I'm trying to make CORS play nicely with Spring Security but it's not complying. I made the changes described in this article and changing this line in applicationContext-security.xml
has got POST and GET requests working for my app (temporarily exposes controller methods, so I can test CORS):
<intercept-url pattern="/**" access="isAuthenticated()" />
<intercept-url pattern="/**" access="permitAll" />
Unfortunately the following URL which allows Spring Security logins through AJAX isn't responding: http://localhost:8080/mutopia-server/resources/j_spring_security_check
. I am making the AJAX request from http://localhost:80
to http://localhost:8080
.
When attempting to access j_spring_security_check
I get (pending)
in Chrome for the OPTIONS preflight request and AJAX call returns with HTTP status code 0 and message "error".
The preflight succeeds with HTTP status code 302 and I still get the error callback for my AJAX request directly afterwards with HTTP status 0 and message "error".
function get(url, json) { var args = { type: 'GET', url: url, // async: false, // crossDomain: true, xhrFields: { withCredentials: false }, success: function(response) { console.debug(url, response); }, error: function(xhr) { console.error(url, xhr.status, xhr.statusText); } }; if (json) { args.contentType = 'application/json' } $.ajax(args); } function post(url, json, data, dataEncode) { var args = { type: 'POST', url: url, // async: false, crossDomain: true, xhrFields: { withCredentials: false }, beforeSend: function(xhr){ // This is always added by default // Ignoring this prevents preflight - but expects browser to follow 302 location change xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest'); xhr.setRequestHeader("X-Ajax-call", "true"); }, success: function(data, textStatus, xhr) { // var location = xhr.getResponseHeader('Location'); console.error('success', url, xhr.getAllResponseHeaders()); }, error: function(xhr) { console.error(url, xhr.status, xhr.statusText); console.error('fail', url, xhr.getAllResponseHeaders()); } } if (json) { args.contentType = 'application/json' } if (typeof data != 'undefined') { // Send JSON raw in the body args.data = dataEncode ? JSON.stringify(data) : data; } console.debug('args', args); $.ajax(args); } var loginJSON = {"j_username": "username", "j_password": "password"}; // Fails post('http://localhost:8080/mutopia-server/resources/j_spring_security_check', false, loginJSON, false); // Works post('http://localhost/mutopia-server/resources/j_spring_security_check', false, loginJSON, false); // Works get('http://localhost:8080/mutopia-server/landuses?projectId=6', true); // Works post('http://localhost:8080/mutopia-server/params', true, { "name": "testing", "local": false, "generated": false, "project": 6 }, true);
Please note - I can POST to any other URL in my app via CORS except the Spring Security login. I've gone through lots of articles, so any insight into this strange issue would be greatly appreciated
Cross-Origin Resource Sharing (CORS) is a security concept that allows restricting the resources implemented in web browsers. It prevents the JavaScript code producing or consuming the requests against different origin.
You need to add @CrossOrigin annotation by yourself to get CORS Support in Spring. Why: Enabling CORS (Cross-origin resource sharing) by default will be a serious security issue.
Controller Method CORS Configuration This @CrossOrigin annotation enables cross-origin resource sharing only for this specific method. By default, its allows all origins, all headers, and the HTTP methods specified in the @RequestMapping annotation. Also, a maxAge of 30 minutes is used.
I was able to do this by extending UsernamePasswordAuthenticationFilter... my code is in Groovy, hope that's OK:
public class CorsAwareAuthenticationFilter extends UsernamePasswordAuthenticationFilter { static final String ORIGIN = 'Origin' @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response){ if (request.getHeader(ORIGIN)) { String origin = request.getHeader(ORIGIN) response.addHeader('Access-Control-Allow-Origin', origin) response.addHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE') response.addHeader('Access-Control-Allow-Credentials', 'true') response.addHeader('Access-Control-Allow-Headers', request.getHeader('Access-Control-Request-Headers')) } if (request.method == 'OPTIONS') { response.writer.print('OK') response.writer.flush() return } return super.attemptAuthentication(request, response) } }
The important bits above:
You need to declare this bean in your Spring configuration. There are many articles showing how to do this so I won't copy that here.
In my own implementation I use an origin domain whitelist as I am allowing CORS for internal developer access only. The above is a simplified version of what I am doing so may need tweaking but this should give you the general idea.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With