Contributor

@baezzys baezzys commented Jul 21, 2024

Closes gh-15378

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 21, 2024
@jzheaux jzheaux requested a review from marcusdacoregio July 22, 2024 21:49
@marcusdacoregio marcusdacoregio added in: web An issue in web modules (web, webmvc) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 24, 2024
@marcusdacoregio marcusdacoregio added this to the 6.2.6 milestone Jul 24, 2024
@marcusdacoregio
Contributor

Hi @baezzys, thanks for the PR. Can you please target the 6.2.x branch in your PR and rebase your branch with it?

Map<String, CorsConfigurationSource> corsConfigurationSources = this.context
.getBeansOfType(CorsConfigurationSource.class);

boolean hasUrlBasedCorsConfigurationSource = corsConfigurationSources.values()
Contributor

Would you please adopt another strategy instead of using Stream?

Contributor Author

I have refactored the code to avoid using Streams. PTAL. Thanks.

@baezzys baezzys changed the base branch from main to 6.2.x July 24, 2024 15:20
@baezzys
Contributor Author

baezzys commented Jul 24, 2024

Hi @marcusdacoregio, I have completed the rebase and retargeted the PR to the 6.2.x branch.

Contributor

@marcusdacoregio marcusdacoregio left a comment

Thanks @baezzys, I've left some feedback inline.


for (CorsConfigurationSource source : corsConfigurationSources.values()) {
if (source instanceof UrlBasedCorsConfigurationSource) {
http.cors(withDefaults());
Contributor

I wonder if we should check if the instance is UrlBasedCorsConfigurationSource and if the bean name is corsConfigurationSource, since this is the bean name used by the CorsConfigurer, to avoid picking up the wrong CorsConfigurationSource.

Contributor Author

I have updated the code to check if there are any beans of type UrlBasedCorsConfigurationSource using getBeanNamesForType. If such beans exist, CORS configuration is applied.

If this is not what you intended, please feel free to provide further feedback.


this.mockMvc.perform(formLogin()).andExpect(header().doesNotExist("Access-Control-Allow-Origin"));
}

Contributor

Can you please add a test that verifies if the header Vary is not present? In summary, simulate the problem reported in #15378 and assert that it is fixed.

You can add the issue number in the test, like so:

// gh-15378
@Test
void ...() {
}

Contributor Author

I have updated the existing test code to verify if the Vary header is not present. Thank you for your feedback!

…onSource

- Update CORS configuration logic to automatically enable .cors() only if a UrlBasedCorsConfigurationSource bean is present.
- Modify applyCorsIfAvailable method to check for UrlBasedCorsConfigurationSource instances.
@marcusdacoregio marcusdacoregio merged commit 3d4bcf1 into spring-projects:6.2.x Jul 29, 2024
4 checks passed
@marcusdacoregio
Contributor

Thanks @baezzys, this is now merged into 6.2.x, 6.3.x and main.

Successfully merging this pull request may close these issues.

Response header Vary since Spring Security 6.2.0