Issue
I have problems integrating the CORS filter into my spring boot (2.3) OAuth application. I read the posts of a lot of other people with the same problem but could not find a solution for mine. When accessing my application via Postman I do not have any issues getting the authentication key. However, when using a HTML file from my local system where I use an ajax query (using jQuery) to access the application I am getting the follwing error:
Access to XMLHttpRequest at 'my sercice' from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
My code looks like this:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import de.mtc.procon.authserver.provider.CustomAuthenticationProvider;
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthenticationProvider customAuthenticationProvider;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
// @Bean
// public CorsFilter corsFilter() {
// return new MyCorsFilter(getMyCorsConfigurationSource());
// }
@Override
public void configure(HttpSecurity http) throws Exception {
System.out.println("---------------------- Configure authentication server -----------------------");
http.cors().and().authorizeRequests().requestMatchers(CorsUtils::isPreFlightRequest).permitAll().antMatchers("/**").authenticated().and().httpBasic().and().csrf().disable().exceptionHandling()
.authenticationEntryPoint(new CustomAuthenticationEntryPoint());
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider);
}
@Qualifier
@Primary
@Bean
public CorsConfigurationSource corsConfigurationSource() {
System.out.println("Generating cors configuration source...");
return getMyCorsConfigurationSource();
}
private CorsConfigurationSource getMyCorsConfigurationSource() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", getMyCorsConfiguration());
return source;
}
private CorsConfiguration getMyCorsConfiguration() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("*"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
configuration.setAllowedHeaders(Arrays.asList("authorization", "content-type", "x-auth-token"));
configuration.setAllowCredentials(true);
configuration.setMaxAge(Duration.ofDays(1));
configuration.setExposedHeaders(Arrays.asList("x-auth-token"));
return configuration;
}
}
Could I be using classes from wrong packages? I appreciate your help.
Solution
I found a solution to my problem.
What I was missing was the annotation
@Order(Ordered.HIGHEST_PRECEDENCE)
However, when I added it to my class WebSecurityConfiguration, I got the error
InsufficientAuthenticationException: There is no client authentication.
In the end I removed the corsConfigurationSource Bean and the cors() method from the HttpSecurity and added a CorsFilter class. To this new class I added the @Order(Ordered.HIGHEST_PRECEDENCE) annotation. Additionally, I added addFilterBefore to the HttpSecurity.
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthenticationProvider customAuthenticationProvider;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public CorsFilter corsFilter() {
return new CorsFilter();
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.addFilterBefore(corsFilter(), SessionManagementFilter.class).csrf().disable().exceptionHandling().and() .authorizeRequests().requestMatchers(CorsUtils::isPreFlightRequest).permitAll().antMatchers("/**").authenticated().and().httpBasic()
.authenticationEntryPoint(new CustomAuthenticationEntryPoint());
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider);
}
@Order(Ordered.HIGHEST_PRECEDENCE)
private class CorsFilter implements Filter //javax.servlet.Filter
{
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) servletResponse;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "GET,POST,DELETE,PUT,OPTIONS");
response.setHeader("Access-Control-Allow-Headers", "Content-Type,Authorization");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Max-Age", "86400");
if ("OPTIONS".equalsIgnoreCase(((HttpServletRequest) servletRequest).getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
filterChain.doFilter(servletRequest, response);
}
}
@Override
public void destroy() {
}
}
}
Answered By - Felix H
Answer Checked By - Candace Johnson (JavaFixing Volunteer)