer(): WebMvcConfigurer {
    return object : WebMvcConfigurer {
        override fun addCorsMappings(registry: CorsRegistry) {
            registry.addMapping("/**")
                    .allowedMethods("GET", "POST", "PUT", "DELETE")
                    .allowedOrigins("*")
                    .allowedHeaders("*")
        }
    }
}

  1. After adding this filter I started getting responses with No 'Access-Control-Allow-Origin' header is present on the requested resource. I dug up further and tried to find some problem with the SecurityFilter but with no clue, I just refreshed it the page, and the error was gone. But after some time while testing it came up again. Digging up further I found that it's creating a pattern that when the site loads for the first time it doesn't find the Access-Control-Allow-Origin header and hence no response is fetched but after the first call it worked just fine.

  2. That's not all as I am also using spring-boot-starter-data-rest and have also configured CORS for this as well:

override fun configureRepositoryRestConfiguration(config: RepositoryRestConfiguration) {
        config.corsRegistry
                .addMapping("/**")
                .allowedMethods("GET", "POST", "PUT", "DELETE")
                .allowedOrigins("*")
                .allowedHeaders("*")
    }

While the 1st resolves after the first invocation, the RepositoryRestConfiguration still doesn't apply and may/may not work (most of the time does not) as there is some race condition (either at the server startup/initialization or during invocation).

EDIT 1st is also working randomly I test it and it breaks upon server restarts and same can be seen with the 2nd as well.

Comment From: Guneetgstar

RESOLVED: The issue was with if(request.method!=RequestMethod.GET.name) check as the request made by the browser is OPTIONS and if called, the super.doFilter(request, response, chain) won't be called and hence other filters won't be applied. The randomization was due to change in code and browser caching Header info from previous requests as I have changed the SecurityFilter many times during testing with/without the if(request.method!=RequestMethod.GET.name) condition