Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

improve logging of DefaultCorsProcessor for rejected headers [SPR-15708] #20265

Closed
spring-issuemaster opened this issue Jun 27, 2017 · 2 comments

Comments

Projects
None yet
2 participants
@spring-issuemaster
Copy link
Collaborator

commented Jun 27, 2017

shorn tolley opened SPR-15708 and commented

The DefaultCorsProcessor rejects quietly when various conditions aren't met. This leads to confusion when trying to set up CORS handling with spring web/security.

In my situation, I didn't have the correct "allowedHeaders" configuration for a pre-flight request.
This lead to me thinking the eventual "403" error had something to do with my authentication and authorization chain.

It would be helpful if this piece of code were refactored slightly to add a debug/trace message to tell the developer the fact that the request is being rejected because of a CORS issue (and why).

This is important because people often do auth + CORS at the same time - especially when implementation a Single-Page-Application. They'll hit CORS issues straight away when they start developing and the CORS config problems tend to get confused with auth config problems.

I'd be happy to submit a pull request if you think this functionality would be good to have.


Affects: 4.3.7, 4.3.8, 4.3.9, 5.0 GA

Reference URL: https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java#L130

Referenced from: commits 9901c38

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Jun 27, 2017

Sébastien Deleuze commented

Indeed, debug level logging could really help to debug such use case. Feel free to submit a pull request, if possible for both Spring MVC and Spring WebFlux (very similar classes, you will just have to duplicate the code).

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Jun 28, 2017

shorn tolley commented

PR 1466 submitted.
#1466

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.