SpringBoot 2 Migration Issue with CORS support #12488

Closed
pluttrell opened this issue Mar 15, 2018 · 6 comments
Labels
for: external-project For an external project and not something we can fix for: stackoverflow A question that's better suited to stackoverflow.com status: invalid An issue that we don't feel is valid

Comments

@pluttrell

Using SpringBoot 1.5.9 with this controller and configuration, CORS requests are allowed (work fine):

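```java
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@CrossOrigin
@RestController
public class SampleController {
  @GetMapping(path = "mypath")
  public String something() {
      return "foobar";
  }
}
```

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/**").permitAll();
  }
}
```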

However, when I migrated to SpringBoot v2.0.0, with the same controller and configuration, I now get errors in the latest version of Chrome for the same previously working requests:

```
Failed to load https://gateway.mydomain.com/mypath: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'https://spa.mydomain.com' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
```

Per this possibly dated StackOverflow answer, I've tried using this updated configuration, but that still does not work:

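```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
        .cors()
        .and()
        .csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/**").permitAll();
  }

  @Bean
  CorsConfigurationSource corsConfigurationSource() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
    return source;
  }

}
```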

How do we get the same CORS functionality possible out of the box with SpringBoot 1.5.9 in SpringBoot 2?

Is there a better way to resolve this without specifying the origin domain?

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 15, 2018
@wilkinsona
Member

This is due to the change made in Spring Framework for SPR-16130. allowCredentials now defaults to false which affects this logic in CorsConfiguration:

```java
if (this.allowedOrigins.contains(ALL)) {
	if (this.allowCredentials != Boolean.TRUE) {
		return ALL;
	}
	else {
		return requestOrigin;
	}
}
```

You can restore the behaviour of Spring Framework 4.3 and Spring Boot 1.5 by changing your @CrossOrigin annotation:

```java
@CrossOrigin(allowCredentials="true")
```

/cc @sdeleuze

@wilkinsona wilkinsona added status: invalid An issue that we don't feel is valid for: stackoverflow A question that's better suited to stackoverflow.com for: external-project For an external project and not something we can fix and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 15, 2018
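
The interaction described in the comment above, modelled end to end as an added example (not part of the issue thread, and not Spring Framework or browser source). The function names, the three configuration names and the origin `https://other.example` are constructed for illustration; the allowlist branch of `checkOrigin` is an assumption of this model. It shows that the wildcard with `allowCredentials` set echoes back whichever origin made the request, while an explicit allowlist accepts only the named origin.

```javascript
// Added illustration: simplified model of server header choice + browser check.
const ALL = "*";

// Server side: value chosen for Access-Control-Allow-Origin.
// The wildcard branch follows the CorsConfiguration excerpt quoted above;
// the allowlist branch (case-insensitive match) is an assumption of this model.
function checkOrigin(config, requestOrigin) {
  if (!requestOrigin || config.allowedOrigins.length === 0) return null;
  if (config.allowedOrigins.includes(ALL)) {
    return config.allowCredentials === true ? requestOrigin : ALL;
  }
  const hit = config.allowedOrigins.some(
    (o) => o.toLowerCase() === requestOrigin.toLowerCase());
  return hit ? requestOrigin : null;
}

// Response headers a server with this config would send for the request.
function corsHeaders(config, requestOrigin) {
  const allowOrigin = checkOrigin(config, requestOrigin);
  if (allowOrigin === null) return {};
  const headers = { "Access-Control-Allow-Origin": allowOrigin };
  if (config.allowCredentials === true) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: may script on `origin` read a response to a request sent
// with credentials mode 'include' (XMLHttpRequest withCredentials = true)?
function browserAllowsCredentialedRead(headers, origin) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined || acao === ALL) return false; // the Chrome error above
  return acao === origin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed configurations (names are hypothetical).
const configs = {
  boot2Default: { allowedOrigins: [ALL], allowCredentials: false },
  restored15: { allowedOrigins: [ALL], allowCredentials: true },
  allowlist: { allowedOrigins: ["https://spa.mydomain.com"], allowCredentials: true },
};

function outcome(name, origin) {
  const headers = corsHeaders(configs[name], origin);
  return browserAllowsCredentialedRead(headers, origin);
}

for (const name of Object.keys(configs)) {
  for (const origin of ["https://spa.mydomain.com", "https://other.example"]) {
    console.log(name, origin, outcome(name, origin));
  }
}
```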
@pluttrell
Author

@wilkinsona Many thanks for the insight. Since it’s a change to the default, it might be a good addition to the migration guide.

@wilkinsona
Member

Thanks for the suggestion. If it's mentioned anywhere, I think it should probably go in Spring Framework's upgrade documentation. What do you think, @sdeleuze?

@sdeleuze
Contributor

Good idea, I have added a CORS support section in Spring Framework 5 upgrade documentation.

@wilkinsona
Member

Thanks, @sdeleuze. I've also added a link in Boot's migration guide to Framework's upgrade documentation.

@dyunusemre

@wilkinsona you saved my day, thanks a lot
