I am confused by the behaviour of Spring Boot 3.3 with Spring Security for CORS requests. When I pass a matching Origin, the HTTP response has status 200. But when the Origin does not match the configuration, it returns status 403 Forbidden. I spent two hours trying to figure out why it requires authentication, but the problem was that I sent a random URL in the Origin header.
So my question is whether this is intentional. I cannot find any reference to this change.
import static org.springframework.security.config.Customizer.withDefaults;
import java.util.Arrays;
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Assumed: bound from the 'cors.allowed.origins' property seen in the startup log.
@Value("${cors.allowed.origins}")
private List<String> corsAllowedOrigins;

@Bean
SecurityFilterChain configure(final HttpSecurity http, BAMTokenFilter bamRequestFilter) throws Exception {
    return http
        // Picks up the CorsConfigurationSource bean below; CorsFilter runs early in the chain.
        .cors(withDefaults())
        // .. (rest of the chain elided in the question)
        .build();
}

@Bean
CorsConfigurationSource corsConfigurationSource() {
    var configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(corsAllowedOrigins);
    configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE"));
    configuration.setAllowedHeaders(Arrays.asList("authorization", "content-type", "x-auth-token"));
    configuration.setExposedHeaders(List.of("x-auth-token"));
    var source = new UrlBasedCorsConfigurationSource();
    // Apply this CORS policy to every path.
    source.registerCorsConfiguration("/**", configuration);
    return source;
}
Startup logs:
o.s.c.e.PropertySourcesPropertyResolver: Found key 'cors.allowed.origins' in PropertySource 'environmentProperties' with value of type String
o.s.b.f.s.DefaultListableBeanFactory: Creating shared instance of singleton bean 'corsConfigurationSource'
o.s.s.w.DefaultSecurityFilterChain: Will secure any request with filters: DisableEncodeUrlFilter, WebAsyncManagerIntegrationFilter, SecurityContextHolderFilter, HeaderWriterFilter, CorsFilter, LogoutFilter, BAMTokenFilter, RequestCacheAwareFilter, SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, AuthorizationFilter
Incorrect Origin, status 403:
o.s.s.w.FilterChainProxy: Securing OPTIONS /feed
o.s.w.c.DefaultCorsProcessor: Reject: '' origin is not allowed
Correct Origin, status 200:
2025-03-07 10:24:30.156 [DEBUG][http-nio-8080-exec-3]{} o.s.s.w.FilterChainProxy: Securing OPTIONS /feed
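To show where the 403 comes from, here is an added example that is not part of the original question: it calls Spring's own DefaultCorsProcessor (the class that logged "origin is not allowed" above) directly on two constructed OPTIONS preflight requests, one from an allowed origin and one from a random origin. The allowed-origin list, the origin values https://app.example.com and https://evil.example.org, and the use of spring-test's MockHttpServletRequest/MockHttpServletResponse are assumptions of this example. Because CorsFilter sits before BAMTokenFilter and AuthorizationFilter in the filter chain listed in the startup log, the same rejection happens in the running application before any authentication is attempted.

```java
import java.util.List;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.DefaultCorsProcessor;

public class CorsRejectDemo {

    // Same policy shape as the question's bean; the allowed origin is an assumed value.
    static CorsConfiguration policy() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.com")); // assumed
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("authorization", "content-type", "x-auth-token"));
        config.setExposedHeaders(List.of("x-auth-token"));
        return config;
    }

    // Builds a constructed preflight request for /feed from the given origin.
    static MockHttpServletRequest preflight(String origin) {
        MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/feed");
        request.addHeader("Origin", origin);
        request.addHeader("Access-Control-Request-Method", "GET");
        request.addHeader("Access-Control-Request-Headers", "authorization");
        return request;
    }

    public static void main(String[] args) throws Exception {
        DefaultCorsProcessor processor = new DefaultCorsProcessor();

        // Allowed origin: processor accepts, leaves status 200 and adds the CORS headers.
        MockHttpServletResponse okResponse = new MockHttpServletResponse();
        boolean accepted = processor.processRequest(policy(), preflight("https://app.example.com"), okResponse);
        System.out.println("allowed origin -> accepted=" + accepted
                + " status=" + okResponse.getStatus()
                + " Access-Control-Allow-Origin=" + okResponse.getHeader("Access-Control-Allow-Origin"));

        // Random origin: processor rejects and writes 403 "Invalid CORS request" itself.
        // No authentication filter has run at this point.
        MockHttpServletResponse badResponse = new MockHttpServletResponse();
        boolean rejected = !processor.processRequest(policy(), preflight("https://evil.example.org"), badResponse);
        System.out.println("random origin  -> rejected=" + rejected
                + " status=" + badResponse.getStatus()
                + " body=" + badResponse.getContentAsString());
    }
}
```

Compile it with spring-web and spring-test on the classpath. The first line reports status 200 with the allowed origin echoed back; the second reports status 403 with the body "Invalid CORS request", which is exactly what the question's client saw when it sent an unlisted Origin.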
Published by: admin; please credit the source when reposting: http://www.yc00.com/questions/1744938050a4602146.html