Spring Data REST / DATAREST-573

Add support for Spring Web MVC CORS configuration mechanisms

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6 RC1 (Ingalls)
    • Component/s: Repositories
    • Labels: None

      Description

      There's no mechanism for using the new CorsConfiguration CORS support within spring-data-rest.
      See comments in the CORS post: https://spring.io/blog/2015/06/08/cors-support-in-spring-framework

      AFAICT, one needs to put the @CrossOrigin directive in the controller, which doesn't exist in spring-data-rest repositories.

        Activity

        info@patrick-huetter.de Patrick Hütter added a comment -

        +1, I'm also developing an Angular 2 app

        kur1j Kevin Vasko added a comment - - edited

        Is there a workaround for this issue at the moment?

        The only thing I have found is by doing this:

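        // FilterRegistrationBean is in org.springframework.boot.web.servlet as of Spring Boot 1.4
        import org.springframework.boot.web.servlet.FilterRegistrationBean;
        import org.springframework.context.annotation.Bean;
        import org.springframework.context.annotation.Configuration;
        import org.springframework.web.cors.CorsConfiguration;
        import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
        import org.springframework.web.filter.CorsFilter;

        @Configuration
        public class MyConfiguration {

        	@Bean
        	public FilterRegistrationBean corsFilter() {
        		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        		CorsConfiguration config = new CorsConfiguration();
        		config.setAllowCredentials(true);
        		config.addAllowedOrigin("*");
        		config.addAllowedHeader("*");
        		config.addAllowedMethod("*");
        		source.registerCorsConfiguration("/**", config);
        		FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        		bean.setOrder(0);
        		return bean;
        	}
        }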
        
        

        from https://spring.io/blog/2015/06/08/cors-support-in-spring-framework

        This seems to work for GET requests but preflighted requests still fail. I get this error message on a DELETE request (even though I have config.addAllowedMethod("*")).

        Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 403. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

        Is there a way to work around this until this is included?

        Ended up finding a solution:

        import org.springframework.stereotype.Component;
         
        import javax.servlet.*;
        import javax.servlet.http.HttpServletResponse;
        import java.io.IOException;
         
        /**
         * Note this is a very simple CORS filter that is wide open.
         * This would need to be locked down.
         * Source: http://stackoverflow.com/questions/39565438/no-access-control-allow-origin-error-with-spring-restful-hosted-in-pivotal-web
         */
        @Component
        public class CORSFilter implements Filter {
         
            public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
                HttpServletResponse response = (HttpServletResponse) res;
                response.setHeader("Access-Control-Allow-Origin", "*");
                response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");
                response.setHeader("Access-Control-Max-Age", "3600");
                response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
                chain.doFilter(req, res);
            }
         
            public void init(FilterConfig filterConfig) {}
         
            public void destroy() {}
         
        }
        

        olivergierke Oliver Gierke added a comment -

        Comments on the PR.

        mp911de Mark Paluch added a comment -

        PR comments addressed.

        olivergierke Oliver Gierke added a comment -

        That's merged and in place. RepositoryRestConfiguration now exposes a getCorsRegistry() for global setup and @CrossOrigin on a repository is considered, too.
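
What the two mechanisms named in the comment above can look like in an application, as an added example rather than code from the pull request: global setup through `getCorsRegistry()` and `@CrossOrigin` on a repository. `RestCorsConfiguration`, `PersonRepository`, the JPA entity `Person` and the allowed origin are assumptions; `RepositoryRestConfigurerAdapter` is the configurer base class of the 2.6 line.

```java
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurerAdapter;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMethod;

// Global setup: one explicit origin and an explicit method list instead of "*".
@Component
public class RestCorsConfiguration extends RepositoryRestConfigurerAdapter {

    @Override
    public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {
        config.getCorsRegistry()
              .addMapping("/**")
              .allowedOrigins("http://localhost:9000")   // assumed trusted front end
              .allowedMethods("GET", "POST", "PUT", "DELETE")
              .allowedHeaders("Content-Type", "Accept", "X-Requested-With")
              .allowCredentials(false)                   // enable only if cookies or HTTP auth must cross origins
              .maxAge(3600);
    }
}

// Per-repository setup: narrower than the global mapping, limited to reads and deletes.
@CrossOrigin(origins = "http://localhost:9000",
             methods = { RequestMethod.GET, RequestMethod.DELETE },
             maxAge = 3600)
interface PersonRepository extends CrudRepository<Person, Long> {}

// Hypothetical entity so the repository compiles; assumes JPA is on the classpath.
@javax.persistence.Entity
class Person {
    @javax.persistence.Id
    @javax.persistence.GeneratedValue
    Long id;
    String name;
}
```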


          People

          • Assignee: mp911de Mark Paluch
          • Reporter: bedge42 Bruce Edge
          • Last updater: Oliver Gierke
          • Votes: 39
          • Watchers: 31
