CORS preflight issue about blog HOT 11 CLOSED

Hi
I think I had a similar issue with an older spring-security version. What version of spring and spring-security do you use?

from blog.

Thanks for the quick response, so taking a look the versions are:
Spring: 5.0.5.RELEASE
Spring Boot: 2.0.1.RELEASE
Spring Security Core: 5.0.4.RELEASE

from blog.

Same I use for my demo.

Have you added the cors() configuration in the security config

		http
		  .cors()    // <---------
		    .and()

https://github.com/ralscha/blog/blob/master/jwt/server/src/main/java/ch/rasc/jwt/security/SecurityConfig.java

from blog.

I have indeed I have the same setup for the server you have in the repo, in the security config:

    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .cors().and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                // .httpBasic().and() //optional, if the service wants to be accessed via the browser
                .authorizeRequests()
                    // endPoint configuration requiring authorization
                    .antMatchers("/signup").permitAll()
                    .antMatchers("/login").permitAll()
                    .antMatchers("/public").permitAll()
                    .anyRequest().authenticated().and()
                .apply(new JWTConfigurer(this.tokenProvider));
    }

from blog.

Is there also a @CrossOrigin annotation on the Controller class where the /login mapping is located?

@RestController
@CrossOrigin
public class AuthController {

 @PostMapping("/login")
  public String authorize(@Valid @RequestBody User loginUser,
      HttpServletResponse response) {
      .....
  }
}

from blog.

Indeed I have, I have uploaded my current server code in a repo on (https://github.com/iranicus/JWT_attempt) if you could take a ganders pls :>

from blog.

I will look tomorrow.

One quick thing you could try is to remove

spring.mvc.dispatch-options-request=true

in your application.properties file.

from blog.

Will do that was just added as part of a potential CORS fix, just removed it now but unfortunately no change.

from blog.

I have just tested my application and it works. I will try your project tomorrow.

from blog.

It works when you remove

//@ComponentScan({ "com.rdanby.jwt.security.jwt" })

on the JwtApplication class. This annotation only configures beans in the com.rdanby.jwt.security.jwt package and skips everything else

and add @component on the TokenProvider, because the application needs to inject this bean into other beans.

@Component
public class TokenProvider {

from blog.

Just added this now and it has fixed the issue, thanks loads. There is another issue I have ran into however with the /secret and /authenticate api calls which I'll bring up as a different issue.

from blog.