Spring 启动 2.2.4.RELEASE 在 Origin 被定义为 webapp 自己的主机名以外的任何内容时返回 403 获取请求

Question

Good morning everyone, When enabling CORS on a subset of endpoints in my Spring Boot application (which we deploy as an war), the preflight works perfectly, however when the actual GET request is made, the webapp returns a 403 with no logging indicating why it was forbidden (even with trace logging enabled in logback.xml) with the following being the last set of logs for a given request.

[https-jsse-nio-9643-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorization successful
[https-jsse-nio-9643-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor    : RunAsManager did not change Authentication object
[https-jsse-nio-9643-exec-3] o.s.security.web.FilterChainProxy        : /path/myendpoint reached end of additional filter chain; proceeding with original chain
[https-jsse-nio-9643-exec-3] o.s.w.f.CommonsRequestLoggingFilter      : Before request [GET /path/myendpoint]
[https-jsse-nio-9643-exec-3] o.s.w.f.CommonsRequestLoggingFilter      : After request [GET /path/myendpoint]
[https-jsse-nio-9643-exec-3] o.s.s.w.a.ExceptionTranslationFilter     : Chain processed normally
[https-jsse-nio-9643-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
[https-jsse-nio-9643-exec-3] o.s.b.w.s.f.OrderedRequestContextFilter  : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@1b766a09

The only exception is when I omit the Origin Header from the request or set it to the exact same value as the Spring boot host, in which case the request successfully completes.

Here is my WebSecurityConfigurerAdapter configuration

---

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Collections.singletonList("*"));
    configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH"));
    configuration.setAllowedHeaders(Arrays.asList("X-Requested-With", "Origin", "Content-Type", "Accept", "Authorization"));
    configuration.setAllowCredentials(true);
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/path/**", configuration);
    return source;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors(withDefaults())
    .authorizeRequests()
            .mvcMatchers("/**").authenticated()
            .and()
            .exceptionHandling().accessDeniedHandler(datamartSecurityErrorHandler)
            .and()
            .oauth2ResourceServer().jwt().and().authenticationEntryPoint(datamartSecurityErrorHandler)
    .and().csrf(AbstractHttpConfigurer::disable);
}

@Bean
JwtDecoder jwtDecoder() {
    NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuer);

    OAuth2TokenValidator<Jwt> audienceValidator = new DatamartAudienceValidator(audience);
    OAuth2TokenValidator<Jwt> issuerValidator = JwtValidators.createDefaultWithIssuer(issuer);
    OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(issuerValidator, audienceValidator);

    jwtDecoder.setJwtValidator(validator);

    return jwtDecoder;
}

---

Any requests made to endpoints outside of the /path/** pattern still work fine (without CORS headers).

Has anyone else ran into this or have any suggestions on how to troubleshoot further. Thanks and let me know if I can provide anything else to help answer.

Answer 1

It turns out that there was a CORS filter defined in a web.xml file hiding in our tomcat server's conf folder. Removing the filter and letting Spring handle cors inside the application solved the problem.