Skip to content

Allow OPTIONS requests without authentication for CORS preflight

Gandalf Schwientek requested to merge bytewizard/fc-service:feature/allow-options-request into main

Allow OPTIONS Requests Without Authentication in Accordance with Prefligth requests

Table of Contents

  1. Introduction
  2. Intension
  3. Implementation
  4. Testing
  5. Conclusion
  6. TL;DR

Introduction

This change modifies the Spring Security configuration to allow OPTIONS requests without authentication, aligning with the standards for Cross-Origin Resource Sharing (CORS) and the behavior of preflight requests as implemented in most modern browsers.

Intension

According to the CORS specification and the MDN documentation on CORS, preflight requests (sent as OPTIONS requests) are used to check whether the cross-origin request is safe, and should not require authentication as they only verify the HTTP methods and headers to be used in the actual request.

The current implementation of the fc-service project requires authentication for all requests, including OPTIONS requests. This contradicts the aforementioned standards and can cause issues with browsers that correctly implement these standards. This is a problem in cases where the Frontend is hosted on a different domain than the backend service. For now, the backend services allow requests from other domains by setting the CORS policy to * in WebConfiguration.class but this is insufficient because the preflight requests from the browser are sent without authorization to check whether or not an authorized request is valid.

The proposed change makes our application compliant with the CORS standards.

Implementation

In order to modify the application in this way that on all routes OPTION request are allowed without authentication we only modified the SecurityConfig.class. In the Filter we added the exeption for the OPTIONS request type.

.requestMatchers(anyMatcher(HttpMethod.OPTIONS, "/**")).permitAll()

This will result in any request with type OPTIONS are allowed without authentication or authorization.

Testing

This change has been tested and verified to achieve the desired behavior and should have no negative impact on the application's security as it merely adheres to the standards for CORS and preflight requests.

Nevertheless, we encourage you to test it yourself or make suggestions on this topic as well.

TL;DR

This change allows OPTIONS requests without authentication, aligning with CORS standards and preflight request behavior in modern browsers, which should not require authentication.

Merge request reports

Copyright © Eclipse Foundation, Inc. All Rights Reserved.     Privacy Policy | Terms of Use | Copyright Agent