SpringBoot CORS not working? - Nineya|java/go/python

Using Athens-RC1/Boot-1.4.0

added this inner class, debugger shows the method executing

    @Profile( "development" )
    @Configuration
    static class Dev extends WebMvcConfigurerAdapter {
        @Override
        public void addCorsMappings( final CorsRegistry registry ) {
            registry.addMapping( "/**" )
                .allowedOrigins( "http://localhost:9000" );
        }
    }

but no headers

platform  % curl -vvv http://localhost:8080/health                                                                                                                    slave-vi
*   Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> GET /health HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.50.0
> Accept: */*
>
< HTTP/1.1 200
< X-Application-Context: application:xenoterracide,development
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Fri, 05 Aug 2016 01:01:17 GMT
<
* Connection #0 to host localhost left intact
{"status":"UP"}

also tried adding this to the application-xenoterracide.properties

endpoints.cors.allowed-origins=http://localhost:9000

Comment From: snicoll

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.

Comment From: xenoterracide

http://stackoverflow.com/q/38779852/206466

Comment From: xenoterracide

added this inner class, debugger shows the method executing

@Profile( "development" )
@Configuration
static class Dev extends WebMvcConfigurerAdapter {
    @Override
    public void addCorsMappings( final CorsRegistry registry ) {
        registry.addMapping( "/health" )
                .allowedOrigins( "http://localhost:9000" )
                .allowedHeaders( "*" )
                .allowedMethods( "GET", "OPTIONS" );
    }

}

but no header, an options request

rpf-content-manager  % curl -vvv -H"Origin: http://localhost:9000" -XOPTIONS http://localhost:8080/health                                                             slave-vi
*   Trying ::1...
* Connected to localhost (::1) port 8080 (#0)
> OPTIONS /health HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.50.0
> Accept: */*
> Origin: http://localhost:9000
>
< HTTP/1.1 200
< X-Application-Context: application:xenoterracide,development
< Allow: GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< Content-Length: 0
< Date: Fri, 05 Aug 2016 04:51:41 GMT
<

also tried adding this to the application-xenoterracide.properties

endpoints.cors.max-age=300
endpoints.cors.allowed-origins=http://localhost:9000

you can see from the configurations that that many headers aren't supposed to be there, a max-age should be and so should an origin... seems to be falling to a default config. At the very least I would say documentation needs to be improved.

Comment From: xenoterracide

hmm... still can't get the java config working but I don't actually need that... the properties seems to be just me setting the headers wrong though.

Comment From: ceefour

@xenoterracide Did you solve the problem? I have the same issue with Spring Boot 1.4.3 (with Security enabled). Access-Control-Allow-Origin is working on all methods except OPTIONS, it's driving me crazy.

Update: I checked your StackOverflow post, unfortunately in my case adding -H 'Access-Control-Request-Method: GET' didn't change anything in the response. :( probably different issue

Comment From: jannst

Hey, I know this is an old issue but I spent 5 hrs banging my head against the wall so I wanted to share our solution.

We had the same problem with Spring 5.3.6 also having WebSecurity enabled. It seems like Spring-Security WebSecurityConfigurerAdapter also needs to have some CORS configuration. With the following snippet, we leveraged the CORS configuration provided to Spring MVC.

We have done this by adding .cors(withDefaults()) to our WebSecurity config following this documentation. https://docs.spring.io/spring-security/site/docs/5.3.6.RELEASE/reference/html5/#cors Note: We did not add a CorsConfigurationSource Bean.

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // by default uses a Bean by the name of corsConfigurationSource
            .cors(withDefaults())
            ...
    }

After that our initial CORS setup which you can see below worked like a charm :)

@Configuration
@Profile("local")
public class WebMvcConfigLocal implements WebMvcConfigurer {

  @Override
  public void addCorsMappings(CorsRegistry registry) {
    registry
        .addMapping("/**")
        .allowedOrigins("*")
        .allowedMethods("*");
  }
}

Comment From: worldsayshi

Note to others: Make sure that all your filters are letting through the OPTIONS "pre flight" request.