Enabling CORS in spring security label

0
votes

How can i enable a CORS in Spring Security label i.e. in token url. I am using spring security 3.1 and spring mvc 4.3.12. I have successfully generated a token to secure API but can't enable CORS in token url. I have used the following code for generating access token

spring-security.xml

<http pattern="/oauth/token" create-session="stateless"  
          authentication-manager-ref="clientAuthenticationManager"  
          xmlns="http://www.springframework.org/schema/security">  
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />  
        <anonymous enabled="false" />  
        <http-basic entry-point-ref="clientAuthenticationEntryPoint" />  
        <!-- include this only if you need to authenticate clients via request   
        parameters -->  
        <custom-filter ref="clientCredentialsTokenEndpointFilter"  
                       after="BASIC_AUTH_FILTER" />  
        <access-denied-handler ref="oauthAccessDeniedHandler" />  
    </http>

And this is how i have enabled a CORS but doesn't work

dispatcher-servlet.xml

<mvc:cors>
        <mvc:mapping path="/oauth/token" allowed-origins="http://localhost:4200"
                     allowed-methods="GET" allowed-headers="Access-Control-Allow-Origin" />
    </mvc:cors>

And this is the error that i got

login:1 Failed to load http://localhost:8080/M.S.-Handloom-Fabrics/oauth/token?grant_type=password&client_id=restapp&client_secret=restapp&username=nishan&password=nishan: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access. The response had HTTP status code 400.

1
javaspringspring-mvcspring-securitytoken

1 Answers

0
votes

For this error you have to create new class like below. private String corsFilter="*"; When you provide * it will allow everything. Hope it will help you out.

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CorsFilter implements Filter {

    private String corsFilter="*";

    public CorsFilter() {
    }

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res,
            final FilterChain chain) throws IOException, ServletException {

        final HttpServletResponse response = (HttpServletResponse) res;
        final HttpServletRequest request = (HttpServletRequest) req;
        response.setHeader("Access-Control-Allow-Origin", corsFilter);
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods",
                "POST,  GET, PUT, OPTIONS, PATCH ,DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", " Content-Type, Authorization");

        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void init(final FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}