I have a CORS problem when I try to authenticate to my spring server calling the "oauth/token" endpoint. The server answers with a 401 response
XMLHttpRequest cannot load http://localhost:8080/oauth/token.
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8000' is therefore not allowed access.
The response had HTTP status code 401.
This is how i call the server:
login: function(credentials) {
var data = "username=" + encodeURIComponent(credentials.username) + "&password="
+ encodeURIComponent(credentials.password) + "&grant_type=password&scope=read%20write&" +
"client_secret=mySecretOAuthSecret&client_id=awhyapp";
return $http.post('http://localhost:8080/oauth/token', data, {
headers: {
"Content-Type": "application/x-www-form-urlencoded",
"Accept": "application/json",
"Access-Control-Allow-Origin": "*",
"Authorization": "Basic " + Base64.encode("awhyapp" + ':' + "mySecretOAuthSecret")
}
}).success(function (response) {
var expiredAt = new Date();
expiredAt.setSeconds(expiredAt.getSeconds() + response.expires_in);
response.expires_at = expiredAt.getTime();
localStorageService.set('token', response);
return response;
});
OauthConfigurations:
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/oauth/token").permitAll()
.and()
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.logout()
.logoutUrl("/api/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler)
.and()
.csrf()
.requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
.disable()
.headers()
.frameOptions().disable()
.and()
.authorizeRequests()
.antMatchers("/api/authenticate").permitAll()
.antMatchers("/api/register").permitAll()
.antMatchers("...").permitAll()
}
}
i followed the answer in this question (Add headers to oauth/token response (spring-security)) but my problem is that no matter how i configure my Filter class, those functions are never called even if i set the highest priority with @Order annotation.
Un-comment cors in application.yml
cors: #By default CORS are not enabled. Uncomment to enable.
allowed-origins: "*"
allowed-methods: GET, PUT, POST, DELETE, OPTIONS
allowed-headers: "*"
exposed-headers:
allow-credentials: true
max-age: 1800
this worked for me when I was having the same error
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With