Regression: DefaultCorsProcessor ignores already present Access-Control-Allow-Origin header [SPR-14406] #18977

Closed
spring-projects-issues opened this issue Jun 27, 2016 · 3 comments
@spring-projects-issues spring-projects-issues commented Jun 27, 2016

Jean-Charles Eloi opened SPR-14406 and commented

Hello,

My application is a Spring Boot 1.4.0.M3 application exposing Spring MVC REST services.

Since the update to 1.4.0.M3, I experience problems with the CORS behaviour, which was until then totally managed by a custom filter.

Spring Boot 1.4.0.M3's web starter pulls spring-web 4.3.0.RC2.

The problem is that along with my Access-Control-Allow-Origin: * response header was also being returned an Access-Control-Allow-Origin: [content of the Origin: header in the request]. The duplicate header was not really appreciated by the browser.

I traced the problem to the DefaultCorsProcessor and found that:

  • Given an HttpServletResponse already containing CORS headers, the processor should do nothing, as per this section:

```java
if (responseHasCors(serverResponse)) {
    logger.debug("Skip CORS processing: response already contains \"Access-Control-Allow-Origin\" header");
    return true;
}
```

The problem is that just above that,

```java
ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
```

does not preserve the initial response's headers, cf. the constructor:

in org.springframework.http.server.ServletServerHttpResponse

```java
public ServletServerHttpResponse(HttpServletResponse servletResponse) {
    Assert.notNull(servletResponse, "HttpServletResponse must not be null");
    this.servletResponse = servletResponse;
    this.headers = (servlet3Present ? new ServletResponseHttpHeaders() : new HttpHeaders());
}
```

The headers returned by this constructor are always empty, resulting in responseHasCors(serverResponse) always returning false, and eventually this leads to the CORS header duplication.

Am I missing something, because as is, this really seems broken?

Best regards


Affects: 4.3 GA

Issue Links:

  • #18797 Consistent handling of multi-valued headers in HttpHeaders

Referenced from: commits 15c96b8


@spring-projects-issues spring-projects-issues commented Jun 27, 2016

Juergen Hoeller commented

This seems to be an issue with inconsistent overriding in ServletResponseHttpHeaders, after a refactoring in HttpHeaders itself (#18797). We'll fix this for 4.3.1.


@spring-projects-issues spring-projects-issues commented Jun 27, 2016

Juergen Hoeller commented

This should be fixed now. Please give the upcoming 4.3.1.BUILD-SNAPSHOT a try...


@spring-projects-issues spring-projects-issues commented Jun 27, 2016

Jean-Charles Eloi commented

Thanks, I'll try that soon!

Edit: tested just now against 4.3.1.BUILD-SNAPSHOT and it does work as expected
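
A regression check for the behaviour discussed in this thread, as an added example that is not code from the issue or from Spring Framework: it runs `DefaultCorsProcessor` over a response that already carries `Access-Control-Allow-Origin` and fails if more than one value ends up on it. It assumes spring-web, spring-test and the Servlet API are on the classpath; the class name, request path and origin are constructed for illustration.

```java
import java.util.List;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.DefaultCorsProcessor;

// Added example, not Spring's own test. Assumes spring-web, spring-test and the
// Servlet API are on the classpath; origin and path are constructed values.
public class PresetCorsHeaderCheck {

    static final String ALLOW_ORIGIN = "Access-Control-Allow-Origin";

    // Runs DefaultCorsProcessor over a response that already carries the header,
    // as an upstream custom filter would leave it, and returns the values that
    // end up on the response.
    static List<String> allowOriginValuesAfterProcessing() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/api/items");
        request.addHeader("Origin", "https://app.example.test"); // makes it a CORS request

        MockHttpServletResponse response = new MockHttpServletResponse();
        response.addHeader(ALLOW_ORIGIN, "*"); // set before Spring's CORS processing

        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("*");

        new DefaultCorsProcessor().processRequest(config, request, response);
        return response.getHeaders(ALLOW_ORIGIN);
    }

    public static void main(String[] args) throws Exception {
        List<String> values = allowOriginValuesAfterProcessing();
        // When the processor honours the existing header, exactly one value remains.
        // The behaviour reported in this issue leaves two values on the response.
        if (values.size() != 1) {
            throw new IllegalStateException("Duplicate " + ALLOW_ORIGIN + ": " + values);
        }
        System.out.println(ALLOW_ORIGIN + " = " + values);
    }
}
```

Browsers reject a response with more than one `Access-Control-Allow-Origin` value, so a check like this is worth keeping wherever a custom filter and framework CORS handling can both touch the same response.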
