Response header Vary since Spring Security 6.2.0 #15378

Closed
renetrefft opened this issue Jul 8, 2024 · 6 comments · Fixed by #15444
Labels: in: web (An issue in web modules (web, webmvc)), status: duplicate (A duplicate of another issue), type: bug (A general bug)

Comments

renetrefft commented Jul 8, 2024

After upgrading from Spring Boot 3.1.* to Spring Boot 3.2.0, which includes Spring Security 6.2.0, responses of REST services provided by @Controller classes have Vary headers if org.springframework.boot:spring-boot-starter-security is on the classpath.

Is this intended? We immediately noticed this change since our CDN Akamai does not cache responses with this header.

@renetrefft renetrefft added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jul 8, 2024
malaquf commented Jul 18, 2024

Hi @renetrefft, we also noticed this issue and I believe this is the commit that introduces it. Now CorsFilter is configured by default if CorsConfigurationSource is present.

malaquf commented Jul 18, 2024

I believe this side effect is not intended, as HandlerMappingIntrospector implements CorsConfigurationSource and is instantiated by default by WebMvcConfigurationSupport in Spring Boot auto-configuration.

@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 18, 2024
jzheaux commented Jul 18, 2024

I agree that this is likely not the intent. It may be best for Spring Security to be more conservative for the time being and pick up only UrlBasedCorsConfigurationSource instances.
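As an added example (not code from this thread or from Spring Security itself), this is the explicit wiring the conservative approach implies: a named UrlBasedCorsConfigurationSource bean passed directly to the filter chain, so that CorsFilter, and the Vary headers it adds to matched responses, is a deliberate choice for the paths it covers rather than a side effect of HandlerMappingIntrospector being on the context. The origin pattern, paths and header list are assumptions.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class ExplicitCorsSecurityConfig {

    // Named "corsConfigurationSource" so Spring Security's CorsConfigurer would also
    // find it by name; the filter chain below passes it explicitly anyway.
    @Bean
    UrlBasedCorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        // Assumed values: restrict to a known origin pattern, no wildcard, no credentials.
        cfg.setAllowedOriginPatterns(List.of("https://*.example.com"));
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        cfg.setAllowCredentials(false);
        cfg.setMaxAge(3600L); // cache preflight results for one hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Only "/web/**" gets CORS processing (and therefore Vary headers);
        // other paths are left untouched so a CDN can still cache them.
        source.registerCorsConfiguration("/web/**", cfg);
        return source;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    UrlBasedCorsConfigurationSource source) throws Exception {
        http
            // Explicit source: no reliance on bean-type discovery of any CorsConfigurationSource.
            .cors(cors -> cors.configurationSource(source))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/web/**").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }
}
```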

@jzheaux jzheaux added this to the 6.2.6 milestone Jul 18, 2024
baezzys commented Jul 19, 2024

Hi @jzheaux I'd like to contribute to this issue. Can I work on it?

marcusdacoregio (Contributor) commented
Closed via 3d4bcf1

@marcusdacoregio marcusdacoregio added the status: duplicate A duplicate of another issue label Jul 29, 2024
piotrooo commented
I think this change should be interpreted as a breaking change since, after the update from 3.3.2 to 3.3.3, it is no longer working.

FYI @marcusdacoregio, @baezzys and @jzheaux

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// MVC-level CORS registration; relies on HandlerMappingIntrospector being
// picked up as the CorsConfigurationSource by Spring Security.
@Configuration
public class CorsWebConfiguration implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/web/**")
                .allowedOriginPatterns("https://*.example.com")
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD");
    }
}
```


6 participants