App Engine Standard with Spring Boot CORS not working

0
votes

I am implementing a Spring Boot application that is hosted on a Google App Engine Standard Environment.

I have configured CORS like this, following the official guide:

@Configuration
@EnableWebSecurity
class WebSecurityConfigurer : WebSecurityConfigurerAdapter() {

    @Throws(Exception::class)
    override fun configure(http: HttpSecurity) {
        http.csrf()
            .disable()
            .cors()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().authorizeRequests().antMatchers("/api/**").permitAll()
    }

    @Bean
    fun corsConfigurationSource(): CorsConfigurationSource {
        val configuration = CorsConfiguration()
        configuration.allowedOrigins = listOf("*")
        configuration.allowedMethods = listOf("GET", "POST", "OPTIONS", "PUT", "DELETE", "HEAD")
        val source = UrlBasedCorsConfigurationSource()
        source.registerCorsConfiguration("/**", configuration)
        return source
    }

executing the following cURL I receive the AllowedOrigins header as it is necessary:

curl -H "Access-Control-Request-Method: GET" -H "Origin: http://foo" -X OPTIONS "localhost:8080/api/abc/list?lang=de"

Response:

HTTP/1.1 200 
Access-Control-Allow-Origin: *

Now when I have deployed my Spring App to AppEngine, I can also cURL successfully.

HTTP/2 200 
access-control-allow-origin: https://myfrontend.com
access-control-allow-methods: GET
access-control-allow-credentials: true

Unfortunately, my Frontend Application gets blocked with a 403 

Access to fetch at 'https://mybackend.com/api/abc/list?lang=de' from origin 'https://myfrontend.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Any tips?

Thanks.

2
spring-bootgoogle-app-enginecors

2 Answers

0
votes

I think you missed the important part setting headers in cors.

Add this line

configuration.allowedHeaders = listOf("*")

0
votes

I used this code : Ref : https://blogs.ashrithgn.com/disable-cors-in-spring-boot/ I have two GAE project

  1. Python based using angular 11
  2. Spring boot based micro services std env

Imp : No other changes in app.yaml or as mentioned by spring at https://spring.io/guides/gs/rest-service-cors/ will make any difference

@Configuration public class CorsConfig {

@Bean
public FilterRegistrationBean corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true);
    config.addAllowedOrigin("*");
    config.addAllowedHeader("*");
    config.addAllowedMethod("*");
    source.registerCorsConfiguration("/**", config);
    FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
    bean.setOrder(0);
    return bean;
}