CORS handling

Some relying parties may send CORS (Cross-Origin Resource Sharing) pre-flight requests to the IdP. This page discusses some alternatives for handling them.

Java Servlet Container

At least Jetty and Tomcat have their own Filter implementations for handling CORS requests:

Spring CORS Configuration

Spring provides a native/proprietary mechanism for supporting this. A global bean called shibboleth.CorsConfigurations may contain a map of org.springframework.web.cors.CorsConfiguration declarations, where the key of each entry corresponds to a location under the <context>/profile URL tree (e.g., /oidc/token corresponds to https://idp.example.org/idp/profile/oidc/token).

By default, the map is not defined, so Spring does not provide any CORS handling.

The following example activates Spring CORS handling for the OP plugin's token endpoint:

<util:map id="shibboleth.CorsConfigurations" value-type="org.springframework.web.cors.CorsConfiguration">
    <entry key="/oidc/token">
        <bean class="org.springframework.web.cors.CorsConfiguration"
            p:allowedOrigins="http://localhost:8080,http://localhost:8081"
            p:allowedMethods="POST"
            p:allowedHeaders="Authorization"
            p:maxAge="1800" />
    </entry>
</util:map>

This enables CORS pre-flight request handling for the two example origins when the HTTP request header Access-Control-Request-Method is set to POST.

Debugging

Debug logging of the Spring class org.springframework.web.cors.DefaultCorsProcessor is useful for finding out why pre-flight requests fail.

Some example log lines from pre-flight requests that did not match the shibboleth.CorsConfigurations entry:

2024-05-31 13:37:29,843 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:119] - Reject: 'http://localhost:8082' origin is not allowed

2024-05-31 13:37:57,109 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:127] - Reject: HTTP 'GET' is not allowed
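As an added example (not code from the Shibboleth project or from Spring), the following Java harness builds the same CorsConfiguration as the /oidc/token bean above programmatically and runs Spring's own DefaultCorsProcessor against mock pre-flight requests, so a deployer can see which origins and methods pass the configuration section's settings and which produce the "Reject:" lines shown in the Debugging section, without touching a running IdP. It assumes spring-web and spring-test are on the classpath; the class TokenEndpointCorsCheck and the methods tokenEndpointConfig and preflight are hypothetical names chosen here.

```java
import java.util.List;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.cors.DefaultCorsProcessor;

// Hypothetical check harness (not part of the IdP): evaluates pre-flight requests
// against the same settings as the shibboleth.CorsConfigurations entry for /oidc/token.
public class TokenEndpointCorsCheck {

    // Programmatic twin of the <bean> declared for key "/oidc/token".
    static CorsConfiguration tokenEndpointConfig() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("http://localhost:8080", "http://localhost:8081"));
        config.setAllowedMethods(List.of("POST"));
        config.setAllowedHeaders(List.of("Authorization"));
        config.setMaxAge(1800L);
        return config;
    }

    // Builds a browser-style OPTIONS pre-flight and returns the Access-Control-Allow-Origin
    // value Spring would send, or null when DefaultCorsProcessor rejects the request
    // (the "Reject:" debug lines are logged from exactly that code path).
    static String preflight(String origin, String method, String requestHeaders) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest("OPTIONS", "/idp/profile/oidc/token");
        request.addHeader("Origin", origin);
        request.addHeader("Access-Control-Request-Method", method);
        if (requestHeaders != null) {
            request.addHeader("Access-Control-Request-Headers", requestHeaders);
        }
        if (!CorsUtils.isPreFlightRequest(request)) {
            throw new IllegalStateException("not a pre-flight request");
        }
        MockHttpServletResponse response = new MockHttpServletResponse();
        boolean accepted = new DefaultCorsProcessor().processRequest(tokenEndpointConfig(), request, response);
        return accepted ? response.getHeader("Access-Control-Allow-Origin") : null;
    }

    public static void main(String[] args) throws Exception {
        // Listed origin, POST, Authorization header: passes the configuration.
        System.out.println(preflight("http://localhost:8080", "POST", "Authorization"));
        // Unlisted origin: rejected, the "origin is not allowed" case in the log.
        System.out.println(preflight("http://localhost:8082", "POST", "Authorization"));
        // Listed origin but GET: rejected, the "HTTP 'GET' is not allowed" case.
        System.out.println(preflight("http://localhost:8080", "GET", null));
    }
}
```

Enable DEBUG for org.springframework.web.cors.DefaultCorsProcessor while running it to see the same reject messages the IdP logs.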