Spring Security OAuth2 CORS issue for Authorization header

2
votes

I use <spring.version>4.2.0.RELEASE</spring.version>, <spring.security.version>4.0.2.RELEASE</spring.security.version>, and <spring.security.oauth2.version>2.0.9.RELEASE</spring.security.oauth2.version>.

I use @CrossOrigin to dela with CORS. For now, I want to allow all the headers and all the methods. I can use any of the other headers than Authorization without any CORS issue. But with Authorization(header to send Bearer token), I get CORS issue. I use @CrossOrigin annotatiion at Class level and allow all the headers as below - 

@CrossOrigin(allowedHeaders = {"*"})

No 'Access-Control-Allow-Origin' header is present on the requested resource

How can I allow Authorization header as well as I did all other headers and avoid CORS issues?

1
javaspring-securitycorsauthorizationspring-oauth2

1 Answers

1
votes

You can add the following to any configuration file:

@Bean
public CorsFilter corsFilter() {
    final UrlBasedCorsConfigurationSource urlBasedCorsConfigurationSource = new UrlBasedCorsConfigurationSource();
    final CorsConfiguration corsConfiguration = new CorsConfiguration();
    corsConfiguration.setAllowCredentials(true);
    corsConfiguration.addAllowedOrigin("*");
    corsConfiguration.addAllowedHeader("*");
    corsConfiguration.addAllowedMethod("*");
    urlBasedCorsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
    return new CorsFilter(urlBasedCorsConfigurationSource);
}

EDIT For XML configuration, you could create a custom filter and add it to your filter chain:

public class CorsFilter implements Filter {

  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletResponse response = (HttpServletResponse) res;
    response.setHeader("Access-Control-Allow-Origin", "*");
    response.setHeader("Access-Control-Allow-Methods", "*");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers", "*");
    chain.doFilter(req, res);
  }

  public void init(FilterConfig filterConfig) {}

  public void destroy() {}

}

XML config

<security:filter-chain-map>
    <sec:filter-chain pattern="/**"
        filters="
        ConcurrentSessionFilterAdmin, 
        securityContextPersistenceFilter, 
        logoutFilterAdmin, 
        usernamePasswordAuthenticationFilterAdmin, 
        basicAuthenticationFilterAdmin, 
        requestCacheAwareFilter, 
        securityContextHolderAwareRequestFilter, 
        anonymousAuthenticationFilter, 
        sessionManagementFilterAdmin, 
        exceptionTranslationFilter, 
        filterSecurityInterceptorAdmin,
        CorsFilter"/>
</security:filter-chain-map>