
Provide API to Expose the Handling of PreFlight Requests in WebFlux #26257

Closed
rwinch opened this issue Dec 10, 2020 · 3 comments
Labels: in: web (Issues in web modules: web, webmvc, webflux, websocket); type: enhancement (A general enhancement)

Comments

rwinch (Member) commented Dec 10, 2020

Spring MVC provides HandlerMappingIntrospector, which exposes the HandlerMapping's CORS configuration through the CorsConfigurationSource interface. WebFlux allows users to register a CorsConfigurationSource through AbstractHandlerMapping, but does not provide a way of looking up the CORS configuration. This is important because, in order for CORS to work with Spring Security, the CorsWebFilter needs to be placed after the headers but before authorization. We want to inject headers, but preflight requests will not contain credentials in them, so all authorization will be rejected.

It would be nice if WebFlux allowed for exposing the CORS configuration similar to how MVC does.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Dec 10, 2020
mbhave (Contributor) commented Dec 10, 2020

This would solve this issue. The bug in Spring Boot causes pre-flight requests to the actuator endpoints to be rejected with the default security configuration. This can be fixed by adding .cors() to the MVC security configuration but it does not work with WebFlux due to the reasons @rwinch mentioned.

The bug exists in Spring Boot 2.2.x so it would be good to get a fix in Spring Framework 5.2.x.

@rstoyanchev rstoyanchev self-assigned this Dec 14, 2020
@rstoyanchev rstoyanchev added this to the 5.3.3 milestone Dec 14, 2020
@rstoyanchev rstoyanchev added in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement labels Dec 14, 2020
rstoyanchev (Contributor) commented
I'm scheduling tentatively for 5.3.x but I don't know yet how this will be addressed. The most obvious way to address this is to map the request to a target handler but performing full request mapping twice per request is hardly a good place to be. Either we can find a more optimal way to do it, or it is worth questioning whether we have the right approach to begin with.

@rstoyanchev rstoyanchev removed the status: waiting-for-triage An issue we've not yet triaged or decided on label Jan 11, 2021
@rstoyanchev rstoyanchev modified the milestones: 5.3.3, 5.3.4 Jan 11, 2021
rstoyanchev added a commit that referenced this issue Jan 29, 2021:

1. Update the HandlerMapping contract to state that CORS checks are expected
to be applied before returning a handler.

2. DispatcherHandler checks explicitly for pre-flight requests or CORS failed
requests and skips handling for both. Technically no change since
AbstractHandlerMapping already returns a NO_OP_HANDLER for those cases.
The purpose however is for the DispatcherHandler to also guarantee more
explicitly that no such handling can take place for such cases.

As one consequence, this makes it possible to invoke the DispatcherHandler from
anywhere in the WebFilter chain in order to "handle" a pre-flight request, and
then skip the rest of the WebFilter chain.

See gh-26257
@rstoyanchev rstoyanchev changed the title Extract WebFlux CORS configuration into a CorsConfigurationSource Provide API to Expose the Handling of PreFlight Requests in WebFlux Feb 15, 2021
rstoyanchev (Contributor) commented
DispatcherHandler now implements PreFlightRequestHandler which can be invoked earlier during request handling since all it involves is finding the target handler and applying the CORS config. It does not invoke the target handler. This allows Spring Security to handle pre-flight requests through WebFlux from the filter chain, prior to authorization, and without the need to delegate to the rest of the filter chain.
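
The following is an added example (not code from this issue or from the Spring Framework project) of the pattern described in the comment above: a WebFilter that answers pre-flight requests by delegating to the DispatcherHandler as a PreFlightRequestHandler and then stops the filter chain, so the request never reaches an authorization filter that would reject it for lacking credentials. It assumes Spring Framework 5.3.4 or later (where PreFlightRequestHandler exists), a DispatcherHandler bean in the context, and a hypothetical /api/** CORS mapping.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.reactive.CorsUtils;
import org.springframework.web.cors.reactive.PreFlightRequestHandler;
import org.springframework.web.reactive.DispatcherHandler;
import org.springframework.web.reactive.config.CorsRegistry;
import org.springframework.web.reactive.config.WebFluxConfigurer;
import org.springframework.web.server.WebFilter;

@Configuration
public class PreFlightConfig implements WebFluxConfigurer {

    // Hypothetical CORS mapping. handlePreFlight() finds the target handler for
    // the pre-flight request and applies this configuration; without any mapping
    // the pre-flight request is treated as a CORS failure and rejected.
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")   // placeholder origin
                .allowedMethods("GET", "POST")
                .allowedHeaders("Authorization", "Content-Type")
                .allowCredentials(true)
                .maxAge(3600);
    }

    // DispatcherHandler implements PreFlightRequestHandler, so it can be used
    // from anywhere in the WebFilter chain without invoking the target handler.
    @Bean
    public WebFilter preFlightRequestFilter(DispatcherHandler dispatcherHandler) {
        PreFlightRequestHandler preFlightHandler = dispatcherHandler;
        return (exchange, chain) -> {
            // OPTIONS + Origin + Access-Control-Request-Method identifies a pre-flight
            if (CorsUtils.isPreFlightRequest(exchange.getRequest())) {
                // Write the CORS response (or a 403 on failure) and stop the chain,
                // so no downstream authorization filter sees the credential-less request.
                return preFlightHandler.handlePreFlight(exchange);
            }
            // Actual (non-pre-flight) requests continue through the rest of the chain.
            return chain.filter(exchange);
        };
    }
}
```

For the filter to achieve its purpose it must be ordered ahead of the authorization filters in the WebFilter chain; the exact ordering mechanism depends on how security is wired in the application.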

lxbzmy pushed a commit to lxbzmy/spring-framework that referenced this issue Mar 26, 2022