tomcat-dev mailing list archives

Subject [Bug 63937] New: CORS preflight request not possible on authenticated endpoints
Date Tue, 19 Nov 2019 10:15:11 GMT

            Bug ID: 63937
           Summary: CORS preflight request not possible on authenticated endpoints
           Product: Tomcat 9
           Version: 9.0.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
  Target Milestone: -----

Consider the following web.xml snippet:

> <filter>
> 	<filter-name>apiCorsFilter</filter-name>
> 	<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
> 	<init-param>
> 		<param-name>cors.allowed.origins</param-name>
> 		<param-value>https://...</param-value>
> 	</init-param>
> 	<init-param>
> 		<param-name>cors.exposed.headers</param-name>
> 		<param-value>Correlation-Id,Content-Length,Content-Disposition,Location</param-value>
> 	</init-param>
> 	<init-param>
> 		<param-name>cors.support.credentials</param-name>
> 		<param-value>true</param-value>
> 	</init-param>
> </filter>
> <filter-mapping>
> 	<filter-name>apiCorsFilter</filter-name>
> 	<url-pattern>/api/*</url-pattern>
> </filter-mapping>
> <security-constraint>
> 	<web-resource-collection>
> 		<web-resource-name>Authenticated REST Services</web-resource-name>
> 		<url-pattern>/api/*</url-pattern>
> 	</web-resource-collection>
> 	<auth-constraint>
> 		<role-name>...</role-name>
> 	</auth-constraint>
> </security-constraint>

A CORS preflight will fail with 401 because a configured authenticator will
kick in before the CORS filter.

According to and regardless of the
browser config with fetch/XHR API and credentials in "include" mode, all
preflight requests are anonymous by default.

You may Google for "cors preflight bypass authentication". The solutions on the
web, which omit OPTIONS with <http-method-omission /> as in,
are incomplete and pose a security risk.
Consider a client that issues a regular OPTIONS request not related to CORS and
passes no credentials: you will not be able to properly serve the "Allow"
header if you enforce some kind of ACLs on your resources.

My proposal is to add a boolean property to AuthenticatorBase which will detect
a CORS preflight request and bypass authentication, but all other OPTIONS
requests will require authentication as before.
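To make the distinction concrete, here is an added Python model (not Tomcat code) that contrasts omitting OPTIONS from the security constraint with the proposed preflight detection in the authenticator; the sample requests, the Origin value and the `/api/` prefix are assumed from the web.xml snippet above.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    authenticated: bool = False  # True when valid credentials were presented

    def header(self, name):
        # HTTP header names are case-insensitive
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None

PROTECTED_PREFIX = "/api/"  # the <security-constraint> url-pattern /api/*

def is_cors_preflight(req):
    """Fetch-spec preflight: OPTIONS plus Origin plus Access-Control-Request-Method.
    A browser never attaches credentials to it, so it must be accepted anonymously."""
    return (req.method == "OPTIONS"
            and req.header("Origin") is not None
            and req.header("Access-Control-Request-Method") is not None)

def auth_omit_options(req):
    """<http-method-omission>OPTIONS</http-method-omission>: every OPTIONS on /api/*
    skips authentication, CORS-related or not (the incomplete fix the report warns about)."""
    if not req.path.startswith(PROTECTED_PREFIX) or req.method == "OPTIONS":
        return 200
    return 200 if req.authenticated else 401

def auth_preflight_bypass(req):
    """The proposed authenticator behaviour: only a genuine preflight skips
    authentication; any other OPTIONS is challenged like every other method."""
    if not req.path.startswith(PROTECTED_PREFIX) or is_cors_preflight(req):
        return 200
    return 200 if req.authenticated else 401

# constructed sample traffic against the protected REST path
SAMPLES = {
    "preflight": Request("OPTIONS", "/api/orders",
                         {"Origin": "https://app.example", "Access-Control-Request-Method": "PUT"}),
    "plain_options_anon": Request("OPTIONS", "/api/orders"),  # wants Allow:, no credentials
    "plain_options_auth": Request("OPTIONS", "/api/orders", authenticated=True),
    "get_anon": Request("GET", "/api/orders"),
}

def compare():
    """Status each strategy returns per sample: (omit-OPTIONS, preflight-bypass)."""
    return {name: (auth_omit_options(req), auth_preflight_bypass(req))
            for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, (omit, bypass) in compare().items():
        print(f"{name:20} omit-OPTIONS={omit}  preflight-bypass={bypass}")
```

The anonymous non-CORS OPTIONS is the telling row: the omission approach answers it 200 without ever knowing who asked, while the preflight bypass returns 401 and only waives authentication for the request shape a browser actually sends before a cross-origin call.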
