Missing CORS headers defined in SockJS CORS configuration

[stnor]

Affects: 5.2.0

---

I tried to bump Spring and Spring Sec boms to 5.2.0.RELEASE (from 5.1.6.RELEASE, Spring Sec 5.1.5.RELEASE) and ended up with CORS issues:

Access to XMLHttpRequest at 'https://ws.something.com/ws/info?t=1571689325027' from origin 'https://something.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
something.d4e1dbafa8d1cd4d94b8.js:1 Stomp connect error. Whoops! Lost connection to https://ws.something.com/ws

Headers returned (5.1.6) from the /ws/info endpoint:

access-control-allow-credentials: true
access-control-allow-origin: https://something.com
cache-control: no-store, no-cache, must-revalidate, max-age=0
content-encoding: gzip
content-type: application/json;charset=UTF-8
date: Mon, 21 Oct 2019 21:11:08 GMT
status: 200
vary: Origin,Accept-Encoding

Headers returned (5.2.0) from the /ws/info endpoint.

cache-control: no-store, no-cache, must-revalidate, max-age=0
content-encoding: gzip
content-type: application/json;charset=UTF-8
date: Mon, 21 Oct 2019 20:22:15 GMT
status: 200
vary: Accept-Encoding

Config:

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractSessionWebSocketMessageBrokerConfigurer {

    @Autowired
    private JwtAuthenticationWebsocketChannelInterceptorAdapter jwtAuthenticationWebsocketChannelInterceptorAdapter;

    @Bean
    public ServletServerContainerFactoryBean createWebSocketContainer() {
        ServletServerContainerFactoryBean container = new ServletServerContainerFactoryBean();
        container.setMaxTextMessageBufferSize(2048);
        container.setMaxBinaryMessageBufferSize(2048);
        return container;
    }

    @Override
    protected void configureStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/ws")
                .setAllowedOrigins("*")
                .withSockJS()
                .setClientLibraryUrl("https://cdnjs.cloudflare.com/ajax/libs/sockjs-client/1.1.4/sockjs.min.js");
    }

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        config.setApplicationDestinationPrefixes("/ws");
        config.enableSimpleBroker("/topic", "/queue", "/user");
    }

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        registration.interceptors(jwtAuthenticationWebsocketChannelInterceptorAdapter);
    }

}

No other changes to the application than the version bump.

[stnor]

It seems like org.springframework.web.servlet.handler.AbstractHandlerMapping#getHandler doesn't add the SockJS CorsConfiguration to the chain anymore. @sdeleuze ?

See AbstractSockJsService#getCorsConfiguration

d27b5d0

[kuzzan]

We're seeing similar issues.

[jbrokamp]

I have been looking into this as well. The new issue seems to revolve around this method: AbstractHandlerMapping#getHandler.

The first line of that method, AbstractHandlerMapping#getHandlerInternal, always returns a wrapped HandlerExecutionChain instance of the actual handler. The wrapped handler, not the SockJsHttpRequestHandler itself, is passed into a new method.

The new method was introduced in 5.2 AbstractHandlerMapping#hasCorsConfigurationSource
Pre 5.2 there was simply a check if the Origin header was present or not. This is why the CorsInterceptor, which would add the headers to the response, is not added anymore to the handler!

@stnor, does this fully cover your case as well?

@sdeleuze, I've created a PR #23868 to resolve the situation I described above. I recursively call the method with the actual handler if the 'handler' is actually the HandlerExecutionChain. Merge it if you like the solution.

edit:
As a workaround, downgrade spring-webmvc to latest 5.1 seems to work fine in our particular setup, while still working with other spring 5.2 dependencies.
When using spring-boot, also need to downgrade spring-boot-autoconfigure for compatibility with the 5.1 spring-webmvc.

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-autoconfigure</artifactId>
            <version>2.1.9.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>5.1.10.RELEASE</version>
        </dependency>

[stnor]

@jbrokamp I wasn't able to build your fork and deploy to the local repo for some reason.