
CorsConfigurationSource DispatcherServlet returns 403 for request when Access-Control-Request-Method header is included [SPR-17634] #22165

Closed
spring-issuemaster opened this issue Jan 2, 2019 · 1 comment

@spring-issuemaster spring-issuemaster commented Jan 2, 2019

mike baranski opened SPR-17634 and commented

See Reference URL. I have this configuration:

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Bean
  CorsConfigurationSource corsConfigurationSource() {
    LOGGER.info("Configuring CORS");
    CorsConfiguration configuration = new CorsConfiguration();
    // Only these four origins pass the Origin check; any other Origin header is rejected.
    configuration.setAllowedOrigins(Arrays.asList(
        "http://localhost:3000", "https://localhost:3000",
        "http://localhost:2199", "https://localhost:2199"));
    // With credentials allowed, Access-Control-Allow-Origin echoes the matching origin.
    configuration.setAllowCredentials(true);
    // Request headers a preflight may list in Access-Control-Request-Headers.
    // Note: the Access-Control-Allow-* entries are response headers; a browser never sends them.
    configuration.setAllowedHeaders(Arrays.asList(
        "Access-Control-Allow-Headers", "Access-Control-Allow-Origin",
        "Access-Control-Request-Method", "Access-Control-Request-Headers",
        "Origin", "Cache-Control", "Content-Type", "Authorization", "Accept"));
    // Methods a preflight may name in Access-Control-Request-Method.
    configuration.setAllowedMethods(Arrays.asList("DELETE", "GET", "POST", "PATCH", "PUT"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    LOGGER.info("Starting security configuration");
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http
        .cors().and()
        // CSRF protection is switched off for every path.
        .csrf().ignoringAntMatchers("/**").and()
        .authorizeRequests()
        .antMatchers(HttpMethod.GET, "/auth/**").permitAll()
        .antMatchers(HttpMethod.POST, "/auth/**").permitAll()
        .antMatchers(HttpMethod.OPTIONS, "/auth/**").permitAll()
        // Preflight (OPTIONS + Origin + Access-Control-Request-Method) needs no authentication.
        .requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
        .antMatchers("/**").hasRole("USER");
  }
}
```

If I make a curl request like this I get 403 from the DispatcherServlet:

```shell
curl -v -XOPTIONS \
  -H 'Access-Control-Request-Headers: content-type' \
  -H 'Access-Control-Request-Method: POST' \
  -H 'Origin: http://localhost:3001' \
  http://localhost:8080/auth/create-account
```

If I make a curl request without the Access-Control-Request-Method header it works. Clearly I have allowed that header and the POST is a valid endpoint in my app:

```java
import javax.validation.Valid;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/auth")
public class AuthEndpoint {
  private static final Logger LOGGER = LoggerFactory.getLogger(AuthEndpoint.class);

  // POST /auth/create-account, the endpoint the preflight above is asking about.
  @PostMapping("/create-account")
  public ResponseEntity<Object> createAccount(@RequestBody @Valid NewAccountDTO newAccountDTO) {
    LOGGER.debug("Creating account {}", newAccountDTO);
    ...
  }
}
```

If I add this to the AuthEndpoint class it works with both curl requests:

```java
@CrossOrigin(origins = "http://localhost:3000")
```


Affects: 5.1.3

Reference URL: https://stackoverflow.com/questions/54000519/spring-boot-cors-configuration-issue-access-control-request-method-post/54002148#54002148

@spring-issuemaster spring-issuemaster commented Jan 3, 2019

Sébastien Deleuze commented

I made a sample application similar to yours with Boot and Spring Security and got it working correctly when I use one of the authorized origins, which is not the case in your example, since you authorize origins with ports 2199 and 3000 but your Origin header uses port 3001. With an Origin header with port 3000 it returns 200.

Also, Spring Security will automatically understand the CORS configuration from CorsConfigurationSource, so you can probably simplify the Spring Security configuration.
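To make the diagnosis above concrete, here is an added example (written for this thread, not Spring's own code) that models the checks Spring's CORS processing applies to a request: origin first, then the method (Access-Control-Request-Method for a preflight, the real method otherwise), then the requested headers for a preflight only. It transcribes the reporter's configuration and replays the curl request with port 3001 and with port 3000. The `CorsConfiguration` dataclass, `process` and `is_preflight` are this example's own simplified reimplementation, not Spring's API, and it leaves out details such as Max-Age and exposed headers.

```python
"""Simplified model of the CORS checks in Spring's DefaultCorsProcessor.

Added example for this issue thread; not Spring code. Only the origin,
method and header checks are modelled, and the assumption is that the
filter runs before authorization, so a rejection never reaches the handler.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CorsConfiguration:
    allowed_origins: List[str]
    allowed_methods: List[str]
    allowed_headers: List[str]
    allow_credentials: bool = False


# The reporter's bean, transcribed.
ISSUE_CONFIG = CorsConfiguration(
    allowed_origins=["http://localhost:3000", "https://localhost:3000",
                     "http://localhost:2199", "https://localhost:2199"],
    allowed_methods=["DELETE", "GET", "POST", "PATCH", "PUT"],
    allowed_headers=["Access-Control-Allow-Headers", "Access-Control-Allow-Origin",
                     "Access-Control-Request-Method", "Access-Control-Request-Headers",
                     "Origin", "Cache-Control", "Content-Type", "Authorization", "Accept"],
    allow_credentials=True,
)

# Constructed copy of the curl request from the issue (header names lower-cased by process()).
ISSUE_REQUEST_HEADERS = {
    "Origin": "http://localhost:3001",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "content-type",
}


def is_preflight(method: str, lower_headers: Dict[str, str]) -> bool:
    """A preflight is OPTIONS carrying both Origin and Access-Control-Request-Method."""
    return (method.upper() == "OPTIONS"
            and "origin" in lower_headers
            and "access-control-request-method" in lower_headers)


def process(config: CorsConfiguration, method: str,
            headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, CORS response headers): 200 lets the request through, 403 rejects it."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return 200, {}  # no Origin header: not a CORS request, nothing to check

    # 1. The Origin must match an allowed origin (case-insensitive) or "*".
    allowed_origins = [o.lower() for o in config.allowed_origins]
    if "*" not in allowed_origins and origin.lower() not in allowed_origins:
        return 403, {}  # "Invalid CORS request": this is the port-3001 case

    # 2. For a preflight the method under test is Access-Control-Request-Method.
    preflight = is_preflight(method, h)
    checked_method = h["access-control-request-method"] if preflight else method
    allowed_methods = [m.upper() for m in config.allowed_methods]
    if "*" not in allowed_methods and checked_method.upper() not in allowed_methods:
        return 403, {}

    echo_origin = config.allow_credentials or "*" not in allowed_origins
    response = {"Access-Control-Allow-Origin": origin if echo_origin else "*",
                "Vary": "Origin"}
    if config.allow_credentials:
        response["Access-Control-Allow-Credentials"] = "true"

    if preflight:
        # 3. Requested headers are matched case-insensitively against the allowed list;
        #    a preflight whose requested headers are all unknown is rejected.
        requested = [x.strip() for x in h.get("access-control-request-headers", "").split(",")
                     if x.strip()]
        if "*" in config.allowed_headers:
            allowed = requested
        else:
            canonical = {a.lower(): a for a in config.allowed_headers}
            allowed = [canonical[r.lower()] for r in requested if r.lower() in canonical]
        if requested and not allowed:
            return 403, {}
        response["Access-Control-Allow-Methods"] = ", ".join(config.allowed_methods)
        if allowed:
            response["Access-Control-Allow-Headers"] = ", ".join(allowed)
    return 200, response


def replay_issue_request(origin: str) -> Tuple[int, Dict[str, str]]:
    """The reporter's OPTIONS request with a chosen Origin value."""
    return process(ISSUE_CONFIG, "OPTIONS", {**ISSUE_REQUEST_HEADERS, "Origin": origin})


if __name__ == "__main__":
    for origin in ("http://localhost:3001", "http://localhost:3000"):
        print(origin, replay_issue_request(origin))
```

The point to take from the model is the order of checks: the origin is compared before Access-Control-Request-Method is even looked at, so the 403 in the report is an origin mismatch, not a problem with the allowed method or header lists. The server side is only half of the story; the browser separately refuses the actual request when Access-Control-Allow-Origin does not match its own origin or Access-Control-Allow-Headers omits a header it asked for, so a lenient server list is still constrained by the client.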
