https://bz.apache.org/bugzilla/show_bug.cgi?id=62585
Bug ID: 62585
Summary: CorsFilter `supportsCredentials` and `anyOriginAllowed` cannot co-exist
Product: Tomcat 8
Version: 8.5.32
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
*Steps to reproduce*
I have CorsFilter used in some of my webapps:
> <filter>
>     <filter-name>cors</filter-name>
>     <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>     <init-param>
>         <param-name>cors.allowed.origins</param-name>
>         <param-value>*</param-value>
>     </init-param>
>     <!-- ... -->
>     <init-param>
>         <param-name>cors.support.credentials</param-name>
>         <param-value>false</param-value>
>     </init-param>
> </filter>
*Actual Result*
After upgrading Tomcat from 8.5.23 to 8.5.32, some of my webapps failed to
start. The root cause in the error log says:
> It is not allowed to configure supportsCredentials=[true] when
> allowedOrigins=[*]
By viewing source, I found that the error was caused by a change in CorsFilter,
more specifically, the following lines:
> if (this.supportsCredentials && this.anyOriginAllowed) {
>     throw new ServletException(sm.getString("corsFilter.invalidSupportsCredentials"));
> }
*Expected Result*
I know 'Access-Control-Allow-Origin: *' and 'Access-Control-Allow-Credentials:
true' MUST NOT co-exist, but the parameter allowedOrigins is a server configuration
concept and doesn't fully correspond to the response header
Access-Control-Allow-Origin.
I think the change is not necessary even in the name of security. SSL certificates
may have a wildcard common name; it doesn't make sense that Tomcat suddenly
restricts allowedOrigins to a specific list in order to support credentials.
Think about such a scenario:
+ You want to share your REST resources with any other origin
+ You want to support credentials
What should I do? Fork CorsFilter and write a new one, or ask for the change to be
reverted, as I'm doing now?
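To illustrate what the quoted startup check enforces, here is an added example (written for this page, not Tomcat's CorsFilter code) that models a CORS filter's response-header decision in plain Java; the class name CorsHeaderDemo, its constructor parameters and the sample origins are assumptions. It shows the two configurations that can co-exist: a wildcard without credentials, or an explicit origin allowlist with credentials, where the matched origin is echoed instead of `*` and `Vary: Origin` is sent so caches do not serve one origin's response to another.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical model of a CORS filter's configuration and header logic.
public class CorsHeaderDemo {
    private final Set<String> allowedOrigins;
    private final boolean anyOriginAllowed;
    private final boolean supportsCredentials;

    CorsHeaderDemo(String allowedOriginsParam, boolean supportsCredentials) {
        this.anyOriginAllowed = "*".equals(allowedOriginsParam.trim());
        this.allowedOrigins = new HashSet<>(Arrays.asList(allowedOriginsParam.trim().split("\\s*,\\s*")));
        this.supportsCredentials = supportsCredentials;
        // Same rule the report quotes: '*' plus credentials is rejected at startup,
        // because browsers refuse 'Access-Control-Allow-Origin: *' combined with
        // 'Access-Control-Allow-Credentials: true', so the filter could never honour it.
        if (this.supportsCredentials && this.anyOriginAllowed) {
            throw new IllegalStateException("supportsCredentials=true is not allowed with allowedOrigins=*");
        }
    }

    /** CORS response headers for a request carrying the given Origin; empty if the origin is not allowed. */
    Map<String, String> responseHeaders(String origin) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (origin == null) {
            return headers; // not a cross-origin request, nothing to add
        }
        if (anyOriginAllowed) {
            headers.put("Access-Control-Allow-Origin", "*"); // wildcard: credentials can never be allowed
            return headers;
        }
        if (!allowedOrigins.contains(origin)) {
            return headers; // unknown origin: no CORS headers, the browser blocks the read
        }
        // Echo the matched origin, never the wildcard, and mark the response as origin-dependent.
        headers.put("Access-Control-Allow-Origin", origin);
        headers.put("Vary", "Origin");
        if (supportsCredentials) {
            headers.put("Access-Control-Allow-Credentials", "true");
        }
        return headers;
    }

    public static void main(String[] args) {
        CorsHeaderDemo open = new CorsHeaderDemo("*", false);
        System.out.println(open.responseHeaders("https://app.example"));
        CorsHeaderDemo withCreds = new CorsHeaderDemo("https://app.example, https://admin.example", true);
        System.out.println(withCreds.responseHeaders("https://app.example"));
        System.out.println(withCreds.responseHeaders("https://other.example"));
        try { new CorsHeaderDemo("*", true); } catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```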