
I set CORS to allow a few custom headers. Below is the Response Header -

Response Headers {
  "Date": "Mon, 14 Mar 2016 10:11:59 GMT",
  "Server": "Apache-Coyote/1.1",
  "Transfer-Encoding": "chunked",
  "Access-Control-Max-Age": "3600",
  "Access-Control-Allow-Methods": "POST, GET, OPTIONS, DELETE, PUT",
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Headers": "X-Requested-With, Authorization, Content-Type, Authorization_Code, User_Credentials, Client_Credentials"
}

The above response header should mean that the API can be consumed from all origins with the following headers: Authorization, Content-Type, Authorization_Code, User_Credentials, Client_Credentials

I can pass all headers and consume APIs from all origins.

PROBLEM -

Requests to APIs with Authorization are not being allowed. Authorization is a header with which the OAuth token is passed, like this - Authorization = Bearer ct45tg4g3rf3rfr5freg34gerfgr3gf (Bearer token).

corsclient.js:609 OPTIONS http://54.200.113.97:8080/supafit-api/users sendRequest @ corsclient.js:609(anonymous function) @ corsclient.js:647b.event.dispatch @ jquery-1.9.1.min.js:3v.handle @ jquery-1.9.1.min.js:3 /client#?client_method=GET&client_credentials=false&client_headers=Authoriz…nable=true&server_status=200&server_credentials=false&server_tabs=remote:1 XMLHttpRequest cannot load http://54.200.113.97:8080/supafit-api/users. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://client.cors-api.appspot.com' is therefore not allowed access. The response had HTTP status code 401.

EDIT:

Here is the Rest Client test of that API -

Response Header -

Server: Apache-Coyote/1.1 
Cache-Control: no-cache, no-store, max-age=0, must-revalidate 
Pragma: no-cache 
Expires: 0
X-XSS-Protection: 1; mode=block 
X-Frame-Options: DENY
X-Content-Type-Options: nosniff 
Access-Control-Allow-Origin: http://client.cors-api.appspot.com 
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT 
Access-Control-Max-Age: 3600
Access-Control-Allow-Credentials: true 
Access-Control-Allow-Headers: X-Requested-With 
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Headers: Authorization_Code
Access-Control-Allow-Headers: User_Credentials
Access-Control-Allow-Headers: Client_Credentials 
Content-Type: application/json 
Transfer-Encoding: chunked 
Date: Mon, 14 Mar 2016 11:19:42 GMT

JSON Response Body -

{
  "id": 78,
  "userId": "3465434567",
  "coachId": null,
  "name": "XDCDSC",
  "dob": null,
  "email": "[email protected]",
  "imageURL": "https://lh5.googleusercontent.com/-TcTQeitAvag/AAAAAAAAAAI/AAA/4pamurzO1a4/photo.jpg",
  "gender": null,
  "userPhysic": null,
  "userTypeId": 1,
  "dietitanId": null,
  "alternateEmailId": null,
  "yearsOfExperience": null,
  "lastExperience": null,
  "languagesKnown": null,
  "aboutYourself": null,
  "coreCompetence": null,
  "fieldOfWork": null,
  "userAddresses": [
    {
      "id": 1,
      "userId": 78,
      "locationId": 1,
      "address": "EC",
      "landmark": "Near BN",
      "phoneNumber": null,
      "addressType": "Home"
    }
  ],
  "phoneNumbers": []
}

I use this site - www.test-cors.org/ - to test the CORS request and do not get a response. It only tells me that CORS is not allowed. When I test the API from the Rest Client, I get 'Authorization' as an allowed header, but still the CORS issue. Please see the 2nd paragraph of my question above to find the Response Header. Thanks!
Puneet Pandey

1 Answer


The response had HTTP status code 401.

Your server needs authentication for the Preflight Request, but the client removes credentials, as the CORS specification says:

Otherwise, make a preflight request. Fetch the request URL from origin source origin using referrer source as override referrer source with the manual redirect flag and the block cookies flag set, using the method OPTIONS, and with the following additional constraints:

  • Include an Access-Control-Request-Method header with as header field value the request method (even when that is a simple method).

  • If author request headers is not empty include an Access-Control-Request-Headers header with as header field value a comma-separated list of the header field names from author request headers in lexicographical order, each converted to ASCII lowercase (even when one or more are a simple header).

  • Exclude the author request headers.

  • Exclude user credentials.

  • Exclude the request entity body.

You have to change your server to allow anonymous access for the Preflight Request.
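As an added illustration of the answer (not the asker's server or the answerer's code), the handler below models the two server behaviours: one that runs authentication before CORS and so answers the credential-less OPTIONS preflight with 401 and no Access-Control-Allow-Origin, and one that answers the preflight anonymously and only then demands the bearer token on the actual request. Requests are plain dicts, the origin list and token are constructed placeholders, and the origin is echoed from an allow-list rather than "*".

```python
# Added example: why an auth-before-CORS server breaks preflight, and the fix.
# Requests and responses are plain dicts; no network involved.

ALLOWED_ORIGINS = {"http://client.cors-api.appspot.com"}  # origin from the question
ALLOWED_HEADERS = "X-Requested-With, Authorization, Content-Type"
ALLOWED_METHODS = "POST, GET, OPTIONS, DELETE, PUT"
VALID_TOKEN = "Bearer example-token"  # constructed placeholder, not a real token


def is_preflight(req):
    """A CORS preflight is an OPTIONS request carrying Origin and
    Access-Control-Request-Method; the browser sends it without credentials."""
    h = req["headers"]
    return (req["method"] == "OPTIONS" and "Origin" in h
            and "Access-Control-Request-Method" in h)


def cors_headers(origin):
    # Echo only an allow-listed origin instead of '*', so the browser also
    # accepts the response when the real request is sent with credentials.
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ALLOWED_METHODS,
            "Access-Control-Allow-Headers": ALLOWED_HEADERS,
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Max-Age": "3600"}


def handle_broken(req):
    """Auth runs before CORS: the preflight carries no Authorization, so it
    gets 401 with no CORS headers, which is the browser error quoted above."""
    if req["headers"].get("Authorization") != VALID_TOKEN:
        return 401, {}
    return 200, cors_headers(req["headers"].get("Origin"))


def handle_fixed(req):
    """Answer a preflight anonymously (it returns no resource data), then
    require the bearer token for the actual request exactly as before."""
    origin = req["headers"].get("Origin")
    if is_preflight(req):
        return 204, cors_headers(origin)
    if req["headers"].get("Authorization") != VALID_TOKEN:
        # Still send CORS headers so the browser can surface the 401 itself.
        return 401, cors_headers(origin)
    return 200, cors_headers(origin)
```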