Next.js with Spring Boot OAUTH2 JWT: calls API from localhost:3000 with OPTIONS with no Bearer causing 401

We have implemented the Next.js Auth0 quickstart and modified it to call our AWS EBS hosted REST API. Next.js is issuing an OPTIONS call before the GET without a Bearer token. Spring Boot is authenticating with .oauth2ResourceServer but the BearerTokenAuthenticationFilter is rejecting the OPTIONS before the CORS filter can allow it.


  • Do I need to write a Filter to go before the BearerTokenAuthenticationFilter and what would I do in it?
  • Is there a way to have OPTIONS NOT go through regular JWT authentication before the CORS filter is applied?

My SecurityConfig:

/**
 * Configures our application with Spring Security to restrict access to our API endpoints.
 */
public class SecurityConfig {
    static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);

    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        /*
        This is where we configure the security required for our endpoints and setup our app to serve as
        an OAuth2 Resource Server, using JWT validation.
        */
        String username = "";
        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

        if (principal instanceof UserDetails) {
            username = ((UserDetails)principal).getUsername();
        } else {
            username = principal.toString();
        }
        logger.info("\n\nUser Name: {}\n\n", username);
        return http
                .authorizeRequests((authorize) -> authorize
                .cors(cors -> cors.configurationSource(request -> {
                    CorsConfiguration configuration = new CorsConfiguration();
                    configuration.setAllowedMethods(Arrays.asList("GET, POST, OPTIONS"));
                    return configuration;
                .oauth2ResourceServer(oauth2 -> oauth2

The log output for the DefaultSecurityFilterChain is:

2024-04-16T20:34:04.327-04:00  INFO 23388 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [,,,,,,,,,,,]
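
One way to have the preflight answered before any JWT check, shown as an added example that is not part of the original post: register a CorsConfigurationSource bean and enable .cors(), so that Spring Security's CorsFilter, which sits ahead of BearerTokenAuthenticationFilter in the chain, replies to the OPTIONS request itself. It assumes Spring Security 6.x, a JwtDecoder auto-configured from spring.security.oauth2.resourceserver.jwt.issuer-uri, and the origin http://localhost:3000 taken from the title; the class name is hypothetical.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical class name; added example, not the poster's code.
@Configuration
@EnableWebSecurity
public class PreflightAwareSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Installs CorsFilter using the corsConfigurationSource bean below.
            // A valid preflight is answered here and never reaches the bearer
            // token filter or the authorization rules.
            .cors(Customizer.withDefaults())
            // Every non-preflight request still needs a valid JWT.
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            // Assumes the issuer-uri property is set so Boot supplies a JwtDecoder.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        // Allow only the front-end origin (assumed from the title); no wildcard.
        configuration.setAllowedOrigins(List.of("http://localhost:3000"));
        // Each method is its own list element.
        configuration.setAllowedMethods(List.of("GET", "POST", "OPTIONS"));
        // The browser asks permission to send Authorization in the preflight,
        // so it has to be listed or the real GET is never issued.
        configuration.setAllowedHeaders(List.of("Authorization", "Content-Type"));

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}
```

With this in place the authorization rules need no blanket permitAll() for OPTIONS, so requests that are not genuine CORS preflights from the allowed origin remain subject to JWT validation.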