Camunda CORS Filter in Spring Boot Application


i have a ReactJS Client that tries to send a POST Request to my Camunda Engine. Whenever i submit my form i get following error:

Failed to load http://localhost:8080/rest/process-definition/key/TestBuildPipeline/submit-form: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://localhost:3000’ is therefore not allowed access. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

I tried with this solution, adding this Method to my Application Class image

Then i got GET Requests to my Spring Boot Application to work. Still Camunda REST Engine is not working. After lot of research i didnt found any solution. Btw Postman does work.

I tried with the web.xml (like here) but i dont know where to put it… Right now i created the folder “src/main/webapp/WEB-INF” and put it there, but it doesnt seem to get processed. The other solution with the nginx proxy is way too much for my needs.

My Camunda Engine is running as a Spring Boot Application, i start it using Maven and i think Tomcat is deploying the server.

Someone know how to get the Problem fixed?

Did you get it working? I am facing the same issue as my own controllers are allowing CORS but the Camunda REST endpoints fail

Not yet i will post here if i find a solution. I use Chrome with Web Security disabled for now.

According to docs:

Two methods available:

  • set via Spring Common Application Properties: endpoints.cors.allowed-origins=*
  • set by extending CamundaJerseyResourceConfig and registering a CorsRegistry:
    protected void registerAdditionalResources() {
        CorsRegistry registry = new CorsRegistry();

I’ve tried both methods but can’t seem to get it working

1 Like

Try this configuration bean:

CorsConfigurationSource corsConfigurationSource() {
	CorsConfiguration configuration = new CorsConfiguration();
	UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
	source.registerCorsConfiguration("/**", configuration);
	return source;

We are using Spring Security, it is in our security configuration class, but it should work in any
class annotaded with @Configuration.

1 Like

Thanks a lot for sharing your code, it worked for me! Have a great day


See !

For me your solution worked too, the same:

public WebMvcConfigurer corsConfigurer() {
	return new WebMvcConfigurerAdapter() {
		public void addCorsMappings(CorsRegistry registry) {
					.allowedMethods("POST", "GET", "PUT", "DELETE", "HEAD")

As described in -
section ‘Global CORS configuration’.

None of the above seemed to work for me, but finally got it working with:

    public FilterRegistrationBean processCorsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        source.registerCorsConfiguration("/**", config);

        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        return bean;

Note that the Spring docs say to use method name corsFilter, but this results in an error:
Bean named 'corsFilter' is expected to be of type 'org.springframework.web.filter.CorsFilter'.
Renaming the method to processCorsFilter did the trick.


@pieter You are the one.

For me it also worked only with solution from @pieter.

I got it working using JerseyConfig. Based on this answer and Camunda docs, I put the following in ./config/

public class JerseyConfig extends CamundaJerseyResourceConfig {

  public JerseyConfig() {
    //other registrations

class CORSResponseFilter implements ContainerResponseFilter {
  public void filter(ContainerRequestContext  requestContext,ContainerResponseContext responseContext)
    throws IOException {

       MultivaluedMap<String, Object> headers = responseContext.getHeaders();

       headers.add("Access-Control-Allow-Origin", "*");
       //headers.add("Access-Control-Allow-Origin", ""); //allows CORS requests only coming from
       headers.add("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT");
       headers.add("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, X-Codingpedia");