Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

CORS failure with OAuth authentication in Spring server

I have a CORS problem when I try to authenticate to my spring server calling the "oauth/token" endpoint. The server answers with a 401 response

 XMLHttpRequest cannot load http://localhost:8080/oauth/token.
 Response to preflight request doesn't pass access control check: 
 No 'Access-Control-Allow-Origin' header is present on the requested resource. 
 Origin 'http://localhost:8000' is therefore not allowed access. 
 The response had HTTP status code 401.

This is how i call the server:

 login: function(credentials) {
        var data = "username=" +  encodeURIComponent(credentials.username) + "&password="
            + encodeURIComponent(credentials.password) + "&grant_type=password&scope=read%20write&" +
            "client_secret=mySecretOAuthSecret&client_id=awhyapp";
        return $http.post('http://localhost:8080/oauth/token', data, {
            headers: {
                "Content-Type": "application/x-www-form-urlencoded",
                "Accept": "application/json",
                "Access-Control-Allow-Origin": "*",
                "Authorization": "Basic " + Base64.encode("awhyapp" + ':' + "mySecretOAuthSecret")
            }
        }).success(function (response) {
            var expiredAt = new Date();
            expiredAt.setSeconds(expiredAt.getSeconds() + response.expires_in);
            response.expires_at = expiredAt.getTime();
            localStorageService.set('token', response);
            return response;
        });

OauthConfigurations:

 @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll()
        .and()
            .exceptionHandling()
            .authenticationEntryPoint(authenticationEntryPoint)
        .and()
            .logout()
            .logoutUrl("/api/logout")
            .logoutSuccessHandler(ajaxLogoutSuccessHandler)
        .and()
            .csrf()
            .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
            .disable()
            .headers()
            .frameOptions().disable()
        .and()
            .authorizeRequests()
            .antMatchers("/api/authenticate").permitAll()
            .antMatchers("/api/register").permitAll()
            .antMatchers("...").permitAll()
    }
}

i followed the answer in this question (Add headers to oauth/token response (spring-security)) but my problem is that no matter how i configure my Filter class, those functions are never called even if i set the highest priority with @Order annotation.

like image 696
sangra4l Avatar asked Nov 24 '15 17:11

sangra4l


1 Answers

Un-comment cors in application.yml

cors: #By default CORS are not enabled. Uncomment to enable.
        allowed-origins: "*"
        allowed-methods: GET, PUT, POST, DELETE, OPTIONS
        allowed-headers: "*"
        exposed-headers:
        allow-credentials: true
        max-age: 1800

this worked for me when I was having the same error

like image 110
Abhishek Patil Avatar answered Nov 04 '22 16:11

Abhishek Patil