CorsConfigurationSource DispatcherServlet returns 403 for request when Access-Control-Request-Method header is included [SPR-17634]

[spring-issuemaster]

mike baranski opened SPR-17634 and commented

See Reference URL.  I have this configuration:

 

@Bean
CorsConfigurationSource corsConfigurationSource() {
 LOGGER.info("Configuring CORS");
 CorsConfiguration configuration = new CorsConfiguration();
 configuration.setAllowedOrigins(Arrays.asList("http://localhost:3000", "https://localhost:3000", "http://localhost:2199", "https://localhost:2199"));
 configuration.setAllowCredentials(true);
 configuration.setAllowedHeaders(
 Arrays.asList("Access-Control-Allow-Headers",
 "Access-Control-Allow-Origin", "Access-Control-Request-Method",
 "Access-Control-Request-Headers", "Origin", "Cache-Control",
 "Content-Type", "Authorization", "Accept"));
 configuration.setAllowedMethods(
 Arrays.asList("DELETE", "GET", "POST", "PATCH", "PUT"));
 UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 source.registerCorsConfiguration("/**", configuration);
 return source;
}

 @Override
  protected void configure(HttpSecurity http) throws Exception {
    LOGGER.info("Starting security configuration");
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http
        .cors().and()
        .csrf().ignoringAntMatchers("/**").and()
        .authorizeRequests()
        .antMatchers(HttpMethod.GET, "/auth/**").permitAll()
        .antMatchers(HttpMethod.POST, "/auth/**").permitAll()
        .antMatchers(HttpMethod.OPTIONS, "/auth/**").permitAll()
        .requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
        .antMatchers("/**").hasRole("USER");

If I make a CURL request like this I get 403 from the Dispatcher servlet -

curl -v -XOPTIONS -H 'Access-Control-Request-Headers: content-type' -H 'Origin: http://localhost:3001' http://localhost:8080/auth/create-account  -H 'Access-Control-Request-Method: POST'

If I make a CURL request without the Access-Control-Request-Method header it works. Clearly I have allowed that header and the POST is a valid endpoint in my app:

@RestController
@RequestMapping("/auth")
public class AuthEndpoint {
  private static final Logger LOGGER = LoggerFactory.getLogger(
      AuthEndpoint.class);
@PostMapping("/create-account")
  public ResponseEntity<Object> createAccount(
      @RequestBody @Valid NewAccountDTO newAccountDTO) {
    LOGGER.debug("Creating account {}", newAccountDTO);
    ...
}
}

If I add this to the AuthEndpoint class it works with both CURL requests:

@CrossOrigin(origins = "http://localhost:3000")

---

Affects: 5.1.3

Reference URL: https://stackoverflow.com/questions/54000519/spring-boot-cors-configuration-issue-access-control-request-method-post/54002148#54002148

[spring-issuemaster]

Sébastien Deleuze commented

I made a sample application similar to yours with Boot, Spring Security and get it working correctly if I use an origin with one of the authorized origin, which is not the case of your example since you authorize origins with port 2199 and 3000, but your Origin header is using 3001. With an Origin header with port 3000 it returns 200.

Also Spring Security will understand automatically the CORS configuration from CorsConfigurationSource so you probably can simplify the Spring Security configuration.