
Access-Control-Allow-Origin header returns wrong value using SockJS [SPR-16304] #20851

spring-projects-issues opened this issue Dec 15, 2017 · 0 comments
in: web status: backported type: bug



spring-projects-issues commented Dec 15, 2017

Richard Janík opened SPR-16304 and commented

Example of websocket configuration using SockJS

public class WebSocketAppConfig extends AbstractWebSocketMessageBrokerConfigurer {
	public void registerStompEndpoints(StompEndpointRegistry registry) {
		// endpoint registration (allowed origins, SockJS) is not preserved on this page
	}

	public void configureMessageBroker(MessageBrokerRegistry config) {
		config.enableSimpleBroker("/topic").setHeartbeatValue(new long[] {10000,10000}).setTaskScheduler(new DefaultManagedTaskScheduler());
	}
}

When we set allowed origin to and we make a call to the server, let's say /ws/info/, with header (I will exclude others just to show the example)


the server correctly returns HTTP status 403 - Forbidden.
But it also returns

access-control-allow-credentials: true

The issue is that an incorrect origin was sent and it is returned as allowed.

I've found that


returns a wildcard every time.
The check is done in but the headers are created in - at line 121 -

String allowOrigin = checkOrigin(config, requestOrigin);
which accepts configuration from AbstractSockJsService.getCorsConfiguration.

(I assume this also occurs on newer versions because I didn't find any issues regarding this topic)

Affects: 4.3.9

Backported to: 4.3.14
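As an added example (not code from the report or from Spring), the following Python audit checks a response to a cross-origin request such as GET /ws/info against the server's configured allowlist and flags the inconsistency described above: a 403 that still carries a wildcard Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true. The allowlist, origins and response headers are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class CorsFinding:
    severity: str
    message: str


def audit_cors_response(request_origin, allowed_origins, status, headers):
    """Audit one response to a cross-origin request against the allowlist.

    Returns a list of CorsFinding; an empty list means the CORS headers are
    consistent with both the allowlist and the HTTP status.
    """
    # Header names are case-insensitive; normalise once for lookup.
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    origin_allowed = request_origin in allowed_origins or "*" in allowed_origins
    findings = []
    if acao is None:
        return findings  # no CORS grant at all: nothing for a browser to honour
    if acao == "*" and creds:
        findings.append(CorsFinding("high", "wildcard Access-Control-Allow-Origin "
                                    "combined with Access-Control-Allow-Credentials: true"))
    if not origin_allowed and acao in ("*", request_origin):
        findings.append(CorsFinding("high", f"origin {request_origin} is not allowlisted "
                                    f"but the response grants {acao}"))
    if status == 403 and acao in ("*", request_origin):
        findings.append(CorsFinding("medium", "request rejected with 403 yet CORS grant "
                                    "headers are still emitted; origin check and "
                                    "header generation disagree"))
    return findings


# Constructed allowlist and responses modelled on the report, not captured traffic.
ALLOWED = {"https://app.example.test"}
BUGGY_403 = (403, {"Access-Control-Allow-Origin": "*",
                   "Access-Control-Allow-Credentials": "true"})
CLEAN_403 = (403, {})
GOOD_200 = (200, {"Access-Control-Allow-Origin": "https://app.example.test",
                  "Access-Control-Allow-Credentials": "true"})


def run_samples():
    """Audit the three constructed responses; returns (buggy, clean, good) findings."""
    buggy = audit_cors_response("https://other.example.test", ALLOWED, *BUGGY_403)
    clean = audit_cors_response("https://other.example.test", ALLOWED, *CLEAN_403)
    good = audit_cors_response("https://app.example.test", ALLOWED, *GOOD_200)
    return buggy, clean, good
```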

@spring-projects-issues spring-projects-issues added type: bug status: backported in: web labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 5.0.3 milestone Jan 11, 2019