Hello you all,
I am having the following error when sending requests from my front-end to my back-end:
Access to XMLHttpRequest at 'http://localhost:8080/users/login' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
This started after I updated the spring boot version from 2.1.8.RELEASE to 2.2.10.RELEASE
WebMvcConfigurer
@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry
.addMapping("/**")
.allowedMethods("OPTIONS", "HEAD", "GET", "PUT", "POST", "DELETE", "PATCH");
}
//other things ...
}
WebSecurityConfigurerAdapter
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers().xssProtection();
http.csrf().disable();
}
}
If I downgrade to version 2.1.8.RELEASE everything works fine.
If I add the cors configuration source in WebSecurity like mentioned in this page https://docs.spring.io/spring-security/site/docs/5.2.6.RELEASE/reference/htmlsingle/#cors it works in version 2.2.10.RELEASE. But it says in the same page that:
// if Spring MVC is on classpath and no CorsConfigurationSource is provided,
// Spring Security will use CORS configuration provided to Spring MVC
So, I don't understand why it stopped to work since there is nothing in release notes about this issue.
Comment From: wilkinsona
Spring Boot 2.2.x has reached the end of its OSS support period. Can you please try upgrading to 2.3.x or 2.4.x and let us know if the problem still occurs? If it does, and you would like us to spend some time investigating the cause, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.
Comment From: rafael-andrade
Hi @wilkinsona , thanks for the feedback.
I will create a project to reproduce the problem and I will send it here. To be honest, this problem won't cause a major issue for us (as far as I know) because all endpoints are called via api-gateway. But we are having problems when testing it locally. As I did not found any explanation for the problem, I tried to ask it here.
Tomorrow I will try to upload the project here with the problem that I am facing.
If I change my WebSecurityConfigureAdapter to:
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers().xssProtection();
http
.cors().configurationSource(corsConfigurationSource())
.and()
.csrf().disable();
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.addAllowedOrigin("*");
configuration.addAllowedHeader("*");
configuration.addAllowedMethod("*");
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
Everything works fine, but I am not supposed to change the backend. So, because of that I am looking for the root cause. The team updated the back-end and I am afraid that it could lead to some other problem.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.