Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CorsConfigurationSource DispatcherServlet returns 403 for request when Access-Control-Request-Method header is included [SPR-17634] #22165

spring-projects-issues opened this issue Jan 2, 2019 · 1 comment
in: web status: invalid


Copy link

@spring-projects-issues spring-projects-issues commented Jan 2, 2019

mike baranski opened SPR-17634 and commented

See Reference URL.  I have this configuration:


CorsConfigurationSource corsConfigurationSource() {"Configuring CORS");
 CorsConfiguration configuration = new CorsConfiguration();
 configuration.setAllowedOrigins(Arrays.asList("http://localhost:3000", "https://localhost:3000", "http://localhost:2199", "https://localhost:2199"));
 "Access-Control-Allow-Origin", "Access-Control-Request-Method",
 "Access-Control-Request-Headers", "Origin", "Cache-Control",
 "Content-Type", "Authorization", "Accept"));
 Arrays.asList("DELETE", "GET", "POST", "PATCH", "PUT"));
 UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
 source.registerCorsConfiguration("/**", configuration);
 return source;

  protected void configure(HttpSecurity http) throws Exception {"Starting security configuration");
        .antMatchers(HttpMethod.GET, "/auth/**").permitAll()
        .antMatchers(HttpMethod.POST, "/auth/**").permitAll()
        .antMatchers(HttpMethod.OPTIONS, "/auth/**").permitAll()

If I make a CURL request like this I get 403 from the Dispatcher servlet -

curl -v -XOPTIONS -H 'Access-Control-Request-Headers: content-type' -H 'Origin: http://localhost:3001' http://localhost:8080/auth/create-account  -H 'Access-Control-Request-Method: POST'

If I make a CURL request without the Access-Control-Request-Method header it works. Clearly I have allowed that header and the POST is a valid endpoint in my app:

public class AuthEndpoint {
  private static final Logger LOGGER = LoggerFactory.getLogger(
  public ResponseEntity<Object> createAccount(
      @RequestBody @Valid NewAccountDTO newAccountDTO) {
    LOGGER.debug("Creating account {}", newAccountDTO);

If I add this to the AuthEndpoint class it works with both CURL requests:

@CrossOrigin(origins = "http://localhost:3000")

Affects: 5.1.3

Reference URL:

Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Jan 3, 2019

Sébastien Deleuze commented

I made a sample application similar to yours with Boot, Spring Security and get it working correctly if I use an origin with one of the authorized origin, which is not the case of your example since you authorize origins with port 2199 and 3000, but your Origin header is using 3001. With an Origin header with port 3000 it returns 200.

Also Spring Security will understand automatically the CORS configuration from CorsConfigurationSource so you probably can simplify the Spring Security configuration.

@spring-projects-issues spring-projects-issues added type: bug status: invalid in: web labels Jan 11, 2019
@spring-projects-issues spring-projects-issues removed the type: bug label Jan 12, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
in: web status: invalid
None yet

No branches or pull requests

2 participants