
Avoid 401 for preflight OPTIONS requests by default #4448


Closed
deki opened this issue Jul 11, 2017 · 7 comments
Assignees
Labels
in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue

Comments

@deki
Contributor

deki commented Jul 11, 2017

Summary

Follow up to the discussion with @rwinch from spring-projects/spring-boot#9711 in Spring Boot.

If security is enabled, preflight requests are currently answered with 401. This is a problem e.g. for Angular users and you need to fix it with a custom security config. See reports on Stack Overflow https://stackoverflow.com/q/34154711/3156607, https://stackoverflow.com/q/21696592/3156607, https://stackoverflow.com/q/28010307/3156607, https://stackoverflow.com/q/27501045/3156607

There is an open issue #3236 related to it.

Actual Behavior

Without explicit configuration preflight requests fail (doesn't matter if @CrossOrigin is present or not). It is possible to activate CorsFilter (see #2486) but this is not enabled by default.

Expected Behavior

The root cause is a spec issue, see discussion on the W3 list: http://lists.w3.org/Archives/Public/public-webapps/2012JulSep/0252.html

Preflight OPTIONS requests should not require authentication: https://stackoverflow.com/a/15734032/3156607

Configuration

Plain Spring Boot with security (basic auth) enabled.

It should also work for non-Spring MVC cases, e.g. using the CXF JAX-RS Spring Boot starter.

Version

4.2.3.RELEASE

Sample

https://github.com/deki/spring-security-sample/tree/boot-cors
mvn spring-boot:run
curl -v -H 'Access-Control-Request-Method: GET' -H 'Origin:localhost' -X OPTIONS http://localhost:8080/
will fail with 401
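To make the ordering problem in this report concrete, here is an added toy filter chain (constructed for this thread, not code from the issue, the sample repository, or Spring Security itself). It models an HTTP Basic filter and a CORS filter as plain functions over dict-shaped requests and runs them in both orders: with authentication first, a preflight from an Angular dev server never reaches the CORS logic and is answered 401, which is what the curl reproduction above shows; with CORS first, the preflight is answered without credentials, while unknown origins get 403 (mirroring Spring's "Invalid CORS request" rejection) and ordinary unauthenticated requests are still challenged. The allowed origin, credential store and request samples are assumptions chosen for the example.

```python
"""Toy request pipeline showing why a CORS filter must run before authentication.

Constructed example; not Spring Security's own code. Requests are plain dicts
with "method", "path" and a "headers" dict. The sample requests at the bottom
are constructed, modelled on the curl command from the issue report.
"""
import base64
from typing import Dict, Optional, Tuple

Request = Dict[str, object]
Response = Tuple[int, Dict[str, str]]

# Assumed policy for the example: one allowed origin (Angular dev server), few methods.
ALLOWED_ORIGINS = {"http://localhost:4200"}
ALLOWED_METHODS = {"GET", "POST"}
MAX_AGE_SECONDS = 3600

# Constructed credential store for HTTP Basic; a demo-only placeholder.
USERS = {"user": "password"}


def is_preflight(req: Request) -> bool:
    """A CORS preflight is an OPTIONS request carrying both an Origin and an
    Access-Control-Request-Method header. Browsers add both automatically;
    curl only sends them when asked, as in the issue's reproduction command."""
    h = req["headers"]
    return (req["method"] == "OPTIONS"
            and "Origin" in h
            and "Access-Control-Request-Method" in h)


def cors_filter(req: Request) -> Optional[Response]:
    """Answer a preflight without consulting credentials.

    Browsers never attach cookies or Authorization to the preflight, so an
    authentication check here can only fail. Unknown origins or methods are
    rejected with 403 (no credential the caller could add would help), not 401.
    Non-preflight requests pass through by returning None."""
    if not is_preflight(req):
        return None
    h = req["headers"]
    origin = h["Origin"]
    method = h["Access-Control-Request-Method"]
    if origin not in ALLOWED_ORIGINS or method not in ALLOWED_METHODS:
        return 403, {}
    return 200, {
        # Echo only an allowlisted origin; never "*" on an endpoint that takes credentials.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
        "Vary": "Origin",
    }


def basic_auth_filter(req: Request) -> Optional[Response]:
    """HTTP Basic check: 401 challenge when credentials are missing or wrong,
    None when the request is authenticated."""
    challenge = (401, {"WWW-Authenticate": 'Basic realm="Realm"'})
    auth = req["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return challenge
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return challenge
    return None if USERS.get(user) == pw else challenge


def handle(req: Request, cors_before_auth: bool) -> Response:
    """Run the filter chain. With cors_before_auth=False the chain behaves like
    the issue report: the preflight never reaches the CORS logic and gets 401."""
    chain = ([cors_filter, basic_auth_filter] if cors_before_auth
             else [basic_auth_filter, cors_filter])
    for f in chain:
        resp = f(req)
        if resp is not None:
            return resp
    return 200, {"Content-Type": "text/plain"}  # the protected resource itself


# Constructed sample requests.
PREFLIGHT = {"method": "OPTIONS", "path": "/",
             "headers": {"Origin": "http://localhost:4200",
                         "Access-Control-Request-Method": "GET"}}
EVIL_PREFLIGHT = {"method": "OPTIONS", "path": "/",
                  "headers": {"Origin": "http://example.test",
                              "Access-Control-Request-Method": "GET"}}
ANON_GET = {"method": "GET", "path": "/",
            "headers": {"Origin": "http://localhost:4200"}}
AUTH_GET = {"method": "GET", "path": "/",
            "headers": {"Origin": "http://localhost:4200",
                        "Authorization": "Basic " + base64.b64encode(b"user:password").decode()}}

if __name__ == "__main__":
    print("preflight, auth first :", handle(PREFLIGHT, cors_before_auth=False)[0])      # 401, the reported bug
    print("preflight, CORS first :", handle(PREFLIGHT, cors_before_auth=True)[0])       # 200
    print("disallowed origin     :", handle(EVIL_PREFLIGHT, cors_before_auth=True)[0])  # 403
    print("anonymous GET         :", handle(ANON_GET, cors_before_auth=True)[0])        # 401 still enforced
    print("authenticated GET     :", handle(AUTH_GET, cors_before_auth=True)[0])        # 200
```

The point carried over to the real framework is the position of the filter, not the header values: `http.cors()` in Spring Security exists precisely to place `CorsFilter` ahead of the authentication filters, and the allowlist check in the CORS step is what keeps "answer preflights without credentials" from turning into "answer every origin".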

@giordy

giordy commented Apr 27, 2018

Please mention this behavior in the documentation and the sample code.

@rwinch
Member

rwinch commented Apr 27, 2018

@giordy Thanks for the reply. Did you see the CORS section of the documentation? Does that have what you need in it or are you looking for something more? If you are looking for something more, can you be explicit on what is missing?

@giordy

giordy commented Apr 27, 2018

@rwinch I created a new Spring Boot 2 project and had the following components in my build.gradle

compile('org.springframework.boot:spring-boot-starter-data-jpa')
compile('org.springframework.boot:spring-boot-starter-security')
compile('org.springframework.boot:spring-boot-starter-webflux')
compile('com.fasterxml.jackson.module:jackson-module-kotlin')
compile("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
compile("org.jetbrains.kotlin:kotlin-reflect")

With the help of StackOverflow I found the APIs to setup CORS on webflux (I couldn't find official docs, I was relying on this tutorial at first).

But my CORS configuration was not working, so after searching the docs and StackOverflow I was evaluating the following hypotheses, in this order:

  1. "I don't know webflux that well, probably something about my CORS conf is broken". But nothing looked wrong, I tried 4-5 different solutions and none worked at all. DEBUG logs didn't tell me much either.
  2. "Angular is not sending some needed header that I'm overlooking". Again no luck.
  3. "That 401 looks suspicious. I have not configured Spring Security or enabled it with @EnableWebSecurity, yet the 401 seems somehow related to it. Let's search the issues on GitHub". Bam! Found this issue and found out that Spring Security is indeed doing something. I tried commenting out the dependency and everything worked on the spot.

The bottom line for me is: it would be nice to see this policy of rejecting preflight calls with 401 by default mentioned in the docs, because debugging this issue cost me quite some time, and all the while I was assuming that Spring Security was disabled and not involved at all... I thought it was just CORS not being properly configured that caused this.

@rwinch
Member

rwinch commented Apr 27, 2018

@giordy Thanks for the clarification. Please follow #4832 to track better support for CORS in WebFlux

@hartmut-co-uk

Hi @giordy / @rwinch, in addition to the general CORS config (overriding org.springframework.web.reactive.config.WebFluxConfigurer#addCorsMappings),

I found that the following WebFlux filter (in Kotlin) works for the OPTIONS preflight for browser JS clients:
https://gist.github.com/christoph-daehne/1c2d4342a377b8a21b6a3caedb500e23#file-corsfilter-kt
https://sandstorm.de/de/blog/post/cors-headers-for-spring-boot-kotlin-webflux-reactor-project.html

Credits go to @christoph-daehne!

Would be nice to get something similar and configurable integrated.

@rwinch
Member

rwinch commented Jul 31, 2018

Closing this since #4832 resolves this issue

@rwinch rwinch closed this as completed Jul 31, 2018
@rwinch rwinch self-assigned this Jul 31, 2018
@rwinch rwinch added status: duplicate A duplicate of another issue Reactive in: web An issue in web modules (web, webmvc) labels Jul 31, 2018
@hartmut-co-uk

👍 Had a closer look at the source code, looks good to me. I'll switch over with Spring Boot 2.1.0.M1, but looks good to me! 🙇
