
I have created two APIs in my Spring MVC project which have identical structure. But while calling using Postman or while hitting the APIs in the browser/UI project, one is working without any credential or cookie [SessionId] but another one is not working. Please help. Thanks in advance.

Code of the API which is not working without session/credentials:

    @CrossOrigin(origins = "http://123.123.151.123:4201")
    @RequestMapping(value = "/troubleshootingHitRate",method = RequestMethod.GET)
    public ResponseEntity<Map<String, Object>> troubleshootingHitRate(@RequestParam String fromDate,
            @RequestParam String toDate) {

        System.out.println("=== Controller::" + " " + "FromDate::" + fromDate + " " + "ToDate::" + toDate);

        Map<String, Object> failureReport = ssaService.hitRateWithComparison(fromDate, toDate, "failure");
        HttpHeaders headers = new HttpHeaders();
        headers.add("CustomHeader", "Custom-Header");
        return new ResponseEntity<>(failureReport, headers, HttpStatus.OK);
    }

Code of the API which is working without session/credentials:

    public String report(@PathVariable("envid") int envid, Model model) {
        String report_path = reportPath;
        // System.out.println("Teating"+ report_path);

        report_path = report_path.replace("////", "\\\\\\\\");

        report_path = report_path.replace("/", "\\\\");
        // System.out.println("Teating08"+ report_path);

        List<Result> result = ssaService.getReport(envid + "");
        model.addAttribute("reportPaths", report_path);
        model.addAttribute("report", result);
        model.addAttribute("envid", envid);
        return "report";
    }

Configuration Details:

    public UrlBasedCorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("http://123.123.151.123:4201")); // Allow all origins or specify your front-end URL
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(Arrays.asList("*"));
        configuration.setAllowCredentials(false); // set true if using cookies/auth
        configuration.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

  • What is your security configuration? Add the security configuration to your question. Commented Aug 8 at 8:46
  • What is the IP address you are calling from? That clause @CrossOrigin(origins = "http://123.123.151.123:4201") seems to be the most obvious difference between the two methods. Commented Aug 8 at 8:50
  • @seenukarthi Here is the configuration details below. I have tried to call after commenting this configuration as well. public UrlBasedCorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration = new CorsConfiguration(); configuration.setAllowedOrigins(Arrays.asList("123.123.151.123:4201")); configuration.setAllowedMethods(Arrays.asList("GET")); configuration.setAllowedHeaders(Arrays.asList("*")); configuration.setAllowCredentials(false); Commented Aug 8 at 8:54
  • 2nd Part - configuration.setMaxAge(3600L); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", configuration); return source; } Commented Aug 8 at 8:54
  • @Stewart I have added that to allow cross origin access for that specific API. I don't think that has anything to do in this case. Commented Aug 8 at 8:57

1 Answer

In your API Gateway or Spring Security, whatever you are using, you need to mark the API unauthenticated, which means allow this API to be accessible without credentials or token.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
        .antMatchers("/troubleshootingHitRate").permitAll() // Public access
        .anyRequest().authenticated();
}

2 Comments

Still facing the same problem.
I have figured out the problem. The solution is similar to your solution. Thanks @Sajjad
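
An added example, not part of the question or the answer above: a Spring Security configuration that combines the question's CORS settings with the answer's `permitAll()` rule, narrowed to GET so that only the one read-only call is anonymous. It assumes Spring Security 5.x (`WebSecurityConfigurerAdapter`, as in the answer); the class name `SecurityConfig` is hypothetical, and whatever login mechanism the project already uses would stay alongside these rules.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical class name; assumes Spring Security 5.x as in the answer.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Handle CORS inside the security filter chain (uses the bean below),
            // so preflight OPTIONS requests are answered before authorization runs.
            .cors().and()
            .authorizeRequests()
                // Anonymous access for GET on this one path only.
                .antMatchers(HttpMethod.GET, "/troubleshootingHitRate").permitAll()
                // Everything else still needs the session/credentials.
                .anyRequest().authenticated();
    }

    // CORS decides which origins may read a response; it never exempts a request from authentication.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("http://123.123.151.123:4201"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(Arrays.asList("*"));
        configuration.setAllowCredentials(false); // the public endpoint needs no cookies
        configuration.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}
```

With this in place, a request to `/troubleshootingHitRate` from Postman succeeds without a session cookie, while any path not listed under `permitAll()` keeps requiring authentication.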