I need some help with my spring security 4.2 CORS configuration.
When calling the spring security login page http://localhost:8080/login, the CORS Headers are not getting set on the preflight requests.
When calling a different URL, the CORS headers are getting set correctly.
Browser Console Error Message:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Chrome:
Spring Security 4.2
<!-- Main security configuration -->
<security:http entry-point-ref="mainEntryPoint">
<security:cors configuration-source-ref="corsSource"/>
<!-- Handle CORS (preflight OPTIONS requests must be anonymous) -->
<security:intercept-url method="OPTIONS" pattern="/**" access="isAnonymous()"/>
<security:intercept-url pattern="/main/**" access="hasRole('USER')"/>
<security:intercept-url pattern="/**" access="denyAll"/>
<security:custom-filter position="LOGOUT_FILTER" ref="mainLogoutFilter"/>
<security:csrf disabled="true"/>
</security:http>
(...)
<bean id="corsSource" class="org.springframework.web.cors.UrlBasedCorsConfigurationSource">
<property name="corsConfigurations">
<map>
<entry key="/**">
<bean class="org.springframework.web.cors.CorsConfiguration">
<property name="allowCredentials" value="true"/>
<property name="allowedHeaders" value="*"/>
<property name="allowedMethods" value="*"/>
<property name="allowedOrigins" value="http://localhost:4200"/>
<property name="maxAge" value="86400"/>
</bean>
</entry>
</map>
</property>
</bean>
