CORS issue - No 'Access-Control-Allow-Origin' header is present on the requested resource

Question

I have created two web applications - client and service apps.
The interaction between client and service apps goes fine when they are deployed in same Tomcat instance.

Answer 1

In my case, I have Resource Server with OAuth security enabled and any of above solutions didn't work. After some debugging and googling figured why.

@Bean
public FilterRegistrationBean corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true);
    config.addAllowedOrigin("*");
    config.addAllowedHeader("*");
    config.addAllowedMethod("*");
    source.registerCorsConfiguration("/**", config);
    FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
    bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
    return bean;
}

Basically in this example Ordered.HIGHEST_PRECEDENCE is key!

https://github.com/spring-projects/spring-security-oauth/issues/938

Various pom dependencies add different kinds of filters and therefore we could have issues based on order.