Spring-MVC application URL CORS issue

In ou application we are using AngularJS, SpringMVC 5, Tomcat and single-sign-on (SSO). Issue is when the application session is timed-out or Invalid session, the application URL is not redirected back to login page. I am getting CORS error message.

I referred to the below link by changing the dispatcher-servlet and spring-security settings but it did not work.
https://stackoverflow.com/questions/46897681/issue-when-enable-cors-on-spring-security

Here is the sample JavaScript code for Invalid Session and Session timeout, please help how to apply CORS on the below code.

//Invalid Session TestApp.factory('respInterceptor', function($location, $window, $cookies) { return { response: function(resp) { //console.log(" Test : " + JSON.stringify(resp)); return resp; }, responseError : function(error) { console.log(" Error >>> : "+error.status ) if(error.status == 401 || error.status == 302) { $cookies.JSESSIOINID = ''; console.log("invalid session"); window.location = "http://login.boshiftdev.com/app/ui/login.jsp"; } } }; }) //Session Timeout $scope.logout = function() { $cookies.JSESSIOINID = ''; console.log("logout"); $http({ method: 'POST', url: contextURL+'/logout', headers: {'Content-Type': 'application/json'}, params: {data: $rootScope.userSession } }). success (function(data) { $rootScope.userSession = null; $window.location = 'login.jsp'; window.location = "" }). error (function(data) { $rootScope.userSession = null; $window.location= 'login.jsp'; console.error(''); }); }

dispatcher-servlet
<mvc: annotation-driven /> <context: annotation-config /> <context:component-scan base-package="com.books.book.utils" /> <context:component-scan base-package="com.books.book.vamp" /> <!-- added for spring5 mvc --> <beans:bean class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping"> <property name="useDefaultSuffixPattern" value="false" /> </beans:bean> <beans:bean class="org.springframework.web.servlet.mvc.annotation.Request MappingHandlerMapping" /> <!-- JSP --> <beans:bean id="jspViewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" /> <property name="prefix" value="/views/" /> <property name="suffix" value=".jsp" /> </beans:bean>           <!-- Annotation are configuring the application -->     <mvc:annotation-driven/>   <!-- Resource --> <- <mvc:resources mapping="/resources/*** location="/resources/" />--> <resources mapping="/resources/*** location="/resources/" /> <!-- DB --> <beans:bean id="vampjdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate"> <property name="dataSource" ref="dataSource" /> </beans:bean> <beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean"> <property name="jndiName"> <value>jdbc/vampDS</value> </property> </beans:bean> <tx:annotation-driven transaction-manager="transactionManager" /> <beans:bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager" scope="singleton"> <property name="dataSource" ref="dataSource" /> </beans:bean> </beans>

spring-security
<http pattern="/resources/**" security="none" /> <http entry-point-ref="loginUrlAuthenticationEntryPoint" use-expressions="true"> <intercept-url pattern="/web/**" access="permitAll" /> <intercept-url pattern="/j_spring security_check" access="isAnonymous()" /> <access-denied-handler error-page="/web/Index.html" /> <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencySesFilter" /> <custom-filter position="FORM_LOGIN_FILTER" ref="FormFilter"/> <custom-filter position="LAST" ref="appFilter" /> <session-management session-authentication strategy-ref="comsess" invalid-session-url="/web/Sessioninvalid.html" /> </http>       <!-- Scan this package for all config annotations -->    <context:component-scan base-package="com.books" />        <http use-expressions="true" auto-config="false" entry-point-ref="httpEntryPoint">        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />        <security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />    <http>    <bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">        <property name="principalRequestHeader" value="SM_USER"/>        <property name="authenticationManager" ref="authenticationManager" />    </bean>        <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">        <property name="preAuthenticatedUserDetailsService">            <bean id="userDetailsServiceWrapper"  class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">                <property name="userDetailsService" ref="customUserDetailsService"/>            </bean>        </property>    </bean>    <security:authentication-manager alias="authenticationManager">        <security:authentication-provider ref="preauthAuthProvider" />    </security:authentication-manager>            <beans:bean id="customUserDetailsService" class="com.books.security.CustomUserDetailsService"></bean>    <beans:bean id="httpEntryPoint" class="org.springframework.security.web.authentication.HttpForbiddenEntryPoint"></bean> </beans:bean>    <beans:bean id="redirectSessionInformationExpiredStrategy" class="org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy">       <beans:constructor-arg name="invalidSessionUrl" value="http://login.boshiftdev.com/app/ui/login.jsp" />    </beans:bean>    <beans:bean id="concurrencySesFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"> <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <beans:constructor-arg name="sessionInformationExpiredStrategy" ref="redirectSessionInformationExpiredStrategy" />    </beans:bean> <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />    <beans:bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> <beans:constructor-arg name="loginFormUrl" value="/web/Index.html" />    </beans:bean> <beans:bean id="comsess" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy"> <beans:constructor-arg> <beans:list> <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy"> <beans:constructor-arg ref="sessionRegistry"/> <beans:property name="maximumSessions" value="1" /> <beans:property name="exceptionIfMaximumExceeded" value="false" /> </beans:bean> <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"> </beans:bean> <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy"> <beans:constructor-arg ref="sessionRegistry"/> </beans:beans> </beans:list> </beans:constructor-arg> </beans:beans>

Where are you getting the CORS error exactly? That is for asynchronous requests, not browser navigation.

1) I have a logout link in my application, while clicking on the logout link, page redirect to logout without any issues.

2) When there is no user intervention on the application for 20 minutes, the session expires and while clicking on any of the links, it is not redirecting to logout page and here I see the CORS error message (in the browser developer tools).

3) I also have a popup window (AngularJS code) for the session time extension having Continue and Exit button. If I click on the Exit button, it is not redirecting to logout page. Here too I see the same CORS error message.

The Application and Logout page are two different domain URLs. In this application, we use SSO for login and logout.

If you are using JSP for the front end it would be easier to handle the redirects on the backend