Jhipster CORS enable

5
votes

I am using Jhipster to generate API.

My api is on lets call it :

https://api.staging.test.com/

and my FE app is on :

https://staging.test.com/

Here is my config for Cors enable in application-prod.yml

cors:
     allowed-origins: "https://staging.test.com/"
     allowed-methods: "*"
     allowed-headers: GET, PUT, POST, DELETE, OPTIONS
     exposed-headers: "Authorization,Link,X-Total-Count"
     allow-credentials: true
     max-age: 1800

I still get this error :

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://staging.test.com' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Is there anything more that needs to be done in Spring boot to enable CORS ?

3
javaspring-bootcorsjhipster
The cors key should be under jhipster, is it that way in your application-prod.yml?Jon Ruddell
Yes yes, i tested cors filter, he gets good info from application-prod.yml, something else is not workinguser3364181

3 Answers

9
votes

The only config needed to enable CORS in JHipster's Prod mode is to set the jhipster.cors configuration like below. One thing to note is that if your frontend is using a port, that needs to be included in the allowed-origins key.

jhipster:
    cors:
        allowed-origins: "https://staging.test.com:8080"
        allowed-methods: "*"
        allowed-headers: "*"
        exposed-headers: "Authorization,Link,X-Total-Count"
        allow-credentials: true
        max-age: 1800

This is loaded by JHipsterProperties and used in WebConfigurer.java to apply the CORS configuration.

2
votes

To enable CORS in PROD mode, comment out jhipster.cors in the base application.yml and customize as necessary.

  cors:
    allowed-origins: 'https://staging.test.com'
    allowed-methods: '*'
    allowed-headers: '*'
    exposed-headers: 'Authorization,Link,X-Total-Count,X-${jhipster.clientApp.name}-alert,X-${jhipster.clientApp.name}-error,X-${jhipster.clientApp.name}-params'
    allow-credentials: true
    max-age: 1800

If you have configured any new root path, make sure it's registered for cors in WebConfigurer.java

@Bean
public CorsFilter corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = jHipsterProperties.getCors();
    if (!CollectionUtils.isEmpty(config.getAllowedOrigins())) {
        log.debug("Registering CORS filter");
        source.registerCorsConfiguration("/newrootpath/**", config); // add this
        source.registerCorsConfiguration("/api/**", config);
        source.registerCorsConfiguration("/management/**", config);
        source.registerCorsConfiguration("/v2/api-docs", config);
        source.registerCorsConfiguration("/v3/api-docs", config);
        source.registerCorsConfiguration("/swagger-resources", config);
        source.registerCorsConfiguration("/swagger-ui/**", config);
    }
    return new CorsFilter(source);
}

If the new root path is configured using another AuthenticationManager ( a class that extends WebSecurityConfigurerAdapter) , make sure to add the filter CorsFilter there too.

1
votes

Faced the same issue. The easiest and safest way I found is to enable cors only for the specific methods you need exposed in your controller. At the method which serves your api, add @CrossOrigin("*") annotation. This works in production and there is no need to make any changes to application-prod.yml.