Add support for Spring Web MVC CORS configuration mechanisms [DATAREST-573]

[spring-projects-issues]

Bruce Edge opened DATAREST-573 and commented

There's no mechanism for using the new CorsConfiguration CORS support within spring-data-rest.
See comments in the CORS post: https://spring.io/blog/2015/06/08/cors-support-in-spring-framework

AFAICT, one needs to put the @CrossOrigin directive in the controller, which doesn't exist in spring-data-rest repositories

---

Referenced from: pull request #233, and commits 40bb8e8, 273dac7, b223a2e, a3870ca, 7e8b137

39 votes, 32 watchers

[spring-projects-issues]

Sébastien Deleuze commented

As discussed with Oliver Drotbohm, this will require Spring Data REST to depend on Spring Framework 4.2.

I have detailed a possible solution for CORS support in Spring Data REST without requiring this issue to be resolved in the Stackoverflow answer.

Some implementation notes : supporting Global CORS configuration should be as simple as adding handlerMapping.setCorsConfigurations(getCorsConfigurations()) on each Spring Data REST HandlerMapping instance created in @Configuration classes like RepositoryRestMvcConfiguration. I guess supporting @CrossOrigin on repositories should follow the same principles than what we have done in supporting it on controllers

[spring-projects-issues]

Hendy Irawan commented

+1 for this. Got this (related) issue from spring-projects/spring-boot#4029 (comment)

[spring-projects-issues]

Gigen Thomas commented

+1 Need CORS Support for Data Rest

[spring-projects-issues]

Hendy Irawan commented

Please fix this, and it should be promoted to "Major".

The number one reason for having CORS is access to REST services from web client, so it should be easy to enable this for Spring Data REST.

[spring-projects-issues]

Mark Burns commented

+1 I'm surprised more people have not upvoted this one

[spring-projects-issues]

Nathan Ward commented

+1 I am looking to deploy an Angular app separately from my Spring Data REST services.

[spring-projects-issues]

Silvio Casamassima commented

+1 I'm developing an Angular client app too. Please fix this

[spring-projects-issues]

Leonardo commented

+1

[spring-projects-issues]

Jia Wern Lim commented

+1 , similarly developing an Angular app

[spring-projects-issues]

Patrick Hütter commented

+1, i'm also developing an angular 2 app

[spring-projects-issues]

Kevin Vasko commented

Is there a workaround for this issue at the moment?

The only thing I have found is by doing this..

@Configuration
public class MyConfiguration {

	@Bean
	public FilterRegistrationBean corsFilter() {
		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
		CorsConfiguration config = new CorsConfiguration();
		config.setAllowCredentials(true);
		config.addAllowedOrigin("*");
		config.addAllowedHeader("*");
		config.addAllowedMethod("*");
		source.registerCorsConfiguration("/**", config);
		FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
		bean.setOrder(0);
		return bean;
	}
}

from https://spring.io/blog/2015/06/08/cors-support-in-spring-framework

This seems to work for GET requests but preflighted requests still fail. I get this error message on a DELETE request (even though I have config.addAllowedMehtod("*").

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 403. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Is there a way to work around this until this is included?

Ended up finding a solution:

import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Note this is a very simple CORS filter that is wide open.
 * This would need to be locked down.
 * Source: http://stackoverflow.com/questions/39565438/no-access-control-allow-origin-error-with-spring-restful-hosted-in-pivotal-web
 */
@Component
public class CORSFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
        chain.doFilter(req, res);
    }

    public void init(FilterConfig filterConfig) {}

    public void destroy() {}

}

[spring-projects-issues]

Oliver Drotbohm commented

Comments on the PR

[spring-projects-issues]

Mark Paluch commented

PR comments addressed

[spring-projects-issues]

Oliver Drotbohm commented

That's merged and in place. RepositoryRestConfiguration now exposes a getCorsRegistry() for global setup and @CrossOrigin on a repository is considered, too