improve logging of DefaultCorsProcessor for rejected headers [SPR-15708] #20265
Labels
in: web
Issues in web modules (web, webmvc, webflux, websocket)
type: enhancement
A general enhancement
shorn tolley opened SPR-15708 and commented
The DefaultCorsProcessor rejects quietly when various conditions aren't met. This leads to confusion when trying to set up CORS handling with spring web/security.
In my situation, I didn't have the correct "allowedHeaders" configuration for a pre-flight request.
This led to me thinking the eventual "403" error had something to do with my authentication and authorization chain.
It would be helpful if this piece of code were refactored slightly to add a debug/trace message to tell the developer the fact that the request is being rejected because of a CORS issue (and why).
This is important because people often do auth + CORS at the same time - especially when implementing a Single-Page-Application. They'll hit CORS issues straight away when they start developing and the CORS config problems tend to get confused with auth config problems.
I'd be happy to submit a pull request if you think this functionality would be good to have.
Affects: 4.3.7, 4.3.8, 4.3.9, 5.0 GA
Reference URL: https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/java/org/springframework/web/cors/DefaultCorsProcessor.java#L130
Referenced from: commits 9901c38
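To tell a CORS rejection apart from an auth failure, the same origin, method and header checks can be run directly against a `CorsConfiguration` using its public `checkOrigin`, `checkHttpMethod` and `checkHeaders` methods. The following is an added example, not Spring's code or the reporter's; the class name `CorsPreflightDiagnostics`, the method `explainRejection` and the sample origin and header values are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;

// Added diagnostic sketch; class and method names are hypothetical.
public class CorsPreflightDiagnostics {

    // Returns the reason a pre-flight would be rejected, or null if every check passes.
    static String explainRejection(CorsConfiguration config, String origin,
                                   HttpMethod requestedMethod, List<String> requestedHeaders) {
        if (config.checkOrigin(origin) == null) {
            return "origin '" + origin + "' does not match allowedOrigins "
                    + config.getAllowedOrigins();
        }
        if (config.checkHttpMethod(requestedMethod) == null) {
            return "method " + requestedMethod + " does not match allowedMethods "
                    + config.getAllowedMethods();
        }
        // checkHeaders yields null when no requested header matches allowedHeaders,
        // including the case where allowedHeaders was never configured.
        if (config.checkHeaders(requestedHeaders) == null) {
            return "none of the requested headers " + requestedHeaders
                    + " match allowedHeaders " + config.getAllowedHeaders();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample configuration: Authorization is missing from allowedHeaders.
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(Arrays.asList("https://spa.example"));
        config.setAllowedMethods(Arrays.asList("GET", "POST"));
        config.setAllowedHeaders(Arrays.asList("Content-Type"));

        // Constructed pre-flight carrying "Access-Control-Request-Headers: authorization".
        List<String> requested = Arrays.asList("authorization");
        System.out.println("before fix: "
                + explainRejection(config, "https://spa.example", HttpMethod.POST, requested));

        // Corrected configuration: the header the client sends is now allowed.
        config.setAllowedHeaders(Arrays.asList("Content-Type", "Authorization"));
        System.out.println("after fix:  "
                + explainRejection(config, "https://spa.example", HttpMethod.POST, requested));
    }
}
```

Running it needs only `spring-web` on the classpath, so the configuration can be checked in a unit test before the security filter chain is involved.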