JCH
Java Community | Help. Code. Learn.2y ago
Tomasm21

Java Spring Security Cors error

I'm trying to enable cors between browser and server api because website shows cors error. I try to add further bean: 
// Used by Spring Security if CORS is enabled.
    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source =
            new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }
// Used by Spring Security if CORS is enabled.
    @Bean
    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source =
            new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }
But then I get an error: 
java.lang.IllegalArgumentException: When allowCredentials is true, allowedOrigins cannot contain the special value "*" since that cannot be set on the "Access-Control-Allow-Origin" response header. To allow credentials to a set of origins, list them explicitly or consider using "allowedOriginPatterns" instead.
    at org.springframework.web.cors.CorsConfiguration.validateAllowCredentials(CorsConfiguration.java:516) ~[spring-web-6.0.7.jar:6.0.7]
    at org.springframework.web.cors.CorsConfiguration.checkOrigin(CorsConfiguration.java:620) ~[spring-web-6.0.7.jar:6.0.7]
//...
java.lang.IllegalArgumentException: When allowCredentials is true, allowedOrigins cannot contain the special value "*" since that cannot be set on the "Access-Control-Allow-Origin" response header. To allow credentials to a set of origins, list them explicitly or consider using "allowedOriginPatterns" instead.
    at org.springframework.web.cors.CorsConfiguration.validateAllowCredentials(CorsConfiguration.java:516) ~[spring-web-6.0.7.jar:6.0.7]
    at org.springframework.web.cors.CorsConfiguration.checkOrigin(CorsConfiguration.java:620) ~[spring-web-6.0.7.jar:6.0.7]
//...
How to solve this? Should I remove config.addAllowedOrigin("*"); line? Or should I ask exact url to my UI: "http://localhost:3000/" What if this url will be changed in production?
4 Replies
JavaBot
JavaBot2y ago
This post has been reserved for your question.
Hey @Tomasm21! Please use /close or the Close Post button above when you're finished. Please remember to follow the help guidelines. This post will be automatically closed after 300 minutes of inactivity.
TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.
dan1st
dan1st2y ago
ig you should list all allowed domains with addAllowedOrigin if the domain changes, change it there as well
Tomasm21
Tomasm21OP2y ago
currently this : config.addAllowedOriginPattern("*"); helped instead of config.addAllowedOrigin("*"); but with asterisk any request from any origin can be accepted
JavaBot
JavaBot2y ago
Post Closed
This post has been closed by <@312509109863710732>.
Want results from more Discord servers?
Add your server