pagekit / vue-resource

The HTTP client for Vue.js
MIT License
10.09k stars 1.6k forks source link

Method DELETE is not allowed by Access-Control-Allow-Methods in preflight response. #691

Open HalgoBZZ opened 6 years ago

HalgoBZZ commented 6 years ago

hello it's very urgent please if someone can help me I have a problem of consumption of a java web service type DELETE. I do not know what the problem is exactly. I used the JWT and spring security to secure my application spring boot side back (java) and when I try to call a service type GET or POST it works well but when I call a service DELETE it makes me "DELETE Method is not allowed by Access Control-Allow-Methods in preflight response."

the error: Failed to load http://localhost:8080/releveurs/delete/5: Method DELETE is not allowed by Access-Control-Allow-Methods in preflight response. core.js:1448 ERROR

response: Request URL: http://localhost:8080/releveurs/delete/5 Request Method: OPTIONS Status Code: 200 Remote Address: [::1]:8080 Referrer Policy: no-referrer-when-downgrade Access-Control-Allow-Headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Methods, Access-Control-Request-Headers,Authorization Access-Control-Allow-Origin: Access-Control-Expose-Headers: Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Authorization Cache-Control: no-cache, no-store, max-age=0, must-revalidate Content-Length: 0 Date: Thu, 10 May 2018 14:02:16 GMT Expires: 0 Pragma: no-cache X-Content-Type-Options: nosniff X-Frame-Options: DENY X-XSS-Protection: 1; mode=block Accept: /* Accept-Encoding: gzip, deflate, br Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,nl;q=0.6 Access-Control-Request-Headers: authorization,content-type Access-Control-Request-Method: DELETE Connection: keep-alive Host: localhost:8080 Origin: http://localhost:4200 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

my JWT configuration: ``


import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{
    @Autowired
    private UserDetailsService userDetailsService;
    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;
    @Override
    protected void configure(AuthenticationManagerBuilder auth)throws Exception{
        auth.userDetailsService(userDetailsService)
        .passwordEncoder(bCryptPasswordEncoder);
    }   
    @Override
    protected void configure(HttpSecurity http)throws Exception{
        http.cors().and().csrf().disable().authorizeRequests();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.authorizeRequests().antMatchers("/login/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.DELETE,"/**").permitAll();
        //http.authorizeRequests().antMatchers(HttpMethod.OPTIONS,"/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST,"/comptes/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.GET,"/comptes/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST,"/responsables/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.GET,"/responsables/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.DELETE,"/responsables/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.DELETE,"/releveurs/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.GET,"/releveurs/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST,"/releveurs/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST,"/planifications/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.GET,"/planifications/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.DELETE,"/planifications/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.GET,"/secteurs/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST,"/secteurs/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.GET,"/tournees/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST,"/tournees/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.GET,"/releves/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST,"/releves/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.GET,"/operations/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST,"/operations/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.DELETE,"/operations/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.GET,"/pdls/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST,"/pdls/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.GET,"/vocabulaires/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST,"/vocabulaires/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.GET,"/words/**").permitAll();
        http.authorizeRequests().antMatchers(HttpMethod.POST,"/words/**").permitAll();
        http.authorizeRequests().anyRequest().authenticated();
        http.addFilter(new JWTAuthenticationFilter(authenticationManager()));
        http.addFilterBefore(new JWTAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);
    }
     @Bean
      CorsConfigurationSource corsConfigurationSource() {
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/*", new CorsConfiguration().applyPermitDefaultValues());
        return source;
      }
}
fridgerator commented 6 years ago

Sounds like you need to add DELETE to your CORS middleware accepted methods?

I've never used Java, so I don't know the solution. However this is how I would solve in another language / framework