Actuator doesn't use the CORS Configuration with default security configuration and Spring Webflux #24541

Closed
mbhave opened this issue Dec 16, 2020 · 3 comments

mbhave commented Dec 16, 2020

See #11987 (comment)

@mbhave mbhave added this to the 2.3.x milestone Dec 16, 2020
@mbhave mbhave added type: bug A general bug status: blocked An issue that's blocked on an external project change labels Dec 16, 2020

mbhave commented Apr 30, 2021

Moving to 2.4.x as the fix for this is in Spring Framework 5.3.x


mbhave commented Apr 30, 2021

It is currently blocked on Spring Framework adding a PreflightWebFilter and Spring Security then adding something in the DSL. The current workaround is to configure a custom security configuration as follows:

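    import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
    import org.springframework.boot.actuate.health.HealthEndpoint;
    import org.springframework.boot.actuate.info.InfoEndpoint;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
    import org.springframework.security.config.web.server.ServerHttpSecurity;
    import org.springframework.security.web.server.SecurityWebFilterChain;
    import org.springframework.web.cors.reactive.CorsUtils;
    import org.springframework.web.cors.reactive.PreFlightHandler;

    // Class name is illustrative; the snippet as posted showed only the bean method.
    @Configuration(proxyBeanMethods = false)
    class ActuatorSecurityConfiguration {
        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, PreFlightHandler handler) throws Exception {
            http.authorizeExchange((exchanges) -> {
                exchanges.matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();
                exchanges.anyExchange().authenticated();
            });
            // Answer CORS preflight requests at the CORS position, before authentication runs
            http.addFilterAt((e, c) -> {
                if (CorsUtils.isPreFlightRequest(e.getRequest())) {
                    return handler.handlePreFlight(e);
                } else {
                    return c.filter(e);
                }
            }, SecurityWebFiltersOrder.CORS);
            http.httpBasic(Customizer.withDefaults());
            http.formLogin(Customizer.withDefaults());
            return http.build();
        }
    }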
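
A regression check for the workaround above, added here as an example; it is not code from the issue or from Spring Boot's test suite. It assumes a WebFlux application with Actuator, Spring Security and the security configuration from the comment above; the test class name and the origins are constructed, and the two `management.endpoints.web.cors.*` properties are Spring Boot's actuator CORS settings.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
import org.springframework.http.HttpHeaders;
import org.springframework.test.web.reactive.server.WebTestClient;

// Hypothetical test class (added example); origins below are constructed sample values.
@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT, properties = {
        "management.endpoints.web.cors.allowed-origins=https://ui.example.com",
        "management.endpoints.web.cors.allowed-methods=GET" })
class ActuatorCorsPreflightTests {

    @Autowired
    private WebTestClient client;

    // A browser sends the preflight without credentials, so it has to be answered
    // from the actuator CORS configuration before any authentication filter runs.
    @Test
    void preflightFromAllowedOriginIsAnsweredWithoutCredentials() {
        preflight("https://ui.example.com")
                .expectStatus().isOk()
                .expectHeader().valueEquals(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "https://ui.example.com");
    }

    // An origin that is not in the allow-list must not receive CORS approval.
    @Test
    void preflightFromUnknownOriginIsRejected() {
        preflight("https://other.example.net")
                .expectStatus().isForbidden()
                .expectHeader().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN);
    }

    // Builds an unauthenticated CORS preflight (OPTIONS + Origin + Access-Control-Request-Method).
    private WebTestClient.ResponseSpec preflight(String origin) {
        return this.client.options().uri("/actuator/health")
                .header(HttpHeaders.ORIGIN, origin)
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")
                .exchange();
    }
}
```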

@philwebb

The framework change is in but Spring Security issue spring-projects/spring-security#9703 is still open. We can make this work in 2.4.x then make it pretty when the security issue is fixed.

@philwebb philwebb removed the status: blocked An issue that's blocked on an external project change label May 19, 2021
@mbhave mbhave closed this as completed in 27fee5f May 19, 2021
@mbhave mbhave modified the milestones: 2.4.x, 2.4.6 May 19, 2021