How to enable CORS for Error Response in Spring MVC?

Question

I'm working on application where I use Spring MVC for the Back-end and Angular5 for the Front-end. I have been stuck with implementation of Auth2 security layer including Cross-Origin Resource Sharing. My CORS filter implementation looks like this:

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
@WebFilter("/*")
public class WebSecurityCorsFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        res.setHeader("Access-Control-Allow-Origin", "*");
        res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
        res.setHeader("Access-Control-Max-Age", "3600");
        res.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, Accept, x-requested-with, Cache-Control");


        if ("OPTIONS".equalsIgnoreCase(((HttpServletRequest) request).getMethod())) {
            res.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(request, res);
        }

    }
    @Override
    public void destroy() {
    }
}

I works almost properly, I'm able to obtain access_token and use it to get protected data from ResourcesServer:

{"access_token":"4fcef1f8-4306-4047-9d4d-1c3cf74ecc44","token_type":"bearer","refresh_token":"397016eb-dfb0-4944-a2e0-50c3bd07c250","expires_in":29,"scope":"read write trust"}

Browser console screenshot

The problem starts when I try to handle the request using expired token. In such case I'm not able to catch the correct ErrorResponeCode by Angular. Instead of 401 i Angular HttpClient got "Unknown Error" with status:0.

It looks like the problem is with CORS policy where the ErrorResponse doesn't include neccessery headers like Access-Control-Allow-Origin (...)

Failed to load http://localhost:8030/api/xxxx: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8070' is therefore not allowed access. The response had HTTP status code 401.

ErrorResponse Headers - Screenshot

I have searched for how to enable CORS for ErorrResponse (InvalidTokenException etc.) in Spring MVC . I tried with various approach: accessDeniedHandler and setExceptionTranslator but without success. I really made effort to find the solution myself but I'm a beginner in Spring. I am not sure if this is possible at all.

ANGULAR (UPDATE)

@hrdkisback, it's rather not angular issue, anyway this my code :

@Injectable()

export class HttpInterceptorService implements HttpInterceptor {


    addToken(req: HttpRequest<any>, oauthService: AuthenticationService): HttpRequest<any> {

        if(oauthService.isTokenExist()){

            return req.clone({ setHeaders: { Authorization: 'Bearer ' + oauthService.getAccessToken() }})
        }

        return req;
    }


    intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpSentEvent | HttpHeaderResponse | HttpProgressEvent | HttpResponse<any> | HttpUserEvent<any>> {

        let oauthService = this.inj.get(AuthenticationService);

        return next.handle(this.addToken(req,oauthService))

        .do((event: HttpEvent<any>) => {

            if (event instanceof HttpResponse) {

                // process successful responses here

            }
        }, (error: any) => { 

            if (error instanceof HttpErrorResponse) {

                // Error 

                console.log(error);
            }
        });

    }
}

Answer 1

Issue solved after I added my CORS filter on ResourcesServer configuration level like this:

The correct configuration that works for me!

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {


    @Override
        public void configure(HttpSecurity http) throws Exception {

            http
            .addFilterAfter(new WebSecurityCorsFilter(), CsrfFilter.class)
            ...
        }
   ....
}

In my previous configuration I added the filter in the same way but on the top level of MVC Security Configuration and it was the root couse of my issue:

The previous configuration that caused my issue

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {



    @Override
            public void configure(HttpSecurity http) throws Exception {

                http
                .addFilterAfter(new WebSecurityCorsFilter(), CsrfFilter.class)
                ...
            }
       ....
    }