
Access-Control-Allow-Origin header returns wrong value using SockJS [SPR-16304] #20851

Closed
spring-issuemaster opened this issue Dec 15, 2017 · 0 comments

commented Dec 15, 2017

Richard Janík opened SPR-16304 and commented

Example of a WebSocket configuration using SockJS

```java
// Imports added to make the posted configuration compile; the class body is as posted.
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.scheduling.concurrent.DefaultManagedTaskScheduler;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketAppConfig extends AbstractWebSocketMessageBrokerConfigurer {

	@Override
	public void registerStompEndpoints(StompEndpointRegistry registry) {
		// Only https://example.com is meant to be accepted as an Origin for the /ws endpoint.
		registry.addEndpoint("/ws").setAllowedOrigins("https://example.com").withSockJS();
	}

	@Override
	public void configureMessageBroker(MessageBrokerRegistry config) {
		config.enableSimpleBroker("/topic")
				.setHeartbeatValue(new long[] {10000, 10000})
				.setTaskScheduler(new DefaultManagedTaskScheduler());
		config.setApplicationDestinationPrefixes("/app");
	}

}
```

When we set the allowed origin to https://example.com and make a call to the server, let's say to /ws/info/, with the header (I will exclude the others just to show the example)

Origin: https://another.example.com

the server correctly returns HTTP status 403 - Forbidden.
But it also returns

Access-Control-Allow-Origin: https://another.example.com
access-control-allow-credentials: true

The issue is that an incorrect origin was sent and it is returned as allowed.

I've found that

AbstractSockJsService.getCorsConfiguration

returns a wildcard every time.
The check is done in OriginHandshakeInterceptor.java, but the headers are created in
DefaultCorsProcessor.java - at line 121 -

String allowOrigin = checkOrigin(config, requestOrigin);

which accepts the configuration from AbstractSockJsService.getCorsConfiguration.

(I assume this is also occurring on newer versions because I didn't find any problems regarding this topic.)


Affects: 4.3.9

Backported to: 4.3.14
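The behaviour reported above (403 on a disallowed Origin, yet the Origin echoed back in Access-Control-Allow-Origin with credentials allowed) is easy to spot in a captured response once you know what a correct CORS processor should have emitted. The following is an added example, not Spring Framework code and not part of the issue: it models the allow-list rule a CORS processor applies (including the wildcard-plus-credentials case, where the request Origin is echoed verbatim, which is exactly why a wildcard CorsConfiguration is the wrong input for an origin-restricted endpoint) and audits a captured response head against the configured allow-list. ALLOWED_ORIGINS mirrors the report's setAllowedOrigins("https://example.com"); SAMPLE_RESPONSE is constructed from the headers quoted in the report.

```python
"""Audit a captured HTTP response head for the SPR-16304 CORS symptom: a request
whose Origin is not allow-listed is rejected with 403, yet the response still
echoes that Origin in Access-Control-Allow-Origin alongside
Access-Control-Allow-Credentials: true.

Added example, not Spring Framework code. SAMPLE_RESPONSE is constructed to
match the headers quoted in the report; ALLOWED_ORIGINS mirrors the report's
setAllowedOrigins("https://example.com") call.
"""
from typing import Dict, List, Optional, Set, Tuple

ALLOWED_ORIGINS: Set[str] = {"https://example.com"}

# Constructed capture of the exchange described in the report (not a real server reply).
SAMPLE_RESPONSE = """HTTP/1.1 403 Forbidden
Access-Control-Allow-Origin: https://another.example.com
access-control-allow-credentials: true
Content-Length: 0
"""


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response head into (status code, headers).

    Header names are lower-cased so mixed-case names (as quoted in the report)
    compare reliably; a blank line terminates the header block.
    """
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def expected_allow_origin(allowed: Set[str], request_origin: Optional[str],
                          allow_credentials: bool) -> Optional[str]:
    """Value a CORS processor should put in Access-Control-Allow-Origin.

    Models the usual wildcard rule: when "*" is allow-listed and credentials are
    enabled, the request Origin is echoed back verbatim. A wildcard
    configuration therefore makes every Origin look allowed, which is the
    failure mode the report describes for AbstractSockJsService.getCorsConfiguration.
    """
    if request_origin is None:
        return None  # not a CORS request, no allow header expected
    if "*" in allowed:
        return request_origin if allow_credentials else "*"
    return request_origin if request_origin in allowed else None


def audit_cors(raw_response: str, request_origin: str, allowed: Set[str]) -> List[str]:
    """Return findings for one captured response; an empty list means the
    headers are consistent with the configured allow-list."""
    status, headers = parse_response(raw_response)
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    should = expected_allow_origin(allowed, request_origin, allow_credentials=True)
    findings: List[str] = []
    if acao is not None and should is None:
        findings.append(
            f"Access-Control-Allow-Origin={acao} sent although Origin {request_origin} is not allow-listed")
    if acao == "*" and creds:
        findings.append(
            "wildcard Access-Control-Allow-Origin combined with Access-Control-Allow-Credentials: true")
    if status == 403 and acao is not None:
        findings.append(
            "403 response still carries CORS allow headers (check the CorsConfiguration handed to the processor)")
    return findings


if __name__ == "__main__":
    for finding in audit_cors(SAMPLE_RESPONSE, "https://another.example.com", ALLOWED_ORIGINS):
        print("FINDING:", finding)
```

Run against the constructed capture, the audit reports two findings: an allow header for an origin that is not allow-listed, and allow headers on a 403 response. The same function returns no findings for a 200 response that names the allow-listed origin, or for a 403 that carries no CORS headers at all, which is the response the configuration above was meant to produce.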
