Camunda CORS Filter in Spring Boot Application

Hi,

i have a ReactJS Client that tries to send a POST Request to my Camunda Engine. Whenever i submit my form i get following error:

Failed to load http://localhost:8080/rest/process-definition/key/TestBuildPipeline/submit-form: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://localhost:3000’ is therefore not allowed access. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

I tried with this solution, adding this Method to my Application Class image

Then i got GET Requests to my Spring Boot Application to work. Still Camunda REST Engine is not working. After lot of research i didnt found any solution. Btw Postman does work.

I tried with the web.xml (like here) but i dont know where to put it… Right now i created the folder “src/main/webapp/WEB-INF” and put it there, but it doesnt seem to get processed. The other solution with the nginx proxy is way too much for my needs.

My Camunda Engine is running as a Spring Boot Application, i start it using Maven and i think Tomcat is deploying the server.

#up
Someone know how to get the Problem fixed?

Did you get it working? I am facing the same issue as my own controllers are allowing CORS but the Camunda REST endpoints fail

Not yet i will post here if i find a solution. I use Chrome with Web Security disabled for now.

According to docs: https://docs.camunda.org/manual/latest/user-guide/spring-boot-integration/rest-api/

Two methods available:

  • set via Spring Common Application Properties: endpoints.cors.allowed-origins=*
  • set by extending CamundaJerseyResourceConfig and registering a CorsRegistry:
    @Override
    protected void registerAdditionalResources() {
        CorsRegistry registry = new CorsRegistry();
        registry.addMapping("/**")
                .allowedOrigins("http://localhost:3000")
                .allowedHeaders("*")
                .allowedMethods("*");
        register(registry);
    }

I’ve tried both methods but can’t seem to get it working

1 Like

Try this configuration bean:

@Bean
CorsConfigurationSource corsConfigurationSource() {
	CorsConfiguration configuration = new CorsConfiguration();
	configuration.setAllowCredentials(true);
	configuration.addAllowedOrigin("*");
	configuration.addAllowedHeader("*");
	configuration.addAllowedMethod("*");
	UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
	source.registerCorsConfiguration("/**", configuration);
	return source;
}

We are using Spring Security, it is in our security configuration class, but it should work in any
class annotaded with @Configuration.

1 Like

Thanks a lot for sharing your code, it worked for me! Have a great day

Thanks!

See https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#cors !

For me your solution worked too, the same:

@Bean
public WebMvcConfigurer corsConfigurer() {
	return new WebMvcConfigurerAdapter() {
		@Override
		public void addCorsMappings(CorsRegistry registry) {
			registry.addMapping("/**")
					.allowedMethods("POST", "GET", "PUT", "DELETE", "HEAD")
					.allowedOrigins("*")
					.allowCredentials(false);
		}
	};
}

As described in https://spring.io/guides/gs/rest-service-cors/ -
section ‘Global CORS configuration’.

None of the above seemed to work for me, but finally got it working with:

    @Bean
    public FilterRegistrationBean processCorsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowCredentials(true);
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        source.registerCorsConfiguration("/**", config);

        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        bean.setOrder(0);
        return bean;
    }

Note that the Spring docs say to use method name corsFilter, but this results in an error:
Bean named 'corsFilter' is expected to be of type 'org.springframework.web.filter.CorsFilter'.
Renaming the method to processCorsFilter did the trick.

14 Likes

@pieter You are the one.

For me it also worked only with solution from @pieter.

I got it working using JerseyConfig. Based on this answer and Camunda docs, I put the following in ./config/JerseyConfig.java:

@Component
@ApplicationPath("/engine-rest")
public class JerseyConfig extends CamundaJerseyResourceConfig {

  public JerseyConfig() {
    register(CORSResponseFilter.class);
    //other registrations
  }
}

class CORSResponseFilter implements ContainerResponseFilter {
  public void filter(ContainerRequestContext  requestContext,ContainerResponseContext responseContext)
    throws IOException {

       MultivaluedMap<String, Object> headers = responseContext.getHeaders();

       headers.add("Access-Control-Allow-Origin", "*");
       //headers.add("Access-Control-Allow-Origin", "http://abcd.org"); //allows CORS requests only coming from abcd.org
       headers.add("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT");
       headers.add("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, X-Codingpedia");
   }
}