How to alter allowed headers in Spring Boot

Question

I\'m currently using Auth0 (and an Angular 2 GUI), which sends a header of the type \"x-xsrf-token\" in the request to a Spring Boot API.

I get the error:

Answer 1

try,

@Bean
    public FilterRegistrationBean corsFilter() {
        UrlBasedCorsConfigurationSource source = new     UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");

        config.addAllowedHeader("*");       
        config.addAllowedMethod("*");        
        source.registerCorsConfiguration("/**", config);



        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        bean.setOrder(0);
        return bean;


    }

https://spring.io/blog/2015/06/08/cors-support-in-spring-framework

Answer 2

Believe this is already under discussion on the issue you posted here but thought it worth replying on SOF since you have raised the question here too.

What you can do, is modify your AppConfig to override the CORS Filter setting from the default library config with your own updated CORS Filter implementation

I think in your case, this might be just appending x-xsrf-token to this line:

response.setHeader("Access-Control-Allow-Headers", "Authorization, Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, " +
                "Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");

However, as i have stated in the github issue (linked above), if you send me your HAR file I can verify this is definitely the case and provides a working solution for you.

Answer 3

Ultimately I solved this myself. I removed this dependency here in the pom.xml file:

<dependency>
            <groupId>com.auth0</groupId>
            <artifactId>auth0-spring-security-api</artifactId>
            <version>0.3.1</version>
</dependency> 

because it is an open source project on github, here https://github.com/auth0/auth0-spring-security-api. I added the source code to my project in its own package, and added its dependencies to my pom.xml file. Then I changed the doFilter method in the Auth0CORSFilter to include my x-xsrf-token:

@Override
public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain) throws IOException, ServletException {
    final HttpServletResponse response = (HttpServletResponse) res;
    response.setHeader("Access-Control-Allow-Origin", "*");
    response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers", "Authorization, x-xsrf-token, Access-Control-Allow-Headers, Origin, Accept, X-Requested-With, " +
            "Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
    chain.doFilter(req, res);
}

Unfortunately, I now won't be able to switch versions as easily if I need to, I also have a slightly more cluttered codebase, however as I am new to Spring this was far easier than spending hours trying to override the Auth0CORSFilter Bean, if that was ever possible.