Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Actuator doesn't use the CORS Configuration with default security configuration and Spring MVC #11987

Closed
mbhave opened this issue Feb 9, 2018 · 8 comments
Closed

Actuator doesn't use the CORS Configuration with default security configuration and Spring MVC #11987

mbhave opened this issue Feb 9, 2018 · 8 comments
Assignees
@mbhave
Labels
type: bug A general bug
Milestone
2.3.11

Comments

@mbhave
Copy link
Contributor

mbhave commented Feb 9, 2018

If Spring Security can add this as a default, we don't need to do anything. If Spring Security doesn't make this a default, we need to see how this can be done. Adding http.cors() here wouldn't work for Jersey because there is no CorsFilter or CorsConfigurationSource
@mbhave mbhave added the status: waiting-for-triage An issue we've not yet triaged label Feb 9, 2018
@michael-simons
Copy link
Contributor

@wilkinsona pointed me at this ticket. I'm about to write some config for exactly having that feature with Actuator on Jersey.

Regarding Spring Security: Wouldn't that tangle Actuator and Security again?

@mbhave
Copy link
Contributor Author

mbhave commented Feb 14, 2018

If Spring Security added it as a default, Spring Boot wouldn't need to add anything extra and it would just rely on Spring Security's defaults. It wouldn't tangle Actuator and Security because there would be no actuator specific configuration in Spring Boot's security auto-config.

@philwebb philwebb added the status: blocked An issue that's blocked on an external project change label Jun 15, 2018
@mbhave mbhave self-assigned this Nov 16, 2018
@mbhave mbhave added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 14, 2019
@philwebb philwebb added this to the 2.1.x milestone Jun 14, 2019
@philwebb philwebb modified the milestones: 2.1.x, 2.2.x Jun 10, 2020
@mbhave
Copy link
Contributor Author

mbhave commented Nov 13, 2020

See #9548.

@mbhave
Copy link
Contributor Author

mbhave commented Dec 1, 2020

Unblocking this as we have a separate configuration for the management endpoints now in order to expose health and info. So even if Spring Security adds it as a default we would need to call .cors() in the management security auto-configuration.

@mbhave mbhave removed the status: blocked An issue that's blocked on an external project change label Dec 1, 2020
@mbhave mbhave mentioned this issue Dec 2, 2020
Closed
@mbhave mbhave closed this as completed in 7b38b0e Dec 2, 2020
@mbhave
Copy link
Contributor Author

mbhave commented Dec 2, 2020

I tagged the wrong issue.

@mbhave mbhave reopened this Dec 2, 2020
bclozel added a commit to spring-io/concourse-release-scripts that referenced this issue Dec 3, 2020
@bclozel
Add SDKMAN to pipeline
0887737 
See spring-projects/spring-boot#11987
@mbhave mbhave mentioned this issue Dec 10, 2020
Closed
@mbhave
Copy link
Contributor Author

mbhave commented Dec 10, 2020

Blocked on spring-projects/spring-framework#26257

@mbhave mbhave added the status: blocked An issue that's blocked on an external project change label Dec 10, 2020
@philwebb philwebb modified the milestones: 2.2.x, 2.3.x Dec 16, 2020
@mbhave mbhave changed the title Actuator doesn't use the CORS Configuration with default security config Actuator doesn't use the CORS Configuration with default security configuration and Spring MVC Dec 16, 2020
@mbhave mbhave mentioned this issue Dec 16, 2020
Closed
@mbhave
Copy link
Contributor Author

mbhave commented Dec 16, 2020

I've created a separate issue for Webflux.

@mbhave mbhave removed the status: blocked An issue that's blocked on an external project change label Dec 16, 2020
@mbhave mbhave mentioned this issue Dec 16, 2020
Closed
@mbhave mbhave closed this as completed in 09e0742 Dec 16, 2020
@mbhave mbhave modified the milestones: 2.3.x, 2.3.8 Dec 16, 2020
mbhave added a commit that referenced this issue Dec 16, 2020
@mbhave
Fix tests
361198e 
See gh-11987
@mbhave
Copy link
Contributor Author

mbhave commented Jan 4, 2021
edited
Loading

Reopening this issue because adding cors will fail for Jersey. Spring Security throws an exception if .cors() is invoked without a CorsFilter or a CorsConfigurationSource bean.

@mbhave mbhave reopened this Jan 4, 2021
@mbhave mbhave modified the milestones: 2.3.8, 2.3.x Jan 4, 2021
mbhave added a commit that referenced this issue Jan 4, 2021
@mbhave
Revert fix to enable cors for actuator endpoints
9928d74 
The fix causes a Jersey application to fail in the absence
of a `CorsFilter` or `CorsConfigurationSource` bean.

See gh-11987
@mbhave mbhave mentioned this issue May 19, 2021
Closed
@mbhave mbhave closed this as completed in b26e842 May 19, 2021
@mbhave mbhave modified the milestones: 2.3.x, 2.3.11 May 19, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mbhave mbhave

Labels
type: bug A general bug
Projects
None yet
Milestone
2.3.11
Development

No branches or pull requests
3 participants
@philwebb @michael-simons @mbhave