Avoid 401 for preflight OPTIONS requests by default #4448
Comments
Please mention this behavior in the documentation and the sample code.
@rwinch I created a new Spring Boot 2 project and had the following components in my build.gradle
With the help of StackOverflow I found the APIs to set up CORS on webflux (I couldn't find official docs, I was relying on this tutorial at first). But my CORS configuration was not working so after searching the docs and StackOverflow I was evaluating the following hypotheses, in the order
The bottom line for me is: it would be nice to see mentioned in the docs this policy of rejecting preflight calls with 401 by default, because debugging this issue burned me quite some time and all the time I was assuming that Spring Security was disabled and not involved at all... I thought it was just CORS not being properly configured to cause that.
Hi @giordy / @rwinch, in addition to the general CORS config by overriding I found following webflux filter (in Kotlin) works for the Credits go to @christoph-daehne! Would be nice to get something similar and configurable integrated.
Closing this since #4832 resolves this issue
👍 had a closer look at the source code, looks good to me, I'll switch over with the spring boot |
Summary
Follow up to the discussion with @rwinch from spring-projects/spring-boot#9711 in Spring Boot.
If security is enabled, preflight requests are currently answered with 401. This is a problem e.g. for Angular users and you need to fix it with a custom security config. See reports on Stack Overflow https://stackoverflow.com/q/34154711/3156607, https://stackoverflow.com/q/21696592/3156607, https://stackoverflow.com/q/28010307/3156607, https://stackoverflow.com/q/27501045/3156607
There is an open issue #3236 related to it.
Actual Behavior
Without explicit configuration preflight requests fail (doesn't matter if @CrossOrigin is present or not). It is possible to activate CorsFilter (see #2486) but this is not enabled by default.
Expected Behavior
The root cause is a spec issue, see discussion on the W3 list: http://lists.w3.org/Archives/Public/public-webapps/2012JulSep/0252.html
Preflight OPTIONS requests should not require authentication: https://stackoverflow.com/a/15734032/3156607
Configuration
Plain Spring Boot with security (basic auth) enabled.
It should also work for non Spring MVC cases, e.g. using CXF JAXRS Spring Boot starter.
Version
4.2.3.RELEASE
Sample
https://github.com/deki/spring-security-sample/tree/boot-cors
mvn spring-boot:run
curl -v -H 'Access-Control-Request-Method: GET' -H 'Origin:localhost' -X OPTIONS http://localhost:8080/
will fail with 401
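An added example (not code from this issue, the linked sample or the Spring Security project) of the explicit configuration the report refers to, assuming the Spring Security 4.2.x servlet stack with basic auth. The class name, the origin `https://app.example.com` and the allowed methods and headers are constructed placeholders.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical class name; everything below uses existing Spring APIs.
@EnableWebSecurity
public class CorsAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Places CorsFilter ahead of the authentication filters, so a
            // preflight OPTIONS request (which carries no credentials) is
            // answered by the CORS layer instead of the basic auth entry point.
            .cors().and()
            // Every actual (non-preflight) request still needs credentials.
            .authorizeRequests().anyRequest().authenticated().and()
            .httpBasic();
    }

    // http.cors() looks this bean up by the name "corsConfigurationSource".
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Explicit allow-list; a wildcard origin would let any site script
        // against the API from a victim's browser once credentials are sent.
        config.setAllowedOrigins(Arrays.asList("https://app.example.com")); // constructed origin
        config.setAllowedMethods(Arrays.asList("GET", "POST"));
        // Authorization must be listed or the browser blocks the basic auth header.
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        config.setMaxAge(3600L); // seconds a browser may cache the preflight result

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

With this in place the preflight is decided by the CORS allow-list alone: a request from an origin outside the list is rejected by the CORS filter, and one from an allowed origin gets the `Access-Control-Allow-*` headers without being challenged for credentials.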