Response for preflight has invalid HTTP status code 401 - Spring

匿名 (未验证) 提交于 2018-03-17 14:56:01


everyone. I'm new to Angular 2 and Spring Framework. I'm trying a simple get request with an authorization header (basic auth).

I'm using Spring Boot (1.2.6.RELEASE), which can also be relevant. My CORS configuration looks like this.

public class SimpleCorsFilter implements Filter {

private final Logger log = LoggerFactory.getLogger(SimpleCorsFilter.class);

public SimpleCorsFilter() {"SimpleCORSFilter init");

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
    response.setHeader("Access-Control-Allow-Credentials", "true");
    response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me, authorization, x-auth-token");

    chain.doFilter(req, res);

public void init(FilterConfig filterConfig) {

public void destroy() {


And here's what it looks like from the client side

    this.headers.append('Authorization', 'Basic dXNlcjphZG1pbg==');
    return this.http
            .get(`http://localhost:8080/api/login?username=${username}`, {headers : this.headers} )
            .map(response => response.json().data as any);

I keep getting:

XMLHttpRequest cannot load http://localhost:8080/api/login?username=user. Response for preflight has invalid HTTP status code 401

Please help, i don't know what i'm missing... I checked around a lot of posts already but couldn't get there...


avoid filtering and set status 200 when http method is OPTIONS

if("OPTIONS".equalsIgnoreCase(request.getMethod())) {
} else {
    chain.doFilter(req, res);


If there is anyone getting into the similar situation working around with Spring Boot, Spring Security and clients like angular 2/4, I've posted the findings here.

For those who are looking for a short answer, you have to configure two things:

  1. With Spring Boot, the recommended way to enable global CORS is to declare within Spring MVC and combined with fine-grained @CrossOrigin configuration as:

    public class CorsConfig {
        public WebMvcConfigurer corsConfigurer() {
            return new WebMvcConfigurerAdapter() {
                public void addCorsMappings(CorsRegistry registry) {
                    registry.addMapping("/**").allowedMethods("GET", "POST", "PUT", "DELETE").allowedOrigins("*")
  2. Then, while working with Spring Security, you have to enable CORS at Spring Security level as well to allow it to leverage the configuration defined at Spring MVC level as:

    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {



Another option as in spring security guide:

in security config class which extends WebSecurityConfigurerAdapter configure cors()

  protected void configure(HttpSecurity http) throws Exception {

                        .cors().and().**this will use corsConfigurationSource by** default.

    so lets define corsConfigurationSource

    // other criteria

**so lets define corsConfigurationSource**

@Bean CorsConfigurationSource corsConfigurationSource() { 

CorsConfiguration configuration = new CorsConfiguration(); 


configuration.setAllowedMethods(Arrays.asList("GET", "POST")); 

UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

source.registerCorsConfiguration("/**", configuration);



This could be very late but this could solve some ones problem, after long hours i found the answer

public class SecurityConfig extends WebSecurityConfigurerAdapter
    public void configure( WebSecurity web ) throws Exception
        web.ignoring().antMatchers( HttpMethod.OPTIONS, "/**" );