cors java spring spring-boot spring-security

Spring security CORS Filter

We added Spring Security to our existing project.

From this moment on we get a 401 No 'Access-Control-Allow-Origin' header is present on the requested resource error from the our server.

That’s because no Access-Control-Allow-Origin header is attached to the response. To fix this we added our own filter which is in the Filter chain before the logout filter, but the filter does not apply for our requests.

Our Error:

XMLHttpRequest cannot load http://localhost:8080/getKunden. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin http://localhost:3000 is therefore not allowed access. The response had HTTP status code 401.

Our Security configuration:

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private MyFilter filter;
public void configure(HttpSecurity http) throws Exception {
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
final CorsConfiguration config = new CorsConfiguration();
source.registerCorsConfiguration("/**", config);
http.addFilterBefore(new MyFilter(), LogoutFilter.class).authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/*").permitAll();
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

Our filter

public class MyFilter extends OncePerRequestFilter {
public void destroy() {
private String getAllowedDomainsRegex() {
return "individual / customized Regex";
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
final String origin = "http://localhost:3000";
response.addHeader("Access-Control-Allow-Origin", origin);
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS");
response.setHeader("Access-Control-Allow-Credentials", "true");
"content-type, x-gwt-module-base, x-gwt-permutation, clientid, longpush");
filterChain.doFilter(request, response);

Our Application

public class Application {
public static void main(String[] args) {
final ApplicationContext ctx =, args);
final AnnotationConfigApplicationContext annotationConfigApplicationContext = new AnnotationConfigApplicationContext();

Our filter is registered from spring-boot:

2016-11-04 09:19:51.494 INFO 9704 — [ost-startStop-1] o.s.b.w.servlet.FilterRegistrationBean : Mapping filter: ‘myFilter’ to: [/*]

Our generated filterchain:

2016-11-04 09:19:52.729 INFO 9704 — [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: [email protected]1, [org.springframework.secu[email protected]5d8c5a8a, org.spring[email protected]7d6938f, [email protected]9c, [email protected], [email protected], org.[email protected]2330834f, org.sp[email protected]396532d1, org.springframework.[email protected]4fc0f1a2, org.springfram[email protected]2357120f, o[email protected]10867bfb, org[email protected]4b8bf1fb, org.springfr[email protected]42063cf1]

The Response:
Response headers

We tried the solution from spring as well but it didn’t work! The annotation @CrossOrigin in our controller didn’t help either.

Edit 1:

Tried the solution from @Piotr Sołtysiak.
The cors filter isn’t listed in the generated filter chain and we still get the same error.

2016-11-04 10:22:49.881 INFO 8820 — [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: [email protected]1, [org.springframework.secu[email protected]4c191377, org.spring[email protected]28bad32a, [email protected]668, [email protected], org.[email protected]1c9cd096, org.springframework.s[email protected]3990c331, org.springframework.[email protected]1e8d4ac1, org.springfram[email protected]2d61d2a4, org.sp[email protected]380d9a9b, org.springframework.[email protected]abf2de3, org.springfram[email protected]2a5c161b, o[email protected]3c1fd3e5, org[email protected]3d7055ef, org.springfr[email protected]5d27725a]

Btw we are using spring-security version 4.1.3.!