So I'm currently self-learning and building a full-stack project. I built my backend with Spring Boot and I am using session-based auth. The CORS config already has all of the possible accepted origins I tried, but I have one problem:
The backend runs on my Raspberry Pi as a Docker image on IP 192.168.x.x:8081, which works fine for testing with Postman, for example.
And when using Live Server or Live Preview in VS Code my login/register works fine, and after a successful login I'm redirected to my dashboard, where a GET request should be performed, but every time I get a 401 code.
When looking in DevTools, behind my SessionID there is a "!" with a long description saying that the cookie is from a cross-site origin and won't be accepted.
My question is:
Any chance I can get this working?
Because I was thinking that I might run everything on my laptop in Docker as well, but Docker still has a different "network", so it would still have the cross-site problem.
I hope I wrote everything as understandably as possible, because I'm just confused xD
If it helps, here is my security config:
package de.ExpenseTracker.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Session-based security: form login on /users/login, everything outside
 * /users/** requires an authenticated session (JSESSIONID cookie).
 */
@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // picks up the CorsConfigurationSource bean from CorsConfig
            .cors(Customizer.withDefaults())
            // CSRF protection is switched off for the whole API
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(auth -> auth
                // CORS preflight requests must pass without a session
                .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // registration and login are public
                .requestMatchers("/users/**").permitAll()
                .anyRequest().authenticated()
            )
            .formLogin(form -> form
                .loginProcessingUrl("/users/login")
                // plain status codes instead of redirects, since the client is a JS frontend
                .successHandler((req, res, auth) -> res.setStatus(200))
                .failureHandler((req, res, ex) -> res.sendError(401))
            )
            .exceptionHandling(e -> e
                // unauthenticated requests to protected URLs get 401 instead of a login-page redirect
                .authenticationEntryPoint((req, res, ex) -> res.sendError(401))
            )
            .logout(LogoutConfigurer::permitAll);
        return http.build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
and CORS config:
package de.ExpenseTracker.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import java.util.List;

/**
 * CORS rules for every path. Origins are listed explicitly because
 * allowCredentials(true) does not permit a "*" wildcard origin.
 */
@Configuration
public class CorsConfig {

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // origins the dev frontend is served from (Live Server / Live Preview / dev server)
        config.setAllowedOrigins(List.of(
            "http://127.0.0.1:3000",
            "http://localhost:3000",
            "http://192.168.178.44:3000",
            "http://127.0.0.1:5500",
            "http://192.168.178.31:5500"
        ));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
        config.setAllowedHeaders(List.of("*"));
        // needed so the browser is allowed to send/receive the session cookie cross-origin
        config.setAllowCredentials(true);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
as well as my dev.properties file:
# PostgreSQL datasource on the Pi
spring.datasource.url=jdbc:postgresql://192.168.x.x:5432/expensetracker_test
spring.datasource.username=e
spring.datasource.password=@
# let Hibernate update the schema on startup
spring.jpa.hibernate.ddl-auto=update
# SameSite=Lax: browsers do not attach this cookie to cross-site fetch/XHR requests
server.servlet.session.cookie.same-site=Lax
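For anyone who lands here with the same setup, here is an added example (my own code, not from the post or from Spring) that models the browser-side rules behind that "!" warning: a simplified version of Chromium's SameSite and credentialed-fetch behaviour, traced through the poster's scenario (page on http://127.0.0.1:5500, API on http://192.168.178.44:8081, SameSite=Lax session cookie) and the two ways out of it, SameSite=None; Secure over HTTPS, or serving frontend and API from one origin. The URLs, cookie attributes and allowed-origin list are constructed for the demo; the model ignores the Public Suffix List and Chromium's special treatment of http://localhost as a secure context, and the function names are mine.

```javascript
// Added example, not from the original post: a simplified model of Chromium's
// SameSite cookie rules and fetch() credential handling. Scenario data below
// (URLs, cookie attributes, allowed origins) are constructed to mirror the post.

// "Site" = scheme + registrable domain (schemeful same-site); the port is ignored.
// IP literals and single-label hosts such as "localhost" are their own site, so
// 127.0.0.1, localhost and 192.168.178.44 are three different sites.
function registrableDomain(host) {
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if (isIPv4 || !host.includes('.')) return host;
  return host.split('.').slice(-2).join('.'); // assumption: no multi-label public suffix
}

function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function isSameSite(pageUrl, requestUrl) {
  return siteOf(pageUrl) === siteOf(requestUrl);
}

// Does the browser store a Set-Cookie from the response to a request that the
// page at pageUrl made to responseUrl? Returns the rejection reason if not.
function cookieStored(cookie, pageUrl, responseUrl, topLevelNavigation = false) {
  const https = new URL(responseUrl).protocol === 'https:';
  const mode = cookie.sameSite || 'Lax'; // Chromium defaults unspecified SameSite to Lax
  if (cookie.secure && !https) return { stored: false, reason: 'Secure cookie over http' };
  if (mode === 'None' && !cookie.secure) return { stored: false, reason: 'SameSite=None requires Secure' };
  if (mode !== 'None' && !isSameSite(pageUrl, responseUrl) && !topLevelNavigation) {
    return { stored: false, reason: `SameSite=${mode} cookie from a cross-site response` };
  }
  return { stored: true, reason: 'ok' };
}

// Is an already stored cookie attached to a request from pageUrl to requestUrl?
function cookieSent(cookie, pageUrl, requestUrl, opts = {}) {
  const { method = 'GET', credentials = 'same-origin', topLevelNavigation = false } = opts;
  const sameOrigin = new URL(pageUrl).origin === new URL(requestUrl).origin;
  const https = new URL(requestUrl).protocol === 'https:';
  // fetch()/XHR only send cookies cross-origin when credentials: 'include' is set
  if (!sameOrigin && !topLevelNavigation && credentials !== 'include') return false;
  if (cookie.secure && !https) return false;
  const same = isSameSite(pageUrl, requestUrl);
  switch (cookie.sameSite || 'Lax') {
    case 'Strict': return same;
    case 'Lax': return same || (topLevelNavigation && (method === 'GET' || method === 'HEAD'));
    case 'None': return true;
    default: return false;
  }
}

// Server side: headers a credentialed cross-origin request needs. The origin must be
// echoed exactly; browsers reject "*" together with Access-Control-Allow-Credentials.
function corsHeaders(allowedOrigins, requestOrigin) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Login (cookie set by the response) followed by the dashboard GET (cookie required).
function trace(cookie, pageUrl, apiBase, fetchOpts) {
  const login = cookieStored(cookie, pageUrl, `${apiBase}/users/login`);
  const sent = login.stored && cookieSent(cookie, pageUrl, `${apiBase}/expenses`, fetchOpts);
  return { stored: login.stored, reason: login.reason, sent, status: sent ? 200 : 401 };
}

const ALLOWED = ['http://127.0.0.1:5500', 'https://127.0.0.1:5500', 'http://192.168.178.44:8081'];

// 1. As posted: Live Server page, API on the Pi, SameSite=Lax cookie, plain http.
function scenarioAsPosted() {
  return trace({ name: 'JSESSIONID', sameSite: 'Lax', secure: false },
    'http://127.0.0.1:5500/dashboard.html', 'http://192.168.178.44:8081', { credentials: 'include' });
}

// 2. SameSite=None; Secure: only works when both sides are served over https.
function scenarioSameSiteNone(scheme) {
  return trace({ name: 'JSESSIONID', sameSite: 'None', secure: true },
    `${scheme}://127.0.0.1:5500/dashboard.html`, `${scheme}://192.168.178.44:8081`, { credentials: 'include' });
}

// 3. Same origin: frontend served by the backend or by one reverse proxy, no CORS at all.
function scenarioSameOrigin() {
  return trace({ name: 'JSESSIONID', sameSite: 'Lax', secure: false },
    'http://192.168.178.44:8081/dashboard.html', 'http://192.168.178.44:8081', {});
}

console.log(scenarioAsPosted(), scenarioSameSiteNone('https'), scenarioSameSiteNone('http'), scenarioSameOrigin());
```

Running it with node shows the three outcomes side by side: scenario 1 never even stores the cookie (cross-site response, SameSite=Lax), so the dashboard GET is sent without a session and gets the 401; scenario 2 works over https but fails over http because Secure cookies are dropped on plain http; scenario 3 works with the existing Lax setting because page and API share an origin, which is the usual dev answer (a reverse proxy or a dev-server proxy in front of both). Note also that scenario 2 still needs `credentials: 'include'` on the fetch call and an exact-origin CORS response, as `corsHeaders` shows.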