Issue
I want to disable CORS completely in spring boot security but all what I have tried doesn't seems to work
I have tried to add custom Filters and injecting it as a bean, also I have tried to disable cors in WebSecurityConfigurerAdapter I have also tried to add the filter in configure HttpSecurity method.
these some links I have already tried:
1: CORS problems with spring boot security.
2: Spring security CORS Filter
my current Code state as such:
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final CustomUserDetailsService customUserDetailsService;
private final AuthConfigProperties authConfigProperties;
public WebSecurityConfig(@Lazy CustomUserDetailsService customUserDetailsService, AuthConfigProperties authConfigProperties) {
this.customUserDetailsService = customUserDetailsService;
this.authConfigProperties = authConfigProperties;
}
@Bean
@Override
public AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(authConfigProperties.getBcryptRounds());
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.requestMatchers()
.antMatchers("/login", "/logout", "/oauth/authorize")
.and()
.logout()
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.csrf()
.disable();
http.cors().disable();
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserDetailsService).passwordEncoder(passwordEncoder());
}
}
when I try to access the authentication server in front-end I get this error message:
Access to fetch at 'http://localhost:8089/oauth/token' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
Solution
this code do work:
import com.example.myAuthServer.service.CustomUserDetailsService;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final CustomUserDetailsService customUserDetailsService;
private final AuthConfigProperties authConfigProperties;
public WebSecurityConfig(@Lazy CustomUserDetailsService customUserDetailsService, AuthConfigProperties authConfigProperties) {
this.customUserDetailsService = customUserDetailsService;
this.authConfigProperties = authConfigProperties;
}
@Bean
@Override
public AuthenticationManager authenticationManager() throws Exception {
return super.authenticationManager();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(authConfigProperties.getBcryptRounds());
}
@Override
public void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.requestMatchers()
.antMatchers("/login", "/logout", "/oauth/authorize")
.and()
.logout()
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.csrf()
.disable();
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserDetailsService).passwordEncoder(passwordEncoder());
}
}
but in order to get red of the error shown in the original post you just need to make the browser knows that the requested server url have the same "Allow-Control-Access-Origin" response's url.
We can do this by applying a proxy in client-side, In my case I am using react.
add a file called setupProxy.js under src directory.
then write the following code:
const proxy = require("http-proxy-middleware");
module.exports = function (app) {
app.use(proxy("/oauth/token", {target: "http://localhost:8089"})); // put your host and api
};
and use it like this:
fetch("/oauth/token", {
method: "POST",
body: qs.stringify(Auth.bodyForNewToken(username, password)),
headers: {
"Content-Type": "application/x-www-form-urlencoded",
Authorization: "Basic " + btoa("<CLIENT>:<SECRET>")
}
});
this code is just a hint, YOU NEED TO CHANGE THE NECESSARY LINES!!!.
Answered By - suliman
Answer Checked By - Katrina (JavaFixing Volunteer)