
CORS request fails in case of allowedOrigins set to all #145

Closed
gorbunkov opened this issue Nov 30, 2022 · 0 comments
Labels: type: regression (Issue was found during regression), ver: 7.2.5
Milestone: Release 7.2

gorbunkov (Contributor) commented:

Environment

  • Platform version: 7.2.20
  • Addon version: 7.2.4

Description of the bug or enhancement

Try to get an access token, passing the Origin header in the request, e.g.:

curl -X POST http://localhost:8080/app/rest/v2/oauth/token \
   --basic --user client:secret \
   -H "Origin: http://example.com" \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -d "grant_type=password&username=admin&password=admin"

Actual result: the error:

HTTP Status 500 – Internal Server Error
Type: Exception Report
Message: When allowCredentials is true, allowedOrigins cannot contain the special value "*" since that cannot be set on the "Access-Control-Allow-Origin" response header. To allow credentials to a set of origins, list them explicitly or consider using "allowedOriginPatterns" instead.
Description: The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception:
java.lang.IllegalArgumentException: When allowCredentials is true, allowedOrigins cannot contain the special value "*" since that cannot be set on the "Access-Control-Allow-Origin" response header. To allow credentials to a set of origins, list them explicitly or consider using "allowedOriginPatterns" instead.
	org.springframework.web.cors.CorsConfiguration.validateAllowCredentials(CorsConfiguration.java:473)
	org.springframework.web.cors.CorsConfiguration.checkOrigin(CorsConfiguration.java:577)
	org.springframework.web.cors.DefaultCorsProcessor.checkOrigin(DefaultCorsProcessor.java:174)
	org.springframework.web.cors.DefaultCorsProcessor.handleInternal(DefaultCorsProcessor.java:116)
	org.springframework.web.cors.DefaultCorsProcessor.processRequest(DefaultCorsProcessor.java:95)
	org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:87)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
	org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
	org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)
	org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
	com.haulmont.cuba.web.sys.CubaHttpFilter.doFilter(CubaHttpFilter.java:93)

The cause is that, starting with Spring Security 5.3, the combination of allowedOrigins="*" and allowCredentials=true in the CORS configuration is no longer allowed. The check is CorsConfiguration.validateAllowCredentials, the top frame of the stack trace above; CorsFilter reaches it through checkOrigin on every request that carries an Origin header, which is why a plain curl call with Origin set fails as well.

See forum topic
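Added illustration (not code from this issue or from the CUBA platform), assuming spring-web 5.3+ on Java 11: the rejected configuration beside the two forms the error message points to, exercised directly through CorsConfiguration; the sample origins and the pattern are constructed.

```java
import java.util.List;
import org.springframework.web.cors.CorsConfiguration;

public class RestCorsConfig {
    // Shared part: the REST client sends an Authorization header, so
    // allowCredentials stays true in every variant below.
    private static CorsConfiguration credentialed() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowCredentials(true);
        cfg.setAllowedMethods(List.of("GET", "POST"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        return cfg;
    }

    // The combination from the issue: spring-web 5.3+ throws IllegalArgumentException
    // from validateAllowCredentials(), reached via checkOrigin() on any request with an Origin.
    static CorsConfiguration rejectedConfig() {
        CorsConfiguration cfg = credentialed();
        cfg.setAllowedOrigins(List.of("*"));
        return cfg;
    }

    // Preferred fix: list the origins the REST API is really called from.
    // checkOrigin() echoes a listed origin and returns null for any other.
    static CorsConfiguration explicitOriginsConfig(List<String> origins) {
        CorsConfiguration cfg = credentialed();
        cfg.setAllowedOrigins(origins);
        return cfg;
    }

    // Alternative named in the error message. The pattern "*" makes Spring reflect
    // whatever Origin the browser sends, so any site could make credentialed calls.
    static CorsConfiguration patternConfig(String pattern) {
        CorsConfiguration cfg = credentialed();
        cfg.setAllowedOriginPatterns(List.of(pattern));
        return cfg;
    }

    public static void main(String[] args) {
        try {
            rejectedConfig().validateAllowCredentials();
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        CorsConfiguration fixed = explicitOriginsConfig(List.of("http://example.com"));
        System.out.println(fixed.checkOrigin("http://example.com"));
        System.out.println(fixed.checkOrigin("http://other.test"));
        System.out.println(patternConfig("https://*.example.com").checkOrigin("https://app.example.com"));
    }
}
```

Because the check runs in checkOrigin for every request with an Origin header, a misconfigured instance fails for API clients such as the curl call above, not only for browsers; with allowedOriginPatterns keep the pattern as narrow as the deployment allows.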

@gorbunkov gorbunkov added the type: regression Issue was found during regression label Nov 30, 2022
@gorbunkov gorbunkov added this to the Release 7.2 milestone Nov 30, 2022
@gorbunkov gorbunkov self-assigned this Nov 30, 2022
@gorbunkov gorbunkov changed the title CORS request fails in case of allowedOrigins set to * CORS request fails in case of allowedOrigins set to all Nov 30, 2022