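import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration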
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().cors().and().authorizeRequests()
            .antMatchers("/xxxxx").permitAll().antMatchers("/yyyyyyy").permitAll();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH"));
        configuration.setAllowedHeaders(Arrays.asList("Authorization", "Cache-Control", "Content-Type"));
        configuration.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

Hi, this is my configuration class for the CORS settings. Sometimes (80%) it works, but I don't know why it sometimes doesn't. Seems that it's a bug. I tested on Firefox. The server package is based on Java 11 and Spring Boot 2.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://xxxxxxxxxxx. (Reason: CORS request did not succeed).

Comment From: wilkinsona

Thanks for the report. Unfortunately, it doesn't contain enough information for us to be able to help you. For example, you've said you're using Spring Boot 2, but haven't said specifically which version you're using. There are also lots of other things that may be related that we can't learn about from a small snippet of Spring Security configuration.

If you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.

Comment From: fintechee

@wilkinsona Many thanks for your quick reply. I'm sorry for not providing enough information. Because it happens randomly (80% of the time it works fine), I don't know how to make a sample to reproduce the error. I use spring-boot-starter-parent 2.3.2.RELEASE.

When I test it on my local PC, the error doesn't occur at all (my web server's port is 8081, my Spring backend's port is 8080). But when I test it on our cloud server, the error occurs (it happens randomly; the homepage's domain is www.fintechee.com, and the cloud server where the Spring backend is deployed is www.bounty.red). I think maybe that was caused by using a VPS (proxy)? Because I use a proxy to access our cloud server.

If you want to check it, please access https://www.fintechee.com/web-trader/ and send orders; after several rounds of testing, you may reproduce the error. Please ignore the errors from www.fxstreet.com (this is another REST API, not associated with this report). I have created a test credential for you: id: 835607 password: test

Thanks for your help again.

Comment From: wilkinsona

Thanks for the additional information. I tried sending some orders but received an error message regarding the account type.

Given that the problem happens intermittently, I think it's unlikely that it's going to be caused by a bug in Spring Boot or Spring Security or by an application configuration error. If any of these were the cause I would expect requests to fail every time or succeed every time.

From what you've described thus far, I think it's likely that the problem relates to the proxy or the network setup in general. Perhaps the CORS-related headers are different in certain cases depending on how the request is routed to the back end? You may be able to diagnose this by debugging the back end or by using Spring Boot's HTTP tracing.

In the absence of a sample that reproduces the problem and an indication that this is a bug in Spring Boot, I'm going to close this issue. If you would like some further help in tracking down the problem, please follow up on Stack Overflow or Gitter. If this investigation identifies a bug in Spring Boot, we can re-open this issue and take another look.

Comment From: fintechee

@wilkinsona Many thanks for your help. I think so too. I will try the HTTP tracing tools to dig into the reason further.
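
One way to do the back-end debugging suggested in the thread, as an added example that is not code from the issue or from Spring: a hypothetical `CorsTraceFilter` (the class name and log format are assumptions; `javax.servlet` matches Spring Boot 2.x) that logs, for every request carrying an `Origin` header, how it arrived and which CORS headers the response left with.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical diagnostic filter (name and log format are assumptions).
// Ordered ahead of the Spring Security filter chain so that, once the chain
// returns, the headers written during CORS processing are visible on the response.
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CorsTraceFilter extends OncePerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(CorsTraceFilter.class);

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        String origin = request.getHeader("Origin");
        if (origin == null) { // no Origin header, so CORS processing does not apply
            chain.doFilter(request, response);
            return;
        }
        // A preflight is an OPTIONS request that announces the method it wants to use.
        boolean preflight = "OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        try {
            chain.doFilter(request, response);
        } finally {
            // One line per cross-origin request: how it arrived and what CORS answer it got.
            log.info("cors-trace method={} uri={} preflight={} origin={} forwardedFor={} via={} "
                    + "status={} allowOrigin={} allowCredentials={}",
                    request.getMethod(), request.getRequestURI(), preflight, clean(origin),
                    clean(request.getHeader("X-Forwarded-For")), clean(request.getHeader("Via")),
                    response.getStatus(), response.getHeader("Access-Control-Allow-Origin"),
                    response.getHeader("Access-Control-Allow-Credentials"));
        }
    }

    // Header values are client-controlled: strip CR/LF so they cannot forge log lines.
    private static String clean(String value) {
        return value == null ? null : value.replaceAll("[\\r\\n]", "_");
    }
}
```

A browser request that fails without producing a `cors-trace` line never reached the application, which points at the proxy or network path rather than the CORS configuration.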