fix: cors filter should not store in local variable allowed origins #4687

yurem · 2023-04-19T19:18:27Z

CorsFilter in doFilter method get allowed origins based on request and set them in AbstractCorsFilter.allowedOrigins before calling AbstractCorsFilter.doFilter. This is bad idea to pass them in such way because WebFilter is defined with asyncSupported = true. Hence second request can override this variable value. We can use:

request.setAttribute("clientAllowedOrigins", clientAllowedOrigins);

to pass client allowed origins to AbstractCorsFilter.doFilter

origins #4687

yurem self-assigned this Apr 19, 2023

yurem added a commit that referenced this issue Apr 19, 2023

fix: cors filter should not store in local variable allowed

9aa1a6a

origins #4687

mo-auto added the kind-bug Issue or PR is a bug in existing functionality label Apr 19, 2023

yuriyz pushed a commit that referenced this issue Apr 19, 2023

fix: cors filter should not store in local variable allowed (#4688)

0d99195

origins #4687

moabu added this to the 1.0.13 milestone May 1, 2023

This was referenced May 10, 2023

chore(main): release jans-core 1.0.13 #4940

Merged

chore(main): release jans-auth-server 1.0.13 #4941

Merged

moabu closed this as completed in #4941 May 10, 2023

mo-auto mentioned this issue Jul 12, 2023

chore(main): release jans-auth-server 1.0.15 #5496

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: cors filter should not store in local variable allowed origins #4687

fix: cors filter should not store in local variable allowed origins #4687

yurem commented Apr 19, 2023

fix: cors filter should not store in local variable allowed origins #4687

fix: cors filter should not store in local variable allowed origins #4687

Comments

yurem commented Apr 19, 2023