Description
Jean-Charles Eloi opened SPR-14406 and commented
Hello,
My application is a Spring Boot 1.4.0.M3 application exposing Spring MVC REST services.
Since the update to 1.4.0.M3, I experience problems with the CORS behaviour, which was until then totally managed by a custom filter.
Spring Boot 1.4.0.M3's web starter pulls spring-web 4.3.0.RC2.
The problem is that, along with my `Access-Control-Allow-Origin: *` response header, an `Access-Control-Allow-Origin: [content of the Origin: header in the request]` header was also being returned. The duplicate header was not really appreciated by the browser.
I traced the problem to the DefaultCorsProcessor and found that:
- Given a HttpServletResponse already containing CORS headers, the processor should do nothing, as per this section:

```java
if (responseHasCors(serverResponse)) {
    logger.debug("Skip CORS processing: response already contains \"Access-Control-Allow-Origin\" header");
    return true;
}
```

The problem is that just above that,

```java
ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
```

does not preserve the initial response's headers, cf. the constructor
in org.springframework.http.server.ServletServerHttpResponse:

```java
public ServletServerHttpResponse(HttpServletResponse servletResponse) {
    Assert.notNull(servletResponse, "HttpServletResponse must not be null");
    this.servletResponse = servletResponse;
    this.headers = (servlet3Present ? new ServletResponseHttpHeaders() : new HttpHeaders());
}
```
The headers returned by this constructor are always empty, resulting in responseHasCors(serverResponse) always returning false, and eventually this leads to the CORS header duplication.
Am I missing something, because as is, this really seems broken?
Best regards
Affects: 4.3 GA
Issue Links:
- Consistent handling of multi-valued headers in HttpHeaders [SPR-14223] #18797
Referenced from: commits 15c96b8
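
The failure mode described in the report, modelled as an added stand-alone example (not Spring's code and not the fix from the referenced commit): a wrapper whose header map starts empty cannot see a header an earlier filter already wrote, so the "already has CORS" check never fires. The classes `UnderlyingResponse` and `WrappedResponse`, the two check methods and the origin value are hypothetical stand-ins.

```java
import java.util.*;

public class CorsDuplicateHeaderDemo {
    static final String ACAO = "Access-Control-Allow-Origin";

    // Hypothetical stand-in for HttpServletResponse: headers already written upstream.
    static class UnderlyingResponse {
        final Map<String, List<String>> headers = new LinkedHashMap<>();
        void addHeader(String name, String value) {
            headers.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        boolean containsHeader(String name) { return headers.containsKey(name); }
    }

    // Hypothetical stand-in for the wrapper: its own header map starts empty.
    static class WrappedResponse {
        final UnderlyingResponse delegate;
        final Map<String, String> headers = new LinkedHashMap<>();
        WrappedResponse(UnderlyingResponse delegate) { this.delegate = delegate; }
        void flush() { headers.forEach(delegate::addHeader); }
    }

    // Looks only at the wrapper's own map, so upstream headers are invisible.
    static boolean hasCorsWrapperOnly(WrappedResponse r) { return r.headers.containsKey(ACAO); }

    // Also consults the underlying response before deciding.
    static boolean hasCorsDelegateAware(WrappedResponse r) {
        return r.headers.containsKey(ACAO) || r.delegate.containsHeader(ACAO);
    }

    // Returns every Access-Control-Allow-Origin value the client would receive.
    static List<String> process(String origin, boolean delegateAware) {
        UnderlyingResponse response = new UnderlyingResponse();
        response.addHeader(ACAO, "*"); // custom CORS filter ran first
        WrappedResponse wrapped = new WrappedResponse(response);
        boolean skip = delegateAware ? hasCorsDelegateAware(wrapped) : hasCorsWrapperOnly(wrapped);
        if (!skip) {
            wrapped.headers.put(ACAO, origin); // processor echoes the request Origin
            wrapped.flush();
        }
        return response.headers.get(ACAO);
    }

    public static void main(String[] args) {
        // Constructed origin value, for illustration only.
        System.out.println("wrapper-only check:   " + process("https://app.example", false));
        System.out.println("delegate-aware check: " + process("https://app.example", true));
    }
}
```

With the wrapper-only check the response ends up carrying both `*` and the echoed origin; with the delegate-aware check only the filter's `*` remains.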