Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Enable Spring MVC's CORS-handling features

Description

The base class for Spring MVC HandlerMapping implementations (org.springframework.web.servlet.handler.AbstractHandlerMapping) provides functionality to handle CORS requests. They can't currently be used as the beans are initialised in the mvc-beans.xml file residing in the idp-conf-impl JAR. For instance:

<bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping" p:order="0" p:flowRegistry-ref="flowRegistry"> <property name="flowUrlHandler"> <bean class="net.shibboleth.idp.profile.support.PathInfoSupportingFlowUrlHandler" p:supportedFlows="#{getObject('shibboleth.RESTFlows') ?: getObject('shibboleth.DefaultRESTFlows')}" /> </property> </bean>

The bean could be initialised with a configurable corsConfigurationSource -property in order to activate the CORS handling for the desired endpoints.

Environment

None

Confluence content

mentioned on

Activity

Show:

Henri MikkonenMarch 17, 2022 at 11:36 AM

The bean shibboleth.CorsConfiguration is now injected to the FlowHandlerMapping. If the bean is null / non-existing, the behaviour should remain as before injecting the bean. If it's set, it's supposed to be a map of CorsConfigurations.

For instance:

<util:map id="shibboleth.CorsConfigurations" value-type="org.springframework.web.cors.CorsConfiguration"> <entry key="/oidc/userinfo"> <bean class="org.springframework.web.cors.CorsConfiguration" p:allowedOrigins="http://localhost:8080,http://localhost:8081" p:allowedMethods="GET,POST" p:allowedHeaders="Authorization" p:maxAge="1800" /> </entry> </util:map>

The keys in the map correspond to the locations under the <context>/profile URL space.

Henri MikkonenFebruary 25, 2022 at 2:52 PM

The simplest and so far the best way to enable configurable CORS support seems to be to refer to a configurable map of CorsConfigurations in the FlowHandlerMapping bean:

<bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping" p:order="0" p:flowRegistry-ref="flowRegistry" p:corsConfigurations="#{getObject('shibboleth.CorsConfigurations')}"> <property name="flowUrlHandler"> <bean class="net.shibboleth.idp.profile.support.PathInfoSupportingFlowUrlHandler" p:supportedFlows="#{getObject('shibboleth.RESTFlows') ?: getObject('shibboleth.DefaultRESTFlows')}" /> </property> </bean>

The bean/object shibboleth.CorsConfigurations can be null or undefined. In that case the functionality is the same as without having the property set at all.

The map could then be defined for instance in the global beans in the following way:

<util:map id="shibboleth.CorsConfigurations" value-type="org.springframework.web.cors.CorsConfiguration"> <entry key="/oidc/userinfo"> <bean class="org.springframework.web.cors.CorsConfiguration" p:allowedOrigins="http://localhost:8080,http://localhost:8081" p:allowedMethods="GET" p:allowedHeaders="Authorization" p:maxAge="1800" /> </entry> </util:map>

Do we want to support other handlers mapping in addition to the Web Flow handler? So far I’ve only tested this with the web flows: in that case they keys (URLs) in the configuration map seems to refer to the values after /profile -prefix, under the idp context.

Henri MikkonenFebruary 23, 2022 at 4:35 PM

The following snippet activates the Spring CORS-handling with default settings (CorsConfiguration.applyPermitDefaultValues()) to the OIDC OP’s userinfo endpoint

 

<bean id="corsConfiguration" class="org.springframework.web.cors.CorsConfiguration"/> <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"> <property name="targetObject" ref="corsConfiguration" /> <property name="targetMethod" value="applyPermitDefaultValues" /> </bean> <bean id="corsSource" class="org.springframework.web.cors.UrlBasedCorsConfigurationSource"/> <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"> <property name="targetObject" ref="corsSource" /> <property name="targetMethod" value="registerCorsConfiguration" /> <property name="arguments"> <list> <bean class="java.lang.String" c:original="/oidc/userinfo"/> <ref bean="corsConfiguration"/> </list> </property> </bean> <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerMapping" p:order="0" p:flowRegistry-ref="flowRegistry"> <property name="flowUrlHandler"> <bean class="net.shibboleth.idp.profile.support.PathInfoSupportingFlowUrlHandler" p:supportedFlows="#{getObject('shibboleth.RESTFlows') ?: getObject('shibboleth.DefaultRESTFlows')}" /> </property> <property name="corsConfigurationSource"> <ref bean="corsSource"/> </property> </bean>

 

curl pre-flight example after the setup above:

 

curl -H "Origin: http://localhost" -H "Access-Control-Request-Method: GET" -X OPTIONS --verbose https://server.local/idp/profile/oidc/userinfo ... > OPTIONS /idp/profile/oidc/userinfo HTTP/1.1 > Host: server.local > User-Agent: curl/7.64.1 > Accept: */* > Origin: http://localhost > Access-Control-Request-Method: GET > < HTTP/1.1 200 OK < Date: Wed, 23 Feb 2022 16:33:08 GMT ... < Access-Control-Allow-Origin: * < Access-Control-Allow-Methods: GET,HEAD,POST < Access-Control-Max-Age: 1800 < Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH < Content-Length: 0 < Set-Cookie: JSESSIONID=node0m41pazehxk5gxxvhzpso3i1r4.node0;Path=/idp;Secure;HttpOnly < Access-Control-Allow-Origin: *
Done

Details

Assignee

Reporter

Components

Fix versions

Created February 23, 2022 at 4:31 PM
Updated October 17, 2024 at 4:33 PM
Resolved March 17, 2022 at 11:36 AM

Flag notifications