Origin header value not allowed. Even though URL is allowed

Question

I've looked at other questions on the site similar to this and despite doing those resolutions, my issue remains the same.

Side note, I also tried setHeader(clientOrigin)

I am using Spring Boot v1.2.7.RELEASE and The Spring Console is what is telling me that Origin Header Value not allowed. My client returns with a 403 forbidden.

CorsFilter

package app.config;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

@Component
public class CorsFilter implements Filter {

    private final Logger log = LoggerFactory.getLogger(CorsFilter.class);

    public CorsFilter() {
        log.info("SimpleCORSFilter init");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String clientOrigin = request.getHeader("origin");
        response.addHeader("Access-Control-Allow-Origin", clientOrigin);
        response.setHeader("Access-Control-Allow-Methods", "POST, GET,  DELETE, PUT");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Accept, Content-Type, Origin, Authorization, X-Auth-Token");
        response.addHeader("Access-Control-Expose-Headers", "X-Auth-Token");

        if (request.getMethod().equals("OPTIONS")) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

}

Request Header

Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Cookie:JSESSIONID=BDD1655C91FD8DD73A8A0B021BFFC0E7
Host:192.168.1.66:8080
Origin:http://192.168.1.66:8105
Referer:http://192.168.1.66:8105/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Response Headers

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Accept, Content-Type, Origin, Authorization, X-Auth-Token
Access-Control-Allow-Methods:POST, GET,  DELETE, PUT
Access-Control-Allow-Origin:http://192.168.1.66:8105
Access-Control-Expose-Headers:X-Auth-Token
Access-Control-Max-Age:3600
Cache-Control:no-store, no-cache, must-revalidate, max-age=0
Content-Length:0
Date:Sat, 28 Nov 2015 23:49:56 GMT
Server:Apache-Coyote/1.1

The call I am trying to make is a SocketJS call and its a get call. The following script is being called.

var socket = new SockJS($scope.siteUrl+'/connect?TOKEN='+$localstorage.get('X-AUTH-TOKEN-TRIVIA'));
    $scope.stompClient = Stomp.over(socket);
    $scope.stompClient.connect({"Authorization":"TOKEN" }, function(frame) {
        console.log('Connected: ' + frame);
        stompClient.subscribe($scope.siteUrl+'/socketupdate', function(greeting){
            $scope.activegame = JSON.parse(greeting.body).content;
        });
    });

As you can see, I am passing the token as a query string because for some strange reason SocketJS does not allow me to pass the X-AUTH-TOKEN via header.

My client server is however on a different port. I am building an app utilizing ionic which is a angular based framework.

I notice that the error comes from my WebSocketService

2015-11-29 03:22:32.417  WARN 33932 --- [nio-8080-exec-1] o.s.w.s.s.t.h.DefaultSockJsService       : Origin header value 'http://192.168.1.66:8105' not allowed.

would this mean I have to set something in the WebSocketConfig that will accept this??

Answer 1

in your WebsocketConfig.java

@Override
public void registerStompEndpoints(StompEndpointRegistry stompEndpointRegistry) {
    stompEndpointRegistry.addEndpoint("/ws").setAllowedOrigins("*").withSockJS();
}

notice:

.setAllowedOrigins("*")

Answer 2

Something I just found and I thought it might help someone. Your url must NOT have a "/" at the end.

@Override
public void registerStompEndpoints(StompEndpointRegistry registry) {
    registry.addEndpoint("/chat")
            .setAllowedOrigins("https://somewebsite.com/")
            .withSockJS();
}

Doesn't work.

@Override
public void registerStompEndpoints(StompEndpointRegistry registry) {
    registry.addEndpoint("/chat")
            .setAllowedOrigins("https://somewebsite.com")
            .withSockJS();
}

Works.

Answer 3

It's .setAllowedOriginPatterns("*") instead of .setAllowedOrigins("*") in Spring 5+ versions.. (I don't know when it was changed)