CORS handling
Some relying parties may do CORS (Cross-Origin Resource Sharing) pre-flight requests towards the IdP. This page discuss some alternatives for handling that.
Java Servlet Container
At least Jetty and Tomcat have their own Filter implementations for handling CORS requests:
Jetty: https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/servlets/CrossOriginFilter.html
Example filter configuration for web.xml: Cross-origin AJAX requests for Shib-protected resources
Tomcat: https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
Spring CORS Configuration
Spring provides a native/proprietary mechanism for supporting this. A global bean called shibboleth.CorsConfigurations
may contain a map of org.springframework.web.cors.CorsConfiguration declarations, where the key of each entry corresponds to the locations under the <context>/profile URL tree (e.g., /oidc/token
correponds with https://idp.example.org/idp/profile/oidc/token
).
By default, the map is not defined and thus Spring doesn’t provide any CORS handling.
The following example contains an example that activates the Spring CORS handling for the OP plugin’s token -endpoint:
<util:map id="shibboleth.CorsConfigurations" value-type="org.springframework.web.cors.CorsConfiguration">
<entry key="/oidc/token">
<bean class="org.springframework.web.cors.CorsConfiguration"
p:allowedOrigins="http://localhost:8080,http://localhost:8081"
p:allowedMethods="POST"
p:allowedHeaders="Authorization"
p:maxAge="1800" />
</entry>
</util:map>
This enables the CORS pre-flight request handling from two example origins, when the HTTP request header Access-Control-Request-Method
is set to POST
.
Debugging
The debug-logging of the Spring class org.springframework.web.cors.DefaultCorsProcessor
is useful for debugging why the pre-flight requests may fail.
Some examples of log-lines when the pre-flight request has not been compatible with the shibboleth.CorsConfiguration:
2024-05-31 13:37:29,843 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:119] - Reject: 'http://localhost:8082' origin is not allowed
Â
2024-05-31 13:37:57,109 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:127] - Reject: HTTP 'GET' is not allowed