CORS issue after upgrading to 6.3

Since upgrading to 6.3 I’m having issues with CORS. I’ve tried adding @CrossOrigin(origins = “*”) directly above the @GetMapping in the controller. I’ve also tried adding
<mvc:mapping path="/rest/**"/>
to the new rest-dispatcher-spring.xml file
I can’t seem to get it to allow the cross domain sharing.

Any ideas?

ok after a little more digging, it seems it has something to do with me trying to add the ‘Authorization’ header with the Bearer (access_token). I add this to my request header when making the call from my angular 2 app.

If I just call it without adding that to the headers, then I can see the cross origin headers return, but I receive an unauthorized error.

Not sure why me adding a request header changes the way the response headers get added…

any help would be appreciated.

Basically if I call
http.get(url, new RequestOptions({body: ‘’, headers: newHeaders})

newHeaders = ‘Content-Type’: ‘application/json’

I receive a 401 unauthorized, with the following request/response headers when I inspect using chrome:

Request URL:
Request Method:GET
Status Code:401 Unauthorized
Remote Address:
Response Headers
view source
Date:Thu, 10 Nov 2016 06:25:01 GMT
WWW-Authenticate:Bearer realm=“rest-api”, error=“unauthorized”, error_description="Full authentication is required to access this resource"
X-XSS-Protection:1; mode=block
Request Headers
view source
Accept-Encoding:gzip, deflate, sdch
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36

If I simply append this
headers.append(‘Authorization’, Bearer ${accessToken});
to headers I then receive the cors error and the request and response headers look like this:

Request URL:
Request Method:OPTIONS
Status Code:403 Forbidden
Remote Address:
Response Headers
view source
Date:Thu, 10 Nov 2016 06:18:05 GMT
Request Headers
view source
Accept-Encoding:gzip, deflate, sdch
Access-Control-Request-Headers:authorization, content-type
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36

Is there a better or preferred way to pass along the Authorization header than simply adding it to the headers? If I take the exact access_token I receive and run it through postman. I get the desired json results.

An access token can also be passed as a query parameter with a name access_token. You can find an example here:

Can you please create and attach a small sample project that reproduces the issue? We need a CUBA project with one custom controller and a small client app that requests the REST API. That will help us to investigate your problem.

I’ve tried this solution, but then I get a 404 error.

BTW this is calling a custom controller off the /rest dispatcher, not in the v2 path of your new rest api version 2

So I guess I’d need to have each endpoint know to look for the access_token parameter?

No because it wouldn’t even let me to the endpoint unless I’m authenticated. Can you provide the filter that you use to handle the access_token as a parameter that will pass the authentication test? I’m assuming something would have to read the access_token and then strip it off, then forward on to the original endpoint.

In case I can’t get this to work correctly, what’s the trick to just allow anonymous user for now? I’ve tried to set the property to true, but it still gives a unauthorized error.

I’ve tried adding: = true;
to the
but as I step through the debug it still returns false in the CubaAnonymousAuthenticationFilter

Is there somewhere else that I should set it?

OK, I think I figured out the anonymous issue. I added the property to a file in the web-inf folder.

Here is a configuration from the documentation:

    <security:http pattern="/rest/myapi/**"
        <!-- Specify one or more protected URL patterns-->
        <intercept-url pattern="/rest/myapi/**" access="isAuthenticated()"/>
        <anonymous enabled="false"/>
        <csrf disabled="true"/>
        <cors configuration-source-ref="cuba_RestCorsSource"/>
        <custom-filter ref="resourceFilter" before="PRE_AUTH_FILTER"/>
        <custom-filter ref="cuba_AnonymousAuthenticationFilter" after="PRE_AUTH_FILTER"/>

resourceFilter here is the one that performs authentication check. The java class is OAuth2AuthenticationProcessingFilter.

Hi all, I have a similar problem. I implemented a custom controller to download pdf files from specific filesystem path, I tested it using oauth2 authentication (in a Browser) and now I’m trying to load pdf from polymer client using telecomsante pdf-viever (
Problem is cors configuration in custom controller. Where can I find more information about

<cors configuration-source-ref="cuba_RestCorsSource"/>  <<-------- What is this? A Spring Security filter in Cuba Framework that I want modify via XML configuration

in security section above.

I get is cors related errors, when testing with polymer serve which works on a different TCP port with respect to cuba platform WEB module (which is serving also rest in my case)

Bloccata richiesta multiorigine (cross-origin): il criterio di corrispondenza dell’origine non consente la lettura della risorsa remota da Motivo: header CORS “Access-Control-Allow-Origin” mancante.
(error in Italian in Firefox Developer tools)
Controller configuration is similar to the one included above.

Thanks in advance,