4.x CORS SE example does not reply with correct CORS results #8024

Closed
tjquinno opened this issue Nov 17, 2023 · 0 comments · Fixed by #8038
Labels
4.x Version 4.x bug Something isn't working cors Related to CORS support

Comments

tjquinno commented Nov 17, 2023

Environment Details

  • Helidon Version: 4.0.0
  • Helidon SE or Helidon MP: SE
  • JDK version:
  • OS:
  • Docker version (if applicable):

Problem Description

The SE CORS example app does not respond properly when an unapproved origin is passed. This might be a symptom of general CORS issues rather than specifically with the example. Or maybe it's the example.

Sending a CORS preflight request with an unapproved origin should return a 403 - Forbidden. Instead the request is accepted and processed.

Steps to reproduce

  1. Build and start the 4.0 SE CORS example. The application.yaml includes these settings:
    restrictive-cors:
      allow-origins: ["http://foo.com", "http://there.com"]
      allow-methods: ["PUT", "DELETE"]
    
  2. In another window run the following command:
    curl -i -X OPTIONS \
     -H "Access-Control-Request-Method: PUT" \
     -H "Origin: http://bad.com" \
     -H "Host: here.com" \
     http://localhost:8080/greet/greeting
    
  3. The response is:
    HTTP/1.1 200 OK
    Date: Fri, 17 Nov 2023 10:19:58 -0600
    Access-Control-Allow-Methods: PUT
    Access-Control-Allow-Origin: http://bad.com
    Access-Control-Max-Age: 3600
    Connection: keep-alive
    Content-Length: 0
    
    which indicates that CORS has accepted the origin http://bad.com but it should be rejected because the configuration should allow only origins http://foo.com and http://there.com.

Do the same sequence but with the 3.x SE CORS example and the response is this:

HTTP/1.1 403 CORS origin is not in allowed list
Date: Fri, 17 Nov 2023 10:12:24 -0600
connection: keep-alive
content-length: 0
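For reference, here is the decision the example's restrictive-cors settings are expected to produce, written out as an added Python illustration. It is not Helidon's implementation and not code from the issue: the config dict, the Reply type and the helper names are assumptions made for this example, and the reason strings only echo the text of the 3.x response shown above. Beyond the single curl request in the report it also covers an allowed origin, a disallowed method and a plain OPTIONS request with no Origin header.

```python
"""Reference preflight decision for a CORS allow-list like the one in the
issue's application.yaml.  Added illustration, not Helidon's code."""

from dataclasses import dataclass

# Constructed to mirror the issue's restrictive-cors settings.
RESTRICTIVE_CORS = {
    "allow-origins": ["http://foo.com", "http://there.com"],
    "allow-methods": ["PUT", "DELETE"],
    "max-age": 3600,
}


@dataclass
class Reply:
    status: int
    reason: str
    headers: dict


def preflight(config: dict, request_headers: dict) -> Reply:
    """Decide a CORS preflight (OPTIONS + Origin + Access-Control-Request-Method).

    Returns 403 for an origin or method outside the allow-list, and emits the
    Access-Control-* headers only when both checks pass.
    """
    # Header names are case-insensitive; normalise before lookup.
    h = {name.lower(): value for name, value in request_headers.items()}
    origin = h.get("origin")
    requested_method = h.get("access-control-request-method")

    if origin is None or requested_method is None:
        # Not a preflight; a plain OPTIONS request is passed through untouched.
        return Reply(200, "OK", {})

    # Compare the full origin (scheme + host [+ port]) against the allow-list.
    # Echoing an unlisted origin back in Access-Control-Allow-Origin, as the
    # 4.0.0 response in the issue does, makes the allow-list meaningless.
    if origin not in config["allow-origins"]:
        return Reply(403, "CORS origin is not in allowed list", {})

    allowed_methods = {m.upper() for m in config["allow-methods"]}
    if requested_method.upper() not in allowed_methods:
        return Reply(403, "CORS method is not in allowed list", {})

    return Reply(200, "OK", {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": requested_method.upper(),
        "Access-Control-Max-Age": str(config.get("max-age", 3600)),
        # Origin-specific replies must not be served from cache to another origin.
        "Vary": "Origin",
    })


def issue_request(origin: str, method: str = "PUT") -> dict:
    """The headers the issue's curl command sends (constructed here)."""
    return {
        "Access-Control-Request-Method": method,
        "Origin": origin,
        "Host": "here.com",
    }


if __name__ == "__main__":
    cases = [("http://bad.com", "PUT"), ("http://foo.com", "PUT"), ("http://foo.com", "GET")]
    for origin, method in cases:
        r = preflight(RESTRICTIVE_CORS, issue_request(origin, method))
        print(f"{origin} {method}: HTTP/1.1 {r.status} {r.reason} {r.headers}")
```

Run as-is, the first case is the issue's curl request and yields the 403 the 3.x example returns; the second yields a 200 carrying Access-Control-Allow-Origin: http://foo.com; the third is rejected because GET is not in allow-methods. The Vary: Origin header is not in either response quoted in the issue and is included only as the usual companion of an origin-specific reply.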