Spring Security Issue with HttpSecurity.logout() for frontend

We are not able to get CORS headers from CROSFIlter in logout request which restrict browsers to read the response.

Error on browser

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at {{URL}}. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.

Headers for request:

HTTP/2 200 OK
server: nginx
date: Tue, 28 Jun 2022 18:50:06 GMT
content-length: 0
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
x-frame-options: DENY
SameSite=None
cache-control: no-cache

Solution Implemented

.logoutSuccessHandler(
        (httpServletRequest, httpServletResponse, authentication) -> {
            httpServletResponse.setStatus(HttpServletResponse.SC_OK);
            System.out.println(httpServletRequest.getHeaderNames());
            httpServletResponse.setHeader("Access-Control-Allow-Origin" , "testing");
        })

StackOverflow: https://stackoverflow.com/questions/34154711/spring-security-logout-doesnt-work-with-spring-4-cors

using spring boot version 2.6.0

Comment From: sjohnr

@KJS1124, thanks for reaching out!

Have you tried using http.cors() in the Spring Security DSL in addition to providing a CorsFilter or CorsConfigurationSource @Bean? Otherwise, can you provide a minimal sample that demonstrates this issue?

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.