SpringBoot 2 Migration Issue with CORS support


Using SpringBoot 1.5.9 with this controller and configuration, CORS requests are allowed (work fine):

@CrossOrigin
@RestController
public class SampleController {
  @GetMapping(path = "mypath")
  public String something() {
      return "foobar";
  }
}

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/**").permitAll();
  }
}

However, when I migrated to SpringBoot v2.0.0, with the same controller and configuration I now get errors in the latest version of Chrome to the same previously working requests:

Failed to load https://gateway.mydomain.com/mypath: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'https://spa.mydomain.com' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Per this possibly dated StackOverflow answer, I’ve tried using this updated configuration, but that still does not work:

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
        .cors()
        .and()
        .csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/**").permitAll();
  }

  @Bean
  CorsConfigurationSource corsConfigurationSource() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
    return source;
  }

}

How do we get the same CORS functionality possible out of the box with SpringBoot 1.5.9 in SpringBoot 2?

Is there a better way to resolve this without specifying the origin domain?

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

1 reaction
wilkinsona commented, Mar 15, 2018

This is due to the change made in Spring Framework for SPR-16130. allowCredentials now defaults to false which affects this logic in CorsConfiguration:

		if (this.allowedOrigins.contains(ALL)) {
			if (this.allowCredentials != Boolean.TRUE) {
				return ALL;
			}
			else {
				return requestOrigin;
			}
		}

You can restore the behaviour of Spring Framework 4.3 and Spring Boot 1.5 by changing your @CrossOrigin annotation:

@CrossOrigin(allowCredentials="true")

/cc @sdeleuze
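
The origin check quoted in the comment above, modelled as a stand-alone Java program (an added example, not part of the thread and not Spring's source; `CorsPolicy`, `browserAccepts` and the origin `https://other.example` are assumptions made for illustration). It goes one step beyond the quoted branch by adding an explicit-allowlist case, and it models only the `Access-Control-Allow-Origin` header.

```java
import java.util.Collections;
import java.util.List;

// Added illustration, not Spring source: CorsPolicy and browserAccepts are hypothetical names.
public class CorsOriginDemo {
    static final String ALL = "*";
    static final String SPA = "https://spa.mydomain.com"; // origin taken from the issue

    static final class CorsPolicy {
        final List<String> allowedOrigins;
        final boolean allowCredentials;

        CorsPolicy(List<String> allowedOrigins, boolean allowCredentials) {
            this.allowedOrigins = allowedOrigins;
            this.allowCredentials = allowCredentials;
        }

        // Value for Access-Control-Allow-Origin, or null when the origin is rejected.
        String checkOrigin(String requestOrigin) {
            if (requestOrigin == null || requestOrigin.isEmpty()) {
                return null;
            }
            if (allowedOrigins.contains(ALL)) {
                // Same branch as the quoted snippet: wildcard plus credentials echoes the caller.
                return allowCredentials ? requestOrigin : ALL;
            }
            return allowedOrigins.contains(requestOrigin) ? requestOrigin : null;
        }
    }

    // Origin-header part of the browser rule in the Chrome error: with credentials, "*" is refused.
    static boolean browserAccepts(String header, String pageOrigin, boolean withCredentials) {
        return header != null && (ALL.equals(header) ? !withCredentials : header.equals(pageOrigin));
    }

    static void report(String label, CorsPolicy policy) {
        // Constructed origins: the SPA from the issue and an unrelated site.
        for (String origin : new String[] {SPA, "https://other.example"}) {
            String header = policy.checkOrigin(origin);
            System.out.printf("%-25s %-25s -> %-25s accepted=%b%n",
                    label, origin, header, browserAccepts(header, origin, true));
        }
    }

    public static void main(String[] args) {
        report("wildcard, no credentials", new CorsPolicy(Collections.singletonList(ALL), false));
        report("wildcard + credentials", new CorsPolicy(Collections.singletonList(ALL), true));
        report("allowlist + credentials", new CorsPolicy(Collections.singletonList(SPA), true));
    }
}
```

Run with `java CorsOriginDemo.java` on Java 11 or later. The wildcard with credentials echoes both origins back, while the allowlist echoes only the SPA origin.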

0 reactions
dyunusemre commented, May 19, 2018

@wilkinsona you saved my day, thanks a lot
