1

I have an authenticate API on springboot server. When I call the API from POSTMAN, the userDetails object is not null and I get success on client side. However when I do from reactJS userDetails object is null and server returns 500 with msg Response for preflight does not have HTTP ok status.

Could someone help me explain why its successful in POSTMAN and not in javascript?

Code in ReactJS 

var data = {
        "password":"password",
        "username":"uname"
 }

fetch("https://ipaddress:port/module/authenticate", {  
    method: "POST",  
    headers: {  
      "Content-Type": "application/json"
    },  
    body: JSON.stringify(data)  
 }).then(response => {  
...  
    })
    .catch((e) => {  
...  
    })

Code in springboot

@PostMapping(value = "/module/authenticate ")  
@ResponseBody  
public ResponseEntity<String> authenticate(@RequestAttribute UserDetails userDetails) throws Exception {  
...  
}

public class UserDetails {

// The username for the logging in user.
private String username;
// The password for the user.
private String password;

public String getUsername() {
    return username;
}

public void setUsername(String username) {
    this.username = username;
}

public String getPassword() {
    return password;
}

public void setPassword(String password) {
    this.password = password;
}

}

Found Reason for POST man not failing
Post man doesn't do an OPTIONS call before the POST API hence, it'll not fail. However the fetch call does OPTIONS check first for cors access, and it needs to be handled by spring security. Reference: Why is an OPTIONS request sent and can I disable it?

A work around could be to set content type as plain/text

arjun
  • 61
  • 1
  • 3
  • show `UserDetails` class – user7294900 Oct 08 '18 at 11:17
  • How is the request attribute added to the request. There must be some filter doing the parsing of the request and place. Unless you want to use binding then you should be using `@RequestBody` instead of `@RequestAttribtue`. – M. Deinum Oct 08 '18 at 11:21
  • Use `@RequestBody` and object name from react must be `userDetails` instead of data. – Sumesh TG Oct 08 '18 at 11:22
  • I need to use `@RequestAttribute` instead of `@RequestBody` else spring-security filter will fail. – arjun Oct 08 '18 at 11:35
  • Why on earth would the Spring Security filter fail if you change the, downstream, controller. That doesn't make sense... Also my guess is that you simply used the wrong `UserDetails` in the controller, the one from Spring Security instead of your own. Also if you use Spring Security why are you trying to work around it (at least that what it appears to be). – M. Deinum Oct 08 '18 at 11:47
  • Possible duplicate of [CORS issue - No 'Access-Control-Allow-Origin' header is present on the requested resource](https://stackoverflow.com/questions/42016126/cors-issue-no-access-control-allow-origin-header-is-present-on-the-requested) – dur Oct 08 '18 at 17:18
  • I'm glad you found a solution to your problem. You should create your own Answer with the code you used to solve your problem, then accept it (the system may require a 48 hour delay prior to accepting your own answer). When you have solved the problem yourself, [answering your own question is encouraged](//stackoverflow.com/help/self-answer). However, be sure your question contains enough information so that it's possible for anyone to be able to determine your answer actually is the solution (i.e. not just because you say it is). – Makyen Oct 09 '18 at 23:28
  • the issue looks more to be more related to usage of APIs and OAuth2.0 implementation. There'll be an API exposed which accepts the `@RequestBody` and this controller shall call another backend controller and pass on `@RequestAttribute`. Will post if this works. – arjun Oct 13 '18 at 11:38

1 Answers1

0

There is no need for workaround to handle pre-flight request

configure it correctly in your spring security

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AppSecurityAdapter extends WebSecurityConfigurerAdapter {

//... other configuration here

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
            .antMatchers(HttpMethod.OPTIONS, "/**")
ValerioMC
  • 2,261
  • 9
  • 16
  • I did the same taking reference from https://stackoverflow.com/questions/52181131/spring-boot-response-for-preflight-does-not-have-http-ok-status – arjun Oct 08 '18 at 12:20
  • `configure(HttpSecurity http)` is different from `configure(WebSecurity web)` – ValerioMC Oct 08 '18 at 12:28