Simplest Way to Enable All CORS for SpringBootApplication.

I'm trying to get CORS working in a very simple SpringBootApplication, but I keep hitting the CORS issue - when calling the GET from the browser:

@SpringBootApplication public class SWApplication { public static void main(String[] args) { SpringApplication.run(TestApplication.class, args); } @Bean public WebMvcConfigurer corsConfigurer() { return new WebMvcConfigurer() { @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**"); } }; } }

From what I read - this is all I should need to open up CORS for everything... but it still doesn't work... Am I missing something?

I think what you wrote should work.

How do you know that it doesn't? How are you sending the request? What error message are you getting?

Stephan van Hulst wrote:I think what you wrote should work.

How do you know that it doesn't? How are you sending the request? What error message are you getting?

For example in my FIREFOX console - if I put the following:

await fetch("https://12.345.678.90:8081/myAPI/test", {    "credentials": "omit",    "referrer": "https://12.345.678.90:8080/",    "method": "GET",    "mode": "cors" });

I get the following:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://12.345.678.90:8081/myAPI/test. (Reason: CORS request did not succeed)



Here's something very strange though - I do have a SWAGGER page setup at https://12.345.678.90:8081/myAPI/swagger-ui/.

If goto that page first - and then use the FIREFOX console fetch command once more - the GET request goes through the 2nd time...

Can you show us the requests and responses that the network analyzer displays when you send those requests?

Stephan van Hulst wrote:Can you show us the requests and responses that the network analyzer displays when you send those requests?

This is what FIREFOX is showing in the NETWORK tab:

XHR OPTIONS https://12.345.678.90:8081/myAPI/test


HEADERS
Accept
*/*
Accept-Encoding
gzip, deflate, br
Accept-Language
en-US,en;q=0.5
Access-Control-Request-Headers
role
Access-Control-Request-Method
GET
Connection
keep-alive
DNT
1
Host
12.345.678.90:8081
Origin
https://12.345.678.90:8080
Referer
https://12.345.678.90:8080/
User-Agent
Mozilla/5.0 Gecko Firefox/87.0

No RESPONSE whatsoever

Security does show a:
An error occurred: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

Not sure if this is relevant since I'm testing my own SSL implementation here as well...

From what I understand the CORS config I did here should ALLOW just about EVERYTHING to go through - GET/POST/OPTION - any ORIGIN - any PORTS - etc...

As you are probably aware looking at this - my webpage is hosted on the 8080 PORT and my Spring Boot API is on the 8081 PORT of the same IP...

Perry Terrance wrote:No RESPONSE whatsoever

I find this extremely suspect. Even if the service at port 8081 doesn't doesn't allow the request from the script hosted at port 8080, it should still send an (empty) message in response to the OPTIONS request with the response headers set in such a way that it indicates that the preflight failed. No response at all indicates that the culprit is something other than CORS.

MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
Not sure if this is relevant since I'm testing my own SSL implementation here as well...

This is very likely.

I suggest you try the request over HTTP first to see if CORS is working as expected, and then fix your SSL issues. Note by fixing SSL issues I don't mean fixing your SSL implementation. I mean throwing it away and use something standard. Why are you using your own implementation?

Regardless, your problem is probably solved when you install the self-signed certificate into Firefox' or your operating system's trust store.

As you are probably aware looking at this - my webpage is hosted on the 8080 PORT and my Spring Boot API is on the 8081 PORT of the same IP...

Yes.

Hi Perry,
You may want to try to run this tutorial and see if it works for you:
https://github.com/Java-Techie-jt/spring-security-cors-example