Follow up to the discussion with @rwinch from https://github.com/spring-projects/spring-boot/pull/9711 in Spring Boot.
If security is enabled, preflight requests are currently answered with 401. This is a problem e.g. for Angular users and you need to fix it with a custom security config. See reports on Stack Overflow https://stackoverflow.com/q/34154711/3156607, https://stackoverflow.com/q/21696592/3156607, https://stackoverflow.com/q/28010307/3156607, https://stackoverflow.com/q/27501045/3156607
There is an open issue #3236 related to it.
Without explicit configuration preflight requests fail (doesn't matter if @CrossOrigin is present or not). It is possible to activate CorsFilter (see #2486) but this is not enabled by default.
The root cause is a spec issue, see discussion on the W3 list: http://lists.w3.org/Archives/Public/public-webapps/2012JulSep/0252.html
Preflight OPTIONS requests should not require authentication: https://stackoverflow.com/a/15734032/3156607
Plain Spring Boot with security (basic auth) enabled.
It should also work for non Spring MVC cases, e.g. using CXF JAXRS Spring Boot starter.
4.2.3.RELEASE
https://github.com/deki/spring-security-sample/tree/boot-cors
mvn spring-boot:run
curl -v -H 'Access-Control-Request-Method: GET' -H 'Origin:localhost' -X OPTIONS http://localhost:8080/
will fail with 401
Please mention this behavior in the documentation and the sample code.
@giordy Thanks for the reply. Did you see the CORS section of the documentation? Does that have what you need in it or are you looking for something more? If you are looking for something more, can you be explicit on what is missing?
@rwinch I created a new Spring Boot 2 project and had the following components in my build.gradle
compile('org.springframework.boot:spring-boot-starter-data-jpa')
compile('org.springframework.boot:spring-boot-starter-security')
compile('org.springframework.boot:spring-boot-starter-webflux')
compile('com.fasterxml.jackson.module:jackson-module-kotlin')
compile("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
compile("org.jetbrains.kotlin:kotlin-reflect")
With the help of StackOverflow I found the APIs to set up CORS on webflux (I couldn't find official docs, I was relying on this tutorial at first).
But my CORS configuration was not working so after searching the docs and StackOverflow I was evaluating the following hypotheses, in the order
The bottom line for me is: it would be nice to see mentioned in the docs this policy of rejecting preflight calls with 401 by default, because debugging this issue burned me quite some time and all the time I was assuming that Spring Security was disabled and not involved at all... I thought it was just CORS not being properly configured to cause that.
@giordy Thanks for the clarification. Please follow #4832 to track better support for CORS in WebFlux
Hi @giordy / @rwinch, in addition to the general CORS config by overriding org.springframework.web.reactive.config.WebFluxConfigurer#addCorsMappings
I found the following _webflux_ filter (in _Kotlin_) works for the OPTIONS preflight for browser js clients:
https://gist.github.com/christoph-daehne/1c2d4342a377b8a21b6a3caedb500e23#file-corsfilter-kt
https://sandstorm.de/de/blog/post/cors-headers-for-spring-boot-kotlin-webflux-reactor-project.html
Credits go to @christoph-daehne!
Would be nice to get something similar and configurable integrated.
Closing this since #4832 resolves this issue
👍 had a closer look at the source code, looks good to me, I'll switch over with the spring boot 2.1.0.M1 but looks good to me! 🙇