I have CORS set up in a SecurityFilterChain to accept a list of origins, like this:
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityChain {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(
(authorizeRequests) -> authorizeRequests.requestMatchers(HttpMethod.GET, "/**").permitAll()
.requestMatchers(HttpMethod.POST, "/**").permitAll()
.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.requestMatchers(HttpMethod.HEAD, "/**").permitAll())
.cors((cors) -> cors
.configurationSource(configureCors()));
return http.build();
}
CorsConfigurationSource configureCors() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOriginPatterns(Arrays.asList("origin1", "origin2"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "HEAD"));
configuration.setAllowedHeaders(Arrays.asList("*"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
The request mappings are also annotated with @CrossOrigin with the same list of origins.
I want to be able to modify the ServletResponse when a request origin is rejected (by adding a unique response header). I have tried doing so in a Filter implementation, but if the origin is rejected the request won't reach the Filter code.
How can I modify the response when the filter chain rejects a cross-origin request?
When a provided @annotation is used, it is a little bit complicated to use custom filters. Spring boot is jealous owner of the entire http pipeline.
Here a few options intercept the response and add whatever you want to the response instance
With this two annotation I was able to catch the final response and add my custom headers
package org.jrichardsz.acme.filters;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
@Component
@Order(1)
public class ResponseHeaderFilter implements Filter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletResponse res = (HttpServletResponse) response;
res.addHeader("x-foo-response", "bar-value");
chain.doFilter(request, response);
}
}
Lectures:
If the #1 did not work, remove all the @Cors and create your own cors filter
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
System.out.println("CORSFilter HTTP Request: " + request.getMethod());
// Authorize (allow) all domains to consume the content
((HttpServletResponse) servletResponse).addHeader("Access-Control-Allow-Origin", "*");
((HttpServletResponse) servletResponse).addHeader("Access-Control-Allow-Methods","GET, OPTIONS, HEAD, PUT, POST");
HttpServletResponse resp = (HttpServletResponse) servletResponse;
// For HTTP OPTIONS verb/method reply with ACCEPTED status code -- per CORS handshake
if (request.getMethod().equals("OPTIONS")) {
resp.setStatus(HttpServletResponse.SC_ACCEPTED);
return;
}
// pass the request along the filter chain
chain.doFilter(request, servletResponse);
}
Source: https://howtodoinjava.com/java/servlets/java-cors-filter-example/
Lectures: