Make Apache Shiro work properly with CORS requests.

Today I bumped into a problem: resources protected by Shiro won’t be accessible for CORS requests, even with correct authentication headers.

For CORS requests, the OPTIONS pre-flight request will be regarded as unauthenticated by Apache Shiro since the browser won’t add custom headers to the OPTIONS request. In my case, the OPTIONS request returned 302, attempting to redirect to the login page.

To solve this problem, I overrode the AuthenticatingFilter’s isAccessAllowed method to make it always return true when the request’s method is OPTIONS.

If you are using Shiro’s permission control filter, you need to override PermissionsAuthorizationFilter.

After these filters have been overridden, they should be declared as the running implementation in Shiro’s config file.
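The override described above could look like the following. This is an added example, not the post author's code: it assumes the concrete filter in use is FormAuthenticationFilter (a subclass of AuthenticatingFilter) on the javax.servlet API, and the package and class names are hypothetical. It is also stricter than the post's description, letting an OPTIONS request through only when it carries the Origin and Access-Control-Request-Method headers that a browser sends on every CORS pre-flight.

```java
package example; // hypothetical package name

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Added example: lets CORS pre-flight requests pass Shiro's authentication
 * check so they are not answered with a 302 to the login page.
 * Assumption: FormAuthenticationFilter is the filter configured as "authc".
 */
public class CorsPreflightFormAuthenticationFilter extends FormAuthenticationFilter {

    /**
     * True only for a CORS pre-flight: an OPTIONS request that carries both
     * headers a browser always attaches to a pre-flight. A plain OPTIONS
     * request without them is treated like any other request.
     */
    public static boolean isCorsPreflight(ServletRequest request) {
        if (!(request instanceof HttpServletRequest)) {
            return false;
        }
        HttpServletRequest http = WebUtils.toHttp(request);
        return "OPTIONS".equals(http.getMethod())
                && http.getHeader("Origin") != null
                && http.getHeader("Access-Control-Request-Method") != null;
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request,
                                      ServletResponse response,
                                      Object mappedValue) {
        // The pre-flight carries no credentials, so it is allowed through for
        // the CORS layer to answer. The actual cross-origin request that
        // follows still goes through Shiro's normal authentication check.
        return isCorsPreflight(request)
                || super.isAccessAllowed(request, response, mappedValue);
    }
}
```

A PermissionsAuthorizationFilter subclass can override its own isAccessAllowed in the same way and reuse isCorsPreflight.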

That is how I get things to work. Hope it helps whoever is suffering from the same problem.

One thought on “Make Apache Shiro work properly with CORS requests.”

  1. thanks
    for sake of completion, shiro.ini:

    perms = com..CORSPermissionAuthorizationFilter

    authc = com..CORSAuthenticationFilter
