CORS Origin Spring Boot Jhipster - pre-flight fail

I am using jhipster v2.27.2 I have enabled cors by uncommenting the lines in the application.yml

    corePoolSize: 2
    maxPoolSize: 50
    queueCapacity: 10000

cors: #By default CORS are not enabled. Uncomment to enable.
    allowed-origins: "*"
    allowed-methods: GET, PUT, POST, DELETE, OPTIONS
    allowed-headers: "*"
    allow-credentials: true
    max-age: 1800

In the "WebConfigurer"

    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = props.getCors();
        if (config.getAllowedOrigins() != null && !config.getAllowedOrigins().isEmpty()) {
            source.registerCorsConfiguration("/api/**", config);
            source.registerCorsConfiguration("/v2/api-docs", config);
            source.registerCorsConfiguration("/oauth/**", config);
        return new CorsFilter(source);

But still when I request for the access token, I see this error

http://localhost:8080/oauth/token?username=admin&password=admin&grant_type=password&scope=read. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9090' is therefore not allowed access. The response had HTTP status code 401.


Looks like in the default SecurityConfiguration, its not skipping security check for OPTIONS.

Try adding the following antMatcher to the protected void configure(HttpSecurity http) method in

.antMatchers(org.springframework.http.HttpMethod.OPTIONS, "/api/**").permitAll()


sometimes this issue will come if you forget to register cors on specified URLs.In WebConfigurer look for corsFilter and and add these line

 log.debug("Registering CORS filter");
        source.registerCorsConfiguration("/api/**", config);


Another option in the Instead of using antMatcher within the configure(HttpSecurity) override, is to add it within the configure(WebSecurity) override...

public void configure(WebSecurity web) throws Exception {
        .antMatchers(HttpMethod.OPTIONS, "/**")