Search code examples

Spring Boot Security OAuth Angular Response to preflight request doesn't pass?

A login request from Angular app, to Spring boot OAuth service with following error in web console,

Access to XMLHttpRequest at 'http://localhost:9191/oauth/token' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

here's my angular login method

logIn(u_name: string, password: string): Observable<any> {

    const httpOptions = {
      headers: new HttpHeaders({
        'Authorization': 'Basic ' + btoa('mobile:pin'),
        'Content-type': 'multipart/form-data'

      const requestBody = new HttpParams()
        .set('username', u_name)
        .set('password', password)
        .set('grant_type', 'password');

    return'http://localhost:9191/oauth/token', requestBody, httpOptions );

here's the WebSecurityConfiguration

public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private UserDetailsService userDetailsService;

    private CorsFilter corsFilter;

    protected AuthenticationManager getAuthenticationManager() throws Exception {
        return super.authenticationManagerBean();

    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();

    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class).authorizeRequests().antMatchers("/oauth/token").permitAll()

     // i already try with this but it also ended up with the same error
      //  http.cors();


CorsFilter configuration class

public class CorsFilter extends OncePerRequestFilter {

    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "authorization, content-type, xsrf-token");
        response.addHeader("Access-Control-Expose-Headers", "xsrf-token");
        if ("OPTIONS".equals(request.getMethod())) {
        } else {
            filterChain.doFilter(request, response);

What im doing wrong here. Thanks in advance.


  • Only specify the origin in the CorsConfigurationSource bean not the whole url as shown in the link