Spring Framework - SPR-16304

Access-Control-Allow-Origin header returns wrong value using SockJS


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 4.3.9
    • Fix Version/s: 4.3.14, 5.0.3
    • Component/s: Messaging:WebSocket
    • Labels: None

    Description

      Example of a WebSocket configuration using SockJS:

      import org.springframework.context.annotation.Configuration;
      import org.springframework.messaging.simp.config.MessageBrokerRegistry;
      import org.springframework.scheduling.concurrent.DefaultManagedTaskScheduler;
      import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
      import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
      import org.springframework.web.socket.config.annotation.StompEndpointRegistry;

      @Configuration
      @EnableWebSocketMessageBroker
      public class WebSocketAppConfig extends AbstractWebSocketMessageBrokerConfigurer {

          @Override
          public void registerStompEndpoints(StompEndpointRegistry registry) {
              // Only https://example.com may open the SockJS endpoint; any other origin is rejected.
              registry.addEndpoint("/ws").setAllowedOrigins("https://example.com").withSockJS();
          }

          @Override
          public void configureMessageBroker(MessageBrokerRegistry config) {
              // Simple in-memory broker with 10 s heartbeats in both directions.
              config.enableSimpleBroker("/topic")
                    .setHeartbeatValue(new long[] {10000, 10000})
                    .setTaskScheduler(new DefaultManagedTaskScheduler());
              config.setApplicationDestinationPrefixes("/app");
          }
      }


      When we set the allowed origin to https://example.com and make a call to the server, let's say /ws/info/, with the header (I will exclude the others just to show the example)

      Origin: https://another.example.com


      the server correctly returns HTTP status 403 Forbidden.
      But it also returns

      Access-Control-Allow-Origin: https://another.example.com
      access-control-allow-credentials: true
      

      The issue is that an incorrect origin was sent and it is returned as allowed.

      I've found that

      AbstractSockJsService.getCorsConfiguration

      returns a wildcard every time.
      The check is done in OriginHandshakeInterceptor.java, but the headers are created in
      DefaultCorsProcessor.java at line 121:

      String allowOrigin = checkOrigin(config, requestOrigin);

      which accepts the configuration from AbstractSockJsService.getCorsConfiguration.

      (I assume this is also occurring on newer versions because I didn't find any issues regarding this topic)
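To check a deployment for the mismatch reported above, here is an added example (not code from this issue or from the Spring Framework) that parses a raw /ws/info response and compares the CORS headers it grants against the configured allowlist; the two responses are constructed from the headers quoted in the report, and no server is contacted.

```python
from typing import Dict, List, Tuple

# Allowlist taken from the report's setAllowedOrigins("https://example.com").
ALLOWED_ORIGINS = ["https://example.com"]

# Constructed raw response reproducing the headers quoted in the report for a
# request to /ws/info carrying "Origin: https://another.example.com".
BUGGY_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Access-Control-Allow-Origin: https://another.example.com\r\n"
    "access-control-allow-credentials: true\r\n"
    "\r\n"
)

# Constructed response a consistent server gives: rejected, and no CORS grant at all.
EXPECTED_RESPONSE = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")  # header names are case-insensitive
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_cors(request_origin: str, raw: str, allowed: List[str]) -> List[str]:
    """Return findings for any gap between the allowlist and what the response
    actually grants; an empty list means the response is consistent."""
    status, h = parse_response(raw)
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    origin_allowed = request_origin in allowed
    findings: List[str] = []
    if not origin_allowed and status != 403:
        findings.append(f"origin {request_origin} is not allowlisted but status is {status}")
    if acao not in (None, "*") and acao not in allowed:
        # The defect from the report: a rejected origin is echoed back as allowed.
        findings.append(f"Access-Control-Allow-Origin grants non-allowlisted origin {acao}")
    if acao == "*" and credentials:
        # Browsers refuse this combination; it signals a misconfigured CORS policy.
        findings.append("wildcard Access-Control-Allow-Origin with allow-credentials: true")
    if origin_allowed and acao not in (request_origin, "*"):
        findings.append(f"allowlisted origin {request_origin} but Access-Control-Allow-Origin is {acao}")
    return findings
```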

      People

        Assignee: Sébastien Deleuze (sdeleuze)
        Reporter: Richard Janík (richardJ)