generator-jhipster: CORS not working properly
Hi,
I am using jhipster only for server side code generation. I separate the server and client projects. The front end project is built by grunt. When I run “grunt serve”, it opens the url as localhost:9000 and the backend resources are located at localhost:8080. The scenarios below were tried on the login page. I use the spring security configuration which is configured by jhipster.
There are 2 scenarios that I tried.
1. If I do not modify anything (I mean I do not add any code, or modify configuration files for CORS support) it throws the error below:
XMLHttpRequest cannot load http://localhost:8080/api/authentication?cacheBuster=1472210597486. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 403.
When I look at the network logs of the browser, I see that it only tries the OPTIONS method.
2. If I uncomment the CORS part of application.yml, this time it throws the same error but there are two network access attempts in the log.
- The OPTIONS request succeeds, and these headers are added to the response headers:
  Access-Control-Allow-Credentials:true
  Access-Control-Allow-Headers:authorization
  Access-Control-Allow-Methods:GET,PUT,POST,DELETE,OPTIONS
  Access-Control-Allow-Origin:http://localhost:9000
  Access-Control-Max-Age:1800
- The POST request failed with code 403. The response headers do not include Access-Control-Allow-* headers. All the response headers are:
  Cache-Control:no-cache, no-store, max-age=0, must-revalidate
  Content-Type:application/json;charset=UTF-8
  Date:Fri, 26 Aug 2016 11:29:30 GMT
  Expires:0
  Pragma:no-cache
  Server:Apache-Coyote/1.1
  Set-Cookie:JSESSIONID=8232A843BDC6F30EF40F863A2CBB919D; Path=/; HttpOnly
  Set-Cookie:CSRF-TOKEN=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
  Transfer-Encoding:chunked
  X-Content-Type-Options:nosniff
  X-XSS-Protection:1; mode=block
So I couldn’t understand: although the OPTIONS request succeeded and the “Access-Control-Allow-Origin” header was added, the POST request got 403 without the “Access-Control-Allow-Origin” header.
My configuration is as follows:
jhipsterVersion: "3.5.1"
java version "1.8.0_25"
git version 2.6.4 (Apple Git-63)
node: v5.5.0
npm: 3.3.12
bower: 1.7.9
gulp: CLI version 3.9.1 Local version 3.9.1
yeoman: 1.8.4
About this issue
- State: closed
- Created 8 years ago
- Comments: 20 (11 by maintainers)
Shouldn’t there be CORS headers, also for 401 responses (e.g. when the token has expired and needs to be refreshed)?
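Added example (not part of the original issue or of JHipster's code): a simplified model of the browser-side checks, showing why scenario 2 still reports the missing-header error after a successful preflight, and why an error response such as a 403 or 401 is only readable by the client when it carries the CORS headers itself. The function names are hypothetical; the request headers, `withCredentials` and the preflight status 200 are assumptions, the header values are the ones quoted in the issue.

```javascript
// Added example: simplified model of the checks a browser applies to a
// preflighted request (wildcards in Allow-Methods/Allow-Headers not modelled).
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// The CORS check runs on the preflight response AND on the actual response.
function corsCheck(origin, headers, withCredentials) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return 'no Access-Control-Allow-Origin header';
  if (allowOrigin === '*') return withCredentials ? 'wildcard origin with credentials' : null;
  if (allowOrigin !== origin) return 'Access-Control-Allow-Origin does not match origin';
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return 'Access-Control-Allow-Credentials is not true';
  }
  return null; // check passed
}

function evaluateExchange(req, preflight, actual) {
  const fail = (stage, reason) => ({ readable: false, stage, reason });
  let reason = corsCheck(req.origin, preflight.headers, req.withCredentials);
  if (reason) return fail('preflight', reason);
  if (preflight.status < 200 || preflight.status > 299) return fail('preflight', 'status is not 2xx');
  const methods = list(preflight.headers['access-control-allow-methods']);
  if (!SAFELISTED_METHODS.includes(req.method) && !methods.includes(req.method.toLowerCase())) {
    return fail('preflight', `method ${req.method} not allowed`);
  }
  const allowed = list(preflight.headers['access-control-allow-headers']);
  const missing = req.headers.map((h) => h.toLowerCase()).filter((h) => !allowed.includes(h));
  if (missing.length) return fail('preflight', `headers not allowed: ${missing.join(', ')}`);
  reason = corsCheck(req.origin, actual.headers, req.withCredentials);
  if (reason) return fail('actual response', reason);
  return { readable: true, status: actual.status };
}

// Header values from the issue; request headers, withCredentials, status 200 are assumed.
const request = { origin: 'http://localhost:9000', method: 'POST',
  headers: ['authorization'], withCredentials: true };
const preflight = { status: 200, headers: {
  'access-control-allow-credentials': 'true',
  'access-control-allow-headers': 'authorization',
  'access-control-allow-methods': 'GET,PUT,POST,DELETE,OPTIONS',
  'access-control-allow-origin': 'http://localhost:9000' } };
const post403 = { status: 403, headers: { 'content-type': 'application/json;charset=UTF-8' } };
// Constructed: the same 403 if the server also attached CORS headers to it.
const post403WithCors = { status: 403, headers: { ...post403.headers,
  'access-control-allow-origin': 'http://localhost:9000',
  'access-control-allow-credentials': 'true' } };
console.log(evaluateExchange(request, preflight, post403));
console.log(evaluateExchange(request, preflight, post403WithCors));
```

The first result is blocked at the actual response, matching scenario 2; the second shows the 403 becoming visible to the client once the error response carries the same headers as the preflight.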