Invalid cors request with SpringBoot and Angular

Question

I know that this question has already been posted many times. But i'm not able to get it works. It is working on localhost, but not when deploying the app..

The problem is that i'm getting invalid cors request, but all the necessary is configured on spring side.. I really don't understand what's happening..

localhost conf proxy (working) :

{
  "/projet": {
    "target": "http://localhost:8080/api/v1",
    "pathRewrite": {"^/projet" : ""},
    "secure": false
  }
}

Deploying the app (proxy):

ProxyTimeout 120
ProxyRequests Off
ProxyPreserveHost Off
ProxyPass        /projet http://projet:8080/api/v1
ProxyPassReverse /projet http://projet:8080/api/v1

Http infos:

Host: projets.domain.fr
Origin: https://projets.domain.fr
Referer: https://projets.domain.fr/auth/login

Reponse : 403

Invalid CORS request

Spring Controller :

@RestController
@RequestMapping("/api/v1")
@CrossOrigin()
@Tag(name = "EndPoint : ", description = "Authentification")
public class AuthentificationEndpoint {

    @Autowired
    private IAuthentificationService iAuthentificationService;

    @PostMapping(value = "/authenticate", consumes = APPLICATION_JSON_VALUE, produces = APPLICATION_JSON_VALUE)
    @ResponseStatus(HttpStatus.OK)
    public JwtModelDTO authenticate(@Valid @RequestBody UserAuthentificationDTO userAuth) {
        return iAuthentificationService.authenticate(userAuth.getEmail(), userAuth.getPassword());
    }

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@RequiredArgsConstructor
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  ...

  @Bean
  protected Filter corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true);
    config.addAllowedHeader("*");
    config.addAllowedMethod("OPTIONS");
    config.addAllowedMethod("HEAD");
    config.addAllowedMethod("GET");
    config.addAllowedMethod("PUT");
    config.addAllowedMethod("POST");
    config.addAllowedMethod("DELETE");
    config.addAllowedMethod("PATCH");
    config.addExposedHeader("Location");

    source.registerCorsConfiguration("/**", config);

    return new CorsFilter(source);
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.addFilterBefore(corsFilter(), ChannelProcessingFilter.class);
    http.csrf().disable();
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http.authorizeRequests()
        .antMatchers("/actuator/**").permitAll()
        .antMatchers("/api/v1/authenticate").permitAll()
        .antMatchers("/api/v1/authenticate/service").permitAll()
        .antMatchers("/api/v1/evict-cache").permitAll()
        .antMatchers("/v3/api-docs/**").permitAll()
        .antMatchers("/swagger-resources/**").permitAll()
        .antMatchers("/swagger-ui/**").permitAll()
        .antMatchers("/swagger-ui.html").permitAll()
        // .antMatchers("/api/v1/signup").permitAll()
        .anyRequest().authenticated();
    http.apply(new JwtTokenFilterConfigurer(jwtTokenProvider));
  }
....

}

Answer 1

Update your @CrossOrigin(origin="*")

Answer 2

Problem was caused by the "Preserve Host: Off" in apache configuration