I am new to CORS headers and implementing with Spring boot. I am enabling CORS header on POST service which accept request body.
First time preflight request is made which runs fine and return 200 but when actual post request is invoked, it always return 403 forbidden with response body "Invalid CORS request". I have read almost all spring docs and all google/stackoverflow discussions but could not find out what am I missing..huh..
In Below snippet I have tested by adding crossOrigin at top of class and top of method but no luck.
#CrossOrigin(origins = "https://domain/", allowCredentials = "false")
#RequestMapping(value = ApplicationConstants.URI_PATH)
class MainController {
#RequestMapping(value = '/postMethod', method = RequestMethod.POST)
Map<String, Object> postMethod(HttpServletResponse servletResponse,
#RequestBody(required = false) AccessToken requestedConsumerInfo) {...}
For POST method - Preflight request is invoked and result is 200 but main POST call returns 403.
Call with OPTIONS: Status code 200
Response headers (616 B)
Access-Control-Allow-Credentials true
Access-Control-Allow-Headers content-type
Access-Control-Allow-Methods POST
Access-Control-Allow-Origin https://domain
Allow GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
Cache-Control max-age=0, private, no-cache, …roxy-revalidate, no-transform
Connection close
Content-Length 0
Date Wed, 20 Dec 2017 17:57:14 GMT
Pragma no-cache
Server nginx/1.9.1
Strict-Transport-Security max-age=63072000; includeSubdomains;
Vary Origin,User-Agent
X-Frame-Options SAMEORIGIN
X-XSS-Protection 1; mode=block
Request headers (512 B)
Accept text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Access-Control-Request-Headers content-type
Access-Control-Request-Method POST
Connection keep-alive
Host domain
Origin https://domain
User-Agent Mozilla/5.0 (Windows NT 6.1; W…) Gecko/20100101 Firefox/57.0
Call with POST: Status code 403
Response headers (364 B)
Cache-Control max-age=0, private, no-cache, …roxy-revalidate, no-transform
Connection close
Content-Length 20
Date Wed, 20 Dec 2017 17:57:14 GMT
Pragma no-cache
Server nginx/1.9.1
Strict-Transport-Security max-age=63072000; includeSubdomains;
Vary User-Agent
X-Frame-Options SAMEORIGIN
X-XSS-Protection 1; mode=block
Request headers (2.507 KB)
Accept application/json, text/plain, */*
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Connection keep-alive
Content-Length 102
Content-Type application/json
Cookie rxVisitor=1513720811976ARCUHEC…B4SL3K63V8|6952d9a33183e7bc|1
Host domain
Origin https://domain
Referer https://domain/home/account/register
User-Agent Mozilla/5.0 (Windows NT 6.1; W…) Gecko/20100101 Firefox/57.0
Since this was not working, I have also tested by adding global configurations alone and also along with above snippet but no luck.
#Bean
public WebMvcConfigurer corsConfigurer() {
return new WebMvcConfigurerAdapter() {
#Override
void addCorsMappings(CorsRegistry registry) {
super.addCorsMappings(registry);
registry.addMapping(ApplicationConstants.MEMBER_URL_PATH)
.allowedOrigins("https://domain/")
.allowedMethods(HttpMethod.GET.toString(),
HttpMethod.POST.toString(), HttpMethod.PUT.toString());
}
}
}
On the preflight OPTIONS request, the server should respond with all the following (looks like you're doing this already):
Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials (if cookies are passed)
On the actual POST request, you'll need to return at least Access-Control-Allow-Origin and Access-Control-Allow-Credentials. You're not currently returning them for the POST response.
I had the same issue, then used the annotation #CrossOrigin and it works fine, but just for GET, when I tried to make a POST I still got Cross Origin error, then this fixed for me:
Create an interceptor and added the Access Controll headers to the response.
(You might not need all of them)
public class AuthInterceptor extends HandlerInterceptorAdapter {
#Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
return true;
}
#Override
public void postHandle(HttpServletRequest request, HttpServletResponse httpResponse, Object handler, ModelAndView modelAndView)
throws Exception {
httpResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");
httpResponse.setHeader("Access-Control-Allow-Headers", "*");
httpResponse.setHeader("Access-Control-Allow-Credentials", "true");
httpResponse.setHeader("Access-Control-Max-Age", "4800");
}
}
Then add the interceptor:
#Configuration
#EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
#Override
public void addInterceptors(InterceptorRegistry registry) {
System.out.println("++++++ WebConfig addInterceptors() ");
registry.addInterceptor(new AuthInterceptor()).addPathPatterns("/**");
}
}
I hope this save you some time, it took me a while to get this working .
Related
I currently try to set up a Xtext web editor with "Context Mapper" as DSL.
The backend is a basic Spring Boot backend with the Context Mapper DSL and Context Mapper LSP (Language Server).
The frontend is a VueJS frontend made with the help of this guide. It utilizes everything Eclipse Xtext generates and ports it to a VueJS website.
My only issue now is that the "/xtext-service/*" API return CORS errors with HTTP code 404 while the console of the backend prints absolutely nothing.
The Servlet looks like every other XtextServlet:
#WebServlet(name = "XtextServices", urlPatterns = "/xtext-service/*")
#SuppressWarnings("all")
public class ContextMappingDSLServlet extends XtextServlet {
private DisposableRegistry disposableRegistry;
#Override
public void init() {
try {
super.init();
final Injector injector = new ContextMappingDSLWebSetup().createInjectorAndDoEMFRegistration();
this.disposableRegistry = injector.<DisposableRegistry>getInstance(DisposableRegistry.class);
} catch (Throwable _e) {
throw Exceptions.sneakyThrow(_e);
}
}
#Override
public void destroy() {
if ((this.disposableRegistry != null)) {
this.disposableRegistry.dispose();
this.disposableRegistry = null;
}
super.destroy();
}
}
The requests are also the standard requests the Xtext generated web editor invokes and the occurrences request goes through it seems:
Response:
HTTP/1.1 404
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://localhost:8081
Access-Control-Allow-Credentials: true
Content-Type: application/json
Transfer-Encoding: chunked
Date: Fri, 21 Oct 2022 16:03:19 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Request:
GET /xtext-service/occurrences?resource=1e26589b.cml&caretOffset=1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,de;q=0.8
Cache-Control: no-cache
Connection: keep-alive
Cookie: JSESSIONID=CDE6CC29EE123451F3DF3FF174337EE3
Host: localhost:8080
Origin: http://localhost:8081
Pragma: no-cache
Referer: http://localhost:8081/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
The requests to http://localhost:8080/xtext-service/occurrences?resource=1e26589b.cml&caretOffset=1 returns 404 while update throws
Access to XMLHttpRequest at 'http://localhost:8080/xtext-service/update?resource=1e26589b.cml' from origin 'http://localhost:8081' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
CORS however is enabled:
#Configuration
#EnableWebMvc
public class WebConfiguration implements WebMvcConfigurer {
#Override
public void addCorsMappings(CorsRegistry registry) {
registry
.addMapping("/**")
.allowedMethods(CorsConfiguration.ALL)
.allowedHeaders(CorsConfiguration.ALL)
.allowedOriginPatterns(CorsConfiguration.ALL)
.allowCredentials(true);
}
}
The non-servlet APIs do work without any issues, but the Xtext-service servlet doesn't, and I don't know why.
#ServletComponentScan is enabled.
This question already has answers here:
CORS allowed-origin restrictions aren’t causing the server to reject requests
(3 answers)
Why isn't my CORS configuration causing the server to filter incoming requests? How can I make the server only accept requests from a specific origin?
(1 answer)
CORS-enabled server not denying requests
(2 answers)
Closed 3 years ago.
I have configured cors for zuul to check the origin etc.
Below is the code I added in zuul service, my zull proxy forward this request to back service and I want this cors to be tested on zuul before sending to back end micro service
#Component
#Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCORSFilter implements Filter {
Logger logger = LoggerFactory.getLogger(SimpleCORSFilter.class);
#Value("${myserver.origin}")
private String origin;
public SimpleCORSFilter() {
logger.info("SimpleCORSFilter init");
}
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
response.setHeader("Access-Control-Allow-Origin", origin);
response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type, x-requested-with, Accept,username,idType");
response.setHeader("Access-Control-Max-Age", "3600");
/*
if ("OPTIONS".equalsIgnoreCase(((HttpServletRequest) req).getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
chain.doFilter(req, res);
}
*/
chain.doFilter(req, res);
}
public void init(FilterConfig filterConfig) {
}
public void destroy() {}
}
I have configured myserver.origin=http://172.160.128.10:9898
In Chrome browser I am getting as failed(403) error
From Chrome I captured the log.
General:
Request URL: http://172.160.128.10:9898/api/test
Request Method: OPTIONS
Status Code: 403
Remote Address: 172.160.128.10:9898
Referrer Policy: no-referrer-when-downgrade
Response Headers
Access-Control-Allow-Headers: Authorization,Content-Type,Accept,username
Access-Control-Allow-Methods: POST, PUT, GET, OPTIONS, DELETE
Access-Control-Allow-Origin: http://172.160.128.60:8080
Access-Control-Max-Age: 3600
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
Date: Fri, 04 Oct 2019 12:12:32 GMT
Transfer-Encoding: chunked
Request Headers
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Origin: http://172.160.128.10:8080
Referer: http://172.160.128.10:8080/api/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
So from browser it is getting failed though it is sending correct fields
NOTE
Suggested answer didn't work.
I have the following configuration in WebSecurityConfigurerAdapter:
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.ldapAuthentication()
.userSearchBase("somevalue")
.userSearchFilter("somevalue")
.contextSource().url("somevalue").port("somevalue")
.managerDn("somevalue").managerPassword("somevalue");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/*.css", "/*.html", "/*.js", "/*.jpg").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login")
.loginProcessingUrl("/auth")
.permitAll();
}
And this is my configuration in WebMvcConfigurer:
#Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/*.css", "/*.html", "/*.js", "/*.jpg")
.addResourceLocations("classpath:/static/");
registry.addResourceHandler("/", "/login", "/myapp")
.addResourceLocations("classpath:/static/index.html")
.resourceChain(true)
.addResolver(new PathResourceResolver() {
#Override
protected Resource getResource(String resourcePath, Resource location) {
if (resourcePath.startsWith("/api") || resourcePath.startsWith("/api".substring(1))) {
return null;
}
return location.exists() && location.isReadable() ? location : null;
}
});
}
WHen I click on login button I send the following request in angular:
this.http.post(`localhost:8080/auth`, {username: 'user', password: 'password'})...
But I only got redirected to /login. Here's the network console:
auth 302
login 200
Here's the request (/auth) headers and body:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 47
Content-Type: application/json
Cookie: JSESSIONID=*****somecookie*****
Host: localhost:8080
Origin: http://localhost:8080
Referer: http://localhost:8080/login
Payload:
{username: "user", password: "password"}
General:
Request URL: http://localhost:8080/auth
Request Method: POST
Status Code: 302
Remote Address: [::1]:8080
Referrer Policy: no-referrer-when-downgrade
Response headers:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Fri, 01 Mar 2019 10:49:09 GMT
Expires: 0
Location: http://localhost:8080/login
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
And here's when it redirects to /login:
General:
Request URL: http://localhost:8080/login
Request Method: GET
Status Code: 200
Remote Address: [::1]:8080
Referrer Policy: no-referrer-when-downgrade
Request:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Cookie: JSESSIONID=*****somecookie*****
Host: localhost:8080
Referer: http://localhost:8080/login
Basically, the response body is the content of my index.html.
And in the console it says:
error: {error: SyntaxError: Unexpected token < in JSON at position 0 at JSON.parse...
headers: e {normalizedNames: Map(0), lazyUpdate: null, lazyInit: ƒ}
message: "Http failure during parsing for http://localhost:8080/login"
name: "HttpErrorResponse"
ok: false
status: 200
statusText: "OK"
url: "http://localhost:8080/login"
Also, is my ldap config correct?
How to properly configure for ldap authentication?
UPDATE
As per recommendation, I changed my code to send the body as http params. The request is now this:
Request Headers:
Content-Type: application/x-www.form-urlencoded;charset=UTF-8
Form Data
username=user&password=password
It still the same issue
The answer to my question is the missing csrf. If I don't disable csrf, spring security seems to look for this, otherwise, my request gets rerouted back to login page. I fixed by adding the following:
http.csrf().disable()
For the Request method 'POST' not supported during /login, in my AuthenticationSuccessHandler.onAuthenticationSuccess(), I put
request.getRequestDispatcher(targetURI).forward(request, response);
Instead, I just set the reponse with a string value:
response.getOutputStream().println(mapper.writeValueAsString(data));
Hello I want to make an request to my Spring server. Now I'm getting an error because of an restricted CORS option.
So I added an filter because the annotations doensn't work:
#Component
public class CORSFilter implements Filter {
public CORSFilter() {
}
#Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me");
chain.doFilter(request, response);
}
#Override
public void init(FilterConfig filterConfig) {
}
#Override
public void destroy() {
}}
Now my problem is, that the cors filter won't work on an dart request.
On an normal browser request the header is set but not in the dart http request.
Is there any solution which could fix this problem?
Update 23.09.2016:
Here is the http://pastebin.com/9KNfx7Jd
The problem is that the filter is not affected to this http call.
Only when I access the file via URL in the browser it works.
Here with ajax:
Remote Address:127.0.0.1:8090
Request URL:http://localhost:8090/time/time/login
Request Method:OPTIONS
Status Code:401 Unauthorized
Response Headers
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Connection:keep-alive
Content-Length:114
Content-Type:text/html;charset=UTF-8
Date:Fri, 23 Sep 2016 12:57:55 GMT
Expires:0
Pragma:no-cache
Server:WildFly/10
Set-Cookie:JSESSIONID=ZIkzLq-iALC6CDx7r6LhPz_8PiD05Q9ufod6GluZ.ccn6dc2; path=/time
WWW-Authenticate:Basic realm="Realm"
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-Powered-By:Undertow/1
X-XSS-Protection:1; mode=block
Request Headers
view source
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:content-type
Access-Control-Request-Method:GET
Connection:keep-alive
Host:localhost:8090
Origin:http://localhost:8080
Referer:http://localhost:8080/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.104 (Dart) Safari/537.36
And here without:
Remote Address:127.0.0.1:8090
Request URL:http://localhost:8090/time/time/login
Request Method:GET
Status Code:200 OK
Response Headers
view source
Access-Control-Allow-Origin:*
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Connection:keep-alive
Content-Length:5
Content-Type:text/html;charset=ISO-8859-1
Date:Fri, 23 Sep 2016 13:10:36 GMT
Expires:0
Pragma:no-cache
Server:WildFly/10
Set-Cookie:JSESSIONID=nQFjGB2m7ovHVT9VUnhtCJSXZvEZV4WWH0YCrgFk.ccn6dc2; path=/time
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-Powered-By:Undertow/1
X-XSS-Protection:1; mode=block
Request Headers
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Authorization:Basic c2tvYmxlcjpTMW1vbjUyNzli
Cache-Control:max-age=0
Connection:keep-alive
Cookie:JSESSIONID=oHJ4GvQ8pFNv8HSujI49NRXQxoVSVMM580sSrvJW.ccn6dc2
Host:localhost:8090
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.104 (Dart) Safari/537.36
Edit 26.09.2016:
Okay I changed now my SecurityConfig to this:
#Override
protected void configure(final HttpSecurity http) throws Exception {
super.configure(http);
http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
http.authorizeRequests().antMatchers(HttpMethod.OPTIONS).permitAll();
http.authorizeRequests().antMatchers("/**").authenticated();
}
now the filter is beeing called but I get now a new error: Response for preflight has invalid HTTP status code 401
Headers:
Access-Control-Allow-Origin:*
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Connection:keep-alive
Content-Length:114
Content-Type:text/html;charset=UTF-8
Date:Mon, 26 Sep 2016 12:30:39 GMT
It looks like your filter is not applied for OPTIONS requests.
A comment to this blog post indicates that OPTIONS requests need to be enabled explicitly:
https://spring.io/blog/2015/06/08/cors-support-in-spring-framework
One "gotcha" that I found when working with CORS with Spring MVC (when using a Filter or HandlerInterceptor) and Spring Security is that you need to explicitly permit all OPTIONS requests to properly handle the pre-flight. The W3C specification for CORS says that pre-flight requests should not send credentials, however I have found that some browsers do send the credentials, and others don't. So if you don't permitAll OPTIONS you get a 403 if the browser is not sending the credentials.
Will pre-flights requests be something that will need to be specifically configured when using Spring Security or will the pre-flight be handled before the filter chain?
See also
Disable Spring Security for OPTIONS Http Method
Enable CORS for OPTIONS request using Spring Framework
How to handle HTTP OPTIONS with Spring MVC?
How to handle HTTP OPTIONS requests in Spring Boot?
Spring and HTTP Options request
Ok I worked around with disabling the web security for chromium.
Thanks to all of you for helping me :)
I have written a spring rest service. When i was running it on localhost it was running well
$.ajax({
url:"http://localhost:8080/api/v1.0/basicSignup",
type:"POST",
contentType:"application/json",
but when i tried & hosted on some remote server
$.ajax({
url:"http://X.X.X.X/api/v1.0/basicSignup",
type:"POST",
contentType:"application/json",
it throwing error
In chrome
XMLHttpRequest cannot load http://X.X.X.X/api/v1.0/basicSignup.
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8084' is therefore not allowed access.
In console i see that in Method tab it show options
In mozilla also it shows OPTIONS.
Response Headersview source
Allow GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Content-Length 0
Date Sat, 15 Aug 2015 15:15:07 GMT
Server Apache-Coyote/1.1
Request Headersview source
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language en-us,en;q=0.5
Access-Control-Request-He... content-type
Access-Control-Request-Me... POST
Cache-Control no-cache
Connection keep-alive
DNT 1
Host X.X.X.X
Origin null
Pragma no-cache
User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1
As #JB's comment says, you might need to implement CORS. Basically, the single origin policy wouldn't allow JavaScript from one domain, say http://localhost:8084 to make AJAX calls to another domain, say http://X.X.X.X by default. There are some mechanisms for handling this, but people seem to prefer CORS, because generally it looks most convenient and powerful.
Spring Lemon exhibits how to use CORS in details. Below is an example from another project of mine:
In the client code, I would set up these ajax options initially (or along with each call)
$.ajaxSetup({ // Initialize options for AJAX calls
crossDomain: true,
xhrFields: {
withCredentials: true
}
...
});
At the server side, have a filter which will set the CORS headers. The latest version of Spring (which would come along with Spring Boot 1.3) has an easier way to configure CORS at the server side. But, in one project using Spring Boot 1.2, I would have it like this:
#Component
#Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {
#Value("${applicationUrl:http://localhost:8084}")
String applicationUrl;
public void doFilter(ServletRequest req,
ServletResponse res,
FilterChain chain)
throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
response.setHeader("Access-Control-Allow-Origin",
applicationUrl); // "*" does not work when withCredentials = true;
response.setHeader("Access-Control-Allow-Methods",
"GET, POST, PUT, PATCH, DELETE, OPTIONS");
response.setHeader("Access-Control-Max-Age",
"3600");
response.setHeader("Access-Control-Allow-Headers",
"x-requested-with,origin,content-type,accept,X-XSRF-TOKEN");
response.setHeader("Access-Control-Allow-Credentials", "true"); // needed when withCredentials = true;
HttpServletRequest request = (HttpServletRequest) req;
if (!request.getMethod().equals("OPTIONS"))
chain.doFilter(req, res);
}
public void init(FilterConfig filterConfig) {}
public void destroy() {}
}
Set applicationUrl in application.properties, like this
applicationUrl: http://X.X.X.X