Spring Boot, Cors and Spring Security

Question

I am using Spring Boot version 2.0.8.RELEASE and the spring-boot-start-security module. I am trying to protect my swagger endpoints with basic authentication and so far everything is going good. However, requests from javascript in my code have started failing with the following error

Access to XMLHttpRequest at 'http://my-service.com.com/search/api/getQuery' from origin 'http://myui.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I have the following configuration class defined

@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        //See https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#mvc-cors-global-java for configuring cors
        registry.addMapping("/**").allowedOrigins("*").allowedMethods("*").allowedHeaders("*");
    }

}

I have the @CrossOrigin annotation on my API Class. And I have the following class to configure my security

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception {
        http.cors()
             .and()
             .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/v2").authenticated()
                    .antMatchers("/swagger-resources").authenticated()
                    .antMatchers("/swagger-ui.html").authenticated()                    
                    .and()
                    .httpBasic()
                    .and()
                    .authorizeRequests()    
                        .antMatchers("/**").permitAll()
                        .and();        

    }

    }

I tried creating a CorsConfiguration in the security class and removing the @CrossOrigin annotation but that didnt work either. Any idea what I need to do in order to get cors working correctly on Spring Boot 2.0.8.RELEASE?

Thanks Damien

Answer 1

In my experience the Spring Annotations never successfully resolve the CORS issue. The solution that I have preferred is routing both servers (in my case Node and Tomcat) through a virtual host.

In my Apache httpd-vhosts config file, I have the following setup.

    ProxyRequests Off
    ProxyPreserveHost Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Location /FrontEndServer>
        ProxyPass        http://localhost:8080/FrontEndServer connectiontimeout=333 timeout=999
        ProxyPassReverse http://localhost:8080/FrontEndServer
    </Location>

    <Location />
        ProxyPass        http://localhost:3000/ connectiontimeout=333 timeout=999
        ProxyPassReverse http://localhost:3000/
    </Location>

In this setup, my two servers are running on different ports, but Apache is rerouting them so that they can share my localhost and be differentiated simply by "/" or "/FrontEndServer".

Obviously this is specific to Apache, and that may not be the setup you are using. You should however be able to use these principles to find a solution for your specific situation. Hope this helps.