Spring MVC: How to Handle CORS implementing Secure JWT Authentication in a Custom Filter?
I recently switched to I'm experimenting with I've hit a wall trying to I'm testing a new approach and I'm building a feature where I'm developing a Spring MVC application that uses JWT for authentication and I've set up a custom filter to validate tokens. However, I'm running into CORS (Cross-Origin Resource Sharing) issues when making requests from my frontend application running on a different domain. When I try to make a `POST` request, I receive the following behavior in the browser console: ``` Access-Control-Allow-Origin: http://localhost:3000 has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. ``` I've tried adding a CORS mapping in my Spring configuration but it doesn't seem to work as expected. Hereβs the part of my Spring configuration: ```java import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.web.servlet.config.annotation.CorsRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @Configuration public class WebConfig implements WebMvcConfigurer { @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**") .allowedOrigins("http://localhost:3000") .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS") .allowCredentials(true); } } ``` I also included the necessary CORS headers in my filter like this: ```java import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletResponse; import org.springframework.stereotype.Component; @Component public class JwtAuthenticationFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletResponse httpResponse = (HttpServletResponse) response; httpResponse.setHeader("Access-Control-Allow-Origin", "http://localhost:3000"); httpResponse.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"); httpResponse.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type"); chain.doFilter(request, response); } } ``` Still, the CORS behavior continues and it seems like the preflight `OPTIONS` request is not getting the correct headers. Iβve verified that the JWT filter is being applied, but I suspect there might be an scenario with how the Spring security is configured or the order of the filters. My Security configuration is as follows: ```java import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.cors().and().csrf().disable() .authorizeRequests() .antMatchers("/api/auth/**").permitAll() .anyRequest().authenticated(); } } ``` Can anyone guide to figure out why my CORS headers are not being applied and how I can resolve these CORS issues while keeping my JWT authentication intact? I'm working on a application that needs to handle this. Any examples would be super helpful. This is for a REST API running on Debian. I'd love to hear your thoughts on this. Cheers for any assistance!