Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for Spring Web MVC CORS configuration mechanisms [DATAREST-573] #947

Closed
spring-projects-issues opened this issue Jun 11, 2015 · 14 comments

Comments

@spring-projects-issues
Copy link

@spring-projects-issues spring-projects-issues commented Jun 11, 2015

Bruce Edge opened DATAREST-573 and commented

There's no mechanism for using the new CorsConfiguration CORS support within spring-data-rest.
See comments in the CORS post: https://spring.io/blog/2015/06/08/cors-support-in-spring-framework

AFAICT, one needs to put the @CrossOrigin directive in the controller, which doesn't exist in spring-data-rest repositories


Referenced from: pull request #233, and commits 40bb8e8, 273dac7, b223a2e, a3870ca, 7e8b137

39 votes, 32 watchers

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Jul 31, 2015

Sébastien Deleuze commented

As discussed with Oliver Drotbohm, this will require Spring Data REST to depend on Spring Framework 4.2.

I have detailed a possible solution for CORS support in Spring Data REST without requiring this issue to be resolved in the Stackoverflow answer.

Some implementation notes : supporting Global CORS configuration should be as simple as adding handlerMapping.setCorsConfigurations(getCorsConfigurations()) on each Spring Data REST HandlerMapping instance created in @Configuration classes like RepositoryRestMvcConfiguration. I guess supporting @CrossOrigin on repositories should follow the same principles than what we have done in supporting it on controllers

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Sep 26, 2015

Hendy Irawan commented

+1 for this. Got this (related) issue from spring-projects/spring-boot#4029 (comment)

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Jan 27, 2016

Gigen Thomas commented

+1 Need CORS Support for Data Rest

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Mar 22, 2016

Hendy Irawan commented

Please fix this, and it should be promoted to "Major".

The number one reason for having CORS is access to REST services from web client, so it should be easy to enable this for Spring Data REST.

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Apr 7, 2016

Mark Burns commented

+1 I'm surprised more people have not upvoted this one

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented May 5, 2016

Nathan Ward commented

+1 I am looking to deploy an Angular app separately from my Spring Data REST services.

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented May 26, 2016

Silvio Casamassima commented

+1 I'm developing an Angular client app too. Please fix this

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented May 30, 2016

Leonardo commented

+1

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Jun 16, 2016

Jia Wern Lim commented

+1 , similarly developing an Angular app

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Oct 8, 2016

Patrick Hütter commented

+1, i'm also developing an angular 2 app

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Oct 13, 2016

Kevin Vasko commented

Is there a workaround for this issue at the moment?

The only thing I have found is by doing this..

@Configuration
public class MyConfiguration {

	@Bean
	public FilterRegistrationBean corsFilter() {
		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
		CorsConfiguration config = new CorsConfiguration();
		config.setAllowCredentials(true);
		config.addAllowedOrigin("*");
		config.addAllowedHeader("*");
		config.addAllowedMethod("*");
		source.registerCorsConfiguration("/**", config);
		FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
		bean.setOrder(0);
		return bean;
	}
}

from https://spring.io/blog/2015/06/08/cors-support-in-spring-framework

This seems to work for GET requests but preflighted requests still fail. I get this error message on a DELETE request (even though I have config.addAllowedMehtod("*").

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 403. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Is there a way to work around this until this is included?

Ended up finding a solution:

import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Note this is a very simple CORS filter that is wide open.
 * This would need to be locked down.
 * Source: http://stackoverflow.com/questions/39565438/no-access-control-allow-origin-error-with-spring-restful-hosted-in-pivotal-web
 */
@Component
public class CORSFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
        chain.doFilter(req, res);
    }

    public void init(FilterConfig filterConfig) {}

    public void destroy() {}

}

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Oct 14, 2016

Oliver Drotbohm commented

Comments on the PR

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Oct 17, 2016

Mark Paluch commented

PR comments addressed

Loading

@spring-projects-issues
Copy link
Author

@spring-projects-issues spring-projects-issues commented Oct 28, 2016

Oliver Drotbohm commented

That's merged and in place. RepositoryRestConfiguration now exposes a getCorsRegistry() for global setup and @CrossOrigin on a repository is considered, too

Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants