Spring-boot angularjs satelizer cors filter

494 Views Asked by At

Have a problem with CORS filter, i think. Because when i send request with Authorization header by Intellij Idea REST Tools, my filter catch a Authorization header.

But when i try to send request from client side from another server, filter does not see my header(return null).

I`m using spring boot, angularjs, salelizer and JWT for build token.

Params for building token on server side.

    private static final JWSHeader JWT_HEADER = new JWSHeader(JWSAlgorithm.HS256);
    private static final String TOKEN_SECRET = "Bearer";
    public static final String AUTH_HEADER_KEY = "Authorization";

My Auth filter

public class AuthFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        String authHeader = httpRequest.getHeader(AuthUtils.AUTH_HEADER_KEY);

        if (StringUtils.isBlank(authHeader) || authHeader.split(" ").length != 2) {
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, AUTH_ERROR_MSG);
        } else {
            JWTClaimsSet claimSet = null;
            try {
                claimSet = (JWTClaimsSet) AuthUtils.decodeToken(authHeader);
            } catch (ParseException e) {
                httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, JWT_ERROR_MSG);
                return;
            } catch (JOSEException e) {
                httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, JWT_INVALID_MSG);
                return;
            }


            // ensure that the token is not expired
            if (new DateTime(claimSet.getExpirationTime()).isBefore(DateTime.now())) {
                httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, EXPIRE_ERROR_MSG);
            } else {
                chain.doFilter(request, response);
            }
        }   
    }

    @Override
    public void destroy() { /* unused */ }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { /* unused */ }

}

My CORS filter in Web Mvc config file

 @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        config.addExposedHeader("Authorization");
        config.addExposedHeader("Content-Type");
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }

My security configure

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS,"**").permitAll().and().authorizeRequests()
            .antMatchers( "/index","/api/**", "/auth/**", "/js/**", "/css/**", "/html/**")
            .permitAll().anyRequest().authenticated();

My cliend side configs

function configHttp($httpProvider, $authProvider){
        console.log("sdfd");
        $httpProvider.defaults.headers.common["X-Requested-With"] = 'XMLHttpRequest';
        $httpProvider.defaults.headers.common["Accept"] = "application/json";
        $httpProvider.defaults.headers.common["Content-Type"] = "application/json";

        var token = sessionStorage.getItem("satellizer_token");
        if (token && $authProvider.httpInterceptor) {
            token = $authProvider.authHeader === 'Authorization' ? 'Bearer ' + token : token;
            $httpProvider.defaults.headers.common[$authProvider.authHeader] = token;
        }
    }

    function configAuth($authProvider) {
        $authProvider.httpInterceptor = function() { return true; };
        $authProvider.baseUrl = 'http://localhost:8080';
        $authProvider.loginUrl = '/auth/login';
        $authProvider.signupUrl = '/auth/registration';
        $authProvider.tokenName = 'token';
        $authProvider.storageType = 'sessionStorage';
        $authProvider.authToken = 'Bearer';
        $authProvider.authHeader = 'Authorization';
    }
1

There are 1 best solutions below

0
On

There are a few options described here.

One option would be to annotate your controller method or class with @CrossOrigin.

If you want global config, you could add a new bean. I took this from the Spring doc listed above and modified it so that the mapping is /*. You can modify that path to be suitable for your application. According to the javadoc all origins will be allowed by default.

@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurerAdapter() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/*");
        }
    };
}