java - Cross-Origin Resource Sharing with Spring Security -


i'm trying make cors play nicely spring security it's not complying. made changes described in this article , changing line in applicationcontext-security.xml has got post , requests working app (temporarily exposes controller methods, can test cors):

  • before: <intercept-url pattern="/**" access="isauthenticated()" />
  • after: <intercept-url pattern="/**" access="permitall" />

unfortunately following url allows spring security logins through ajax isn't responding: http://localhost:8080/mutopia-server/resources/j_spring_security_check. making ajax request http://localhost:80 http://localhost:8080.

in chrome

when attempting access j_spring_security_check (pending) in chrome options preflight request , ajax call returns http status code 0 , message "error".

in firefox

the preflight succeeds http status code 302 , still error callback ajax request directly afterwards http status 0 , message "error".

enter image description here

enter image description here

ajax request code

function get(url, json) {     var args = {         type: 'get',         url: url,         // async: false,         // crossdomain: true,         xhrfields: {             withcredentials: false         },         success: function(response) {             console.debug(url, response);         },         error: function(xhr) {             console.error(url, xhr.status, xhr.statustext);         }     };     if (json) {         args.contenttype = 'application/json'     }     $.ajax(args); }  function post(url, json, data, dataencode) {     var args = {         type: 'post',         url: url,         // async: false,         crossdomain: true,         xhrfields: {             withcredentials: false         },         beforesend: function(xhr){             // added default             // ignoring prevents preflight - expects browser follow 302 location change             xhr.setrequestheader('x-requested-with', 'xmlhttprequest');             xhr.setrequestheader("x-ajax-call", "true");         },         success: function(data, textstatus, xhr) {             // var location = xhr.getresponseheader('location');             console.error('success', url, xhr.getallresponseheaders());         },         error: function(xhr) {             console.error(url, xhr.status, xhr.statustext);             console.error('fail', url, xhr.getallresponseheaders());         }     }     if (json) {         args.contenttype = 'application/json'     }     if (typeof data != 'undefined') {         // send json raw in body         args.data = dataencode ? json.stringify(data) : data;     }     console.debug('args', args);     $.ajax(args); }  var loginjson = {"j_username": "username", "j_password": "password"};  // fails post('http://localhost:8080/mutopia-server/resources/j_spring_security_check', false, loginjson, false);  // works post('http://localhost/mutopia-server/resources/j_spring_security_check', false, loginjson, false);  // works get('http://localhost:8080/mutopia-server/landuses?projectid=6', true);  // works post('http://localhost:8080/mutopia-server/params', true, {     "name": "testing",     "local": false,     "generated": false,     "project": 6 }, true);

please note - can post other url in app via cors except spring security login. i've gone through lots of articles, insight strange issue appreciated :)

i able extending usernamepasswordauthenticationfilter... code in groovy, hope that's ok:

public class corsawareauthenticationfilter extends usernamepasswordauthenticationfilter {     static final string origin = 'origin'      @override     public authentication attemptauthentication(httpservletrequest request, httpservletresponse response){         if (request.getheader(origin)) {             string origin = request.getheader(origin)             response.addheader('access-control-allow-origin', origin)             response.addheader('access-control-allow-methods', 'get, post, put, delete')             response.addheader('access-control-allow-credentials', 'true')             response.addheader('access-control-allow-headers',                     request.getheader('access-control-request-headers'))         }         if (request.method == 'options') {             response.writer.print('ok')             response.writer.flush()             return         }         return super.attemptauthentication(request, response)     } }

the important bits above:

  • only add cors headers response if cors request detected
  • respond pre-flight options request simple non-empty 200 response, contains cors headers.

you need declare bean in spring configuration. there many articles showing how won't copy here.

in own implementation use origin domain whitelist allowing cors internal developer access only. above simplified version of doing may need tweaking should give general idea.


Comments

Post a Comment

Popular posts from this blog

c# - Send Image in Json : 400 Bad request -

from android trying send image class of data, iis webservice. (c#) the problem 400 bad request . the image being encoded base64 . , placed json rest of class elements. my guess base64 not valid inside json. server not understand it. if set string "" , post accepted fine. so question is, how make base64 valid within json array? ( tried url.encode no success). or how should send image android webservice? gson gson = new gson(); string json = gson.tojson(record); // record has param { string base64photo } how big image? i'm pretty sure surpassing iis json size limit (default 4 mb). check http://geekswithblogs.net/frankw/archive/2008/08/05/how-to-configure-maxjsonlength-in-asp.net-ajax-applications.aspx or http://www.webtrenches.com/post.cfm/iis7-file-upload-size-limits good luck!
Read more

jquery - Fancybox - apply a function to several elements -

this source code below posted cristiano g. carvalho in answer question: calling fancybox gallery other link made user. <div class="details_gallery"> <a href="#" class="manualfancybox">manual call fancybox</a> <div class="details_gallery_min"> <a rel="details" href="max/1.jpg" class="fancybox"><img src="min/1.jpg" alt="" /></a> <a rel="details" href="max/2.jpg" class="fancybox"><img src="min/2.jpg" alt="" /></a> <a rel="details" href="max/3.jpg" class="fancybox"><img src="min/3.jpg" alt="" /></a> <a rel="details" href="max/4.jpg" class="fancybox"><img src="min/4.jpg" alt="" /></a> </div> </div> <script> $(document).read
Read more

An easy way to program an Android keyboard layout app -

i program android app replaces standard keyboard 1 one-hand optimized coffee++ keyboard layout. what special problems have face in progress? guess such project go deep android core, cause keyboard such essential thing. is wise start android developer tools (adt)—eclipse plugin described in this tutorial ? or there better way achieve goal? i new android programming, firm in php, mysql , javascript , use eclipse php i guess such project go deep android core, cause keyboard such essential thing. no. can create inputmethodservice implementation of keyboard. there sample soft keyboard in android sdk installation (if chose download sample code sdk manager), , there open source input methods floating around well, such hacker's keyboard. inputmethodservice distributed part of ordinary android application, , user can elect activate input method if user chooses. is wise start android developer tools (adt)—eclipse plugin described in tutorial? that fine s
Read more