Why Am I Getting a \'No \'Access-Control-Allow-Origin\' Header is Present\' Error After Adding Spring Security?

Spring Security CORS Filter: Troubleshooting "No 'Access-Control-Allow-Origin' Header is Present"

Explanation

Adding Spring Security to an existing project can trigger a "No 'Access-Control-Allow-Origin' header is present" error during Cross-Origin Resource Sharing (CORS) requests. This error occurs because the Access-Control-Allow-Origin response header is not added to requests.

Solution

Method 1:

Update your code to use Spring Security's built-in CORS support. Add the following configuration to your application:

<code class="java">@Configuration
public class WebConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedMethods("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH");
    }
}</code>

Method 2:

If you want more control over CORS configuration, use the following approach:

<code class="java">@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        final CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(ImmutableList.of("*"));
        configuration.setAllowedMethods(ImmutableList.of("HEAD",
                "GET", "POST", "PUT", "DELETE", "PATCH"));
        configuration.setAllowCredentials(true);
        configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}</code>

Additional Notes:

• Avoid using http.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll(); or web.ignoring().antMatchers(HttpMethod.OPTIONS);, as they are incorrect solutions.
• Ensure that your CORS filter is positioned after SecurityContextPersistenceFilter and before LogoutFilter in the filter chain.
• Verify that the Access-Control-Allow-Methods header includes the necessary HTTP verbs: GET, PUT, POST, etc.
• If you still encounter the CORS error, check your application's logs for any additional information that could help pinpoint the issue.

The above is the detailed content of Why Am I Getting a \'No \'Access-Control-Allow-Origin\' Header is Present\' Error After Adding Spring Security?. For more information, please follow other related articles on the PHP Chinese website!