CORS Origin Spring Boot Jhipster - pre-flight fails

Question

I am using jhipster v2.27.2 I have enabled cors by uncommenting the lines in the application.yml

jhipster:
async:
    corePoolSize: 2
    maxPoolSize: 50
    queueCapacity: 10000

cors: #By default CORS are not enabled. Uncomment to enable.
    allowed-origins: "*"
    allowed-methods: GET, PUT, POST, DELETE, OPTIONS
    allowed-headers: "*"
    exposed-headers:
    allow-credentials: true
    max-age: 1800

In the "WebConfigurer"

@Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = props.getCors();
        if (config.getAllowedOrigins() != null && !config.getAllowedOrigins().isEmpty()) {
            source.registerCorsConfiguration("/api/**", config);
            source.registerCorsConfiguration("/v2/api-docs", config);
            source.registerCorsConfiguration("/oauth/**", config);
        }
        return new CorsFilter(source);
    }

But still when I request for the access token, I see this error

http://localhost:8080/oauth/token?username=admin&password=admin&grant_type=password&scope=read. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9090' is therefore not allowed access. The response had HTTP status code 401.

Answer 1

Looks like in the default SecurityConfiguration, its not skipping security check for OPTIONS.

Try adding the following antMatcher to the protected void configure(HttpSecurity http) method in SecurityConfiguration.java

.antMatchers(org.springframework.http.HttpMethod.OPTIONS, "/api/**").permitAll()

Answer 2

sometimes this issue will come if you forget to register cors on specified URLs.In WebConfigurer look for corsFilter and and add these line

 log.debug("Registering CORS filter");
        source.registerCorsConfiguration("/api/**", config);

Answer 3

Another option in the SecurityConfiguration.java. Instead of using antMatcher within the configure(HttpSecurity) override, is to add it within the configure(WebSecurity) override...

public void configure(WebSecurity web) throws Exception {
    web.ignoring()
        .antMatchers(HttpMethod.OPTIONS, "/**")