improve logging of DefaultCorsProcessor for rejected headers [SPR-15708] #20265

Closed
@spring-projects-issues

shorn tolley opened SPR-15708 and commented

The DefaultCorsProcessor rejects quietly when various conditions aren't met. This leads to confusion when trying to set up CORS handling with spring web/security.

In my situation, I didn't have the correct "allowedHeaders" configuration for a pre-flight request.
This led to me thinking the eventual "403" error had something to do with my authentication and authorization chain.

It would be helpful if this piece of code were refactored slightly to add a debug/trace message to tell the developer the fact that the request is being rejected because of a CORS issue (and why).

This is important because people often do auth + CORS at the same time - especially when implementing a Single-Page-Application. They'll hit CORS issues straight away when they start developing and the CORS config problems tend to get confused with auth config problems.

I'd be happy to submit a pull request if you think this functionality would be good to have.


Affects: 4.3.7, 4.3.8, 4.3.9, 5.0 GA

Reference URL: https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java#L130

Referenced from: commits 9901c38
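
The situation described in this issue, reproduced as an added example (not code from the issue or from Spring): a pre-flight asking for a header that `allowedHeaders` does not list is answered with a bare 403, and re-running the `CorsConfiguration` checks by hand shows which one failed. The `explain` helper, the origin `https://spa.example` and the path `/api/orders` are assumptions made for illustration; it needs spring-web, spring-test and the servlet API on the classpath.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.DefaultCorsProcessor;

public class CorsPreflightDiagnosis {

    // Hypothetical helper (not a Spring API): names the CorsConfiguration check
    // that returns null for this pre-flight, i.e. the reason for the rejection.
    static String explain(CorsConfiguration config, String origin,
                          String method, List<String> requestHeaders) {
        if (config.checkOrigin(origin) == null) {
            return "origin '" + origin + "' is not allowed";
        }
        if (config.checkHttpMethod(HttpMethod.valueOf(method)) == null) {
            return "method '" + method + "' is not allowed";
        }
        if (config.checkHeaders(requestHeaders) == null) {
            return "no requested header in " + requestHeaders
                    + " matches allowedHeaders " + config.getAllowedHeaders();
        }
        return "all checks pass";
    }

    public static void main(String[] args) throws Exception {
        // Constructed configuration: "Authorization" is missing from allowedHeaders.
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(Arrays.asList("https://spa.example"));
        config.setAllowedMethods(Arrays.asList("GET", "POST"));
        config.setAllowedHeaders(Arrays.asList("Content-Type"));

        // Constructed pre-flight, as a browser sends before an authenticated POST.
        MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/api/orders");
        request.addHeader("Origin", "https://spa.example");
        request.addHeader("Access-Control-Request-Method", "POST");
        request.addHeader("Access-Control-Request-Headers", "Authorization");
        MockHttpServletResponse response = new MockHttpServletResponse();

        // The processor rejects the request; the response itself does not say which check failed.
        boolean accepted = new DefaultCorsProcessor().processRequest(config, request, response);
        System.out.println("accepted=" + accepted + " status=" + response.getStatus());
        System.out.println("reason: " + explain(config, "https://spa.example", "POST",
                Arrays.asList("Authorization")));
    }
}
```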

Labels

in: web - Issues in web modules (web, webmvc, webflux, websocket)
type: enhancement - A general enhancement
