quarkus: CORS not working correctly

Describe the bug

I have a simple REST interface that needs to be accessed by a SPA, which is failing because of CORS. I checked again and tried to call my interface via Postman and I do not see any CORS headers.

quarkus.http.cors=true
quarkus.http.cors.origins=http://localhost:8080
quarkus.http.cors.headers=accept, origin, authorization, content-type, x-requested-with
quarkus.http.cors.methods=GET,POST,OPTIONS

However, if I implement the JAX-RS filter, the CORS header shows up. Is there a known bug, or could anybody confirm with version 0.21?

import java.io.IOException;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.ext.Provider;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Provider
public class CORSFilter implements ContainerResponseFilter {

    // Logger
    private final Logger log = LoggerFactory.getLogger(CORSFilter.class);

    @Override
    public void filter(final ContainerRequestContext requestContext,
                       final ContainerResponseContext cres) throws IOException {
        cres.getHeaders().add("Access-Control-Allow-Origin", "http://localhost:8080");
        cres.getHeaders().add("Access-Control-Allow-Headers", "accept, origin, authorization, content-type, x-requested-with");
        cres.getHeaders().add("Access-Control-Allow-Methods", "GET,POST,OPTIONS");
        cres.getHeaders().add("Access-Control-Max-Age", "1209600");
    }

}

UPDATE: I figured out that if I set quarkus.http.cors, the headers for the OPTIONS method are set correctly; however, the actual “POST” call causes the following error (this does not happen when setting the JAX-RS header, which should not be necessary):

Access to XMLHttpRequest at 'https://DOMAIN/PATH' from origin 'https://DOMAIN' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 8
  • Comments: 23 (15 by maintainers)

Most upvoted comments

I’m seeing this error on 0.22. I can’t upgrade right now, but if you get here through Google, that’s what saved my life for a simple demo using this thread as a reference:

application.properties:

quarkus.http.cors=true

The custom CORSFilter:

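import java.io.IOException;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.Provider;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Provider
public class CORSFilter implements ContainerResponseFilter {

    private static final Logger LOGGER = LoggerFactory.getLogger(CORSFilter.class);

    public CORSFilter() {}

    @Override
    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) throws IOException {
        LOGGER.debug("Modifying response with CORSFilter: {}", responseContext.getHeaders());
        MultivaluedMap<String, Object> headers = responseContext.getHeaders();
        headers.putSingle("Access-Control-Allow-Origin", "*");
        LOGGER.debug("Modified to add the required header: {}", responseContext.getHeaders());
    }
}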

Then the POST method has the required header:

HTTP/1.1 200 OK
Connection: keep-alive
Access-Control-Allow-Origin: *
Content-Type: application/json
Content-Length: 121
Date: Fri, 04 Oct 2019 23:22:05 GMT

The OPTIONS response header is correct:

HTTP/1.1 200 OK
Connection: keep-alive
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Credentials: true
Transfer-Encoding: chunked
Access-Control-Allow-Methods: POST
Date: Fri, 04 Oct 2019 23:22:05 GMT

If you guys fixed this in the newer versions, that’s great news, because it’s a super common use case for front end developers that are keen to implement backend services with Quarkus.
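
The workaround in the comment above sends `Access-Control-Allow-Origin: *` on every response, while the preflight response it shows names a single origin and allows credentials. As an added example (not the commenter's code and not Quarkus code), the same kind of JAX-RS filter can echo the request's Origin only when it exactly matches an allowlist; the class name and the allowlist entry http://localhost:3000 (taken from the OPTIONS response above) are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.Provider;

// Hypothetical class name; added example, not from the thread or from Quarkus.
@Provider
public class AllowlistCorsFilter implements ContainerResponseFilter {

    // Assumption: the SPA origins allowed to read responses (scheme://host:port).
    private static final Set<String> ALLOWED_ORIGINS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("http://localhost:3000")));

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response)
            throws IOException {
        MultivaluedMap<String, Object> headers = response.getHeaders();

        // The response now depends on the Origin request header,
        // so shared caches must key on it.
        headers.add("Vary", "Origin");

        String origin = request.getHeaderString("Origin");

        // Exact string match only: prefix, suffix or substring matching would
        // also accept look-alike hosts that merely contain the allowed name.
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            // No CORS headers: the browser withholds the response from the calling script.
            return;
        }

        headers.putSingle("Access-Control-Allow-Origin", origin);
        // Mirrors the preflight response shown above; omit this header if the
        // SPA sends no cookies or HTTP authentication.
        headers.putSingle("Access-Control-Allow-Credentials", "true");
    }
}
```

Browsers refuse a wildcard `Access-Control-Allow-Origin` on credentialed requests, so echoing an allowlisted origin is also what lets cookies or HTTP authentication work from the SPA.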

We really need to get to the bottom of this.

@Manu206 any chance you could provide a sample application so that we could see what’s not working correctly?

I’m testing CORS using http://www.test-cors.org on Quarkus 0.23.2 and also the latest master branch, with this config file:

quarkus.http.cors=true
quarkus.http.cors.origins=http://www.test-cors.org
quarkus.http.cors.headers=accept,authorization,content-type,x-requested-with,x-foobar
quarkus.http.cors.methods=GET,POST,PUT

It seems to work just fine.