https://bz.apache.org/bugzilla/show_bug.cgi?id=63937
Bug ID: 63937
Summary: CORS preflight request not possible on authenticated endpoints
Product: Tomcat 9
Version: 9.0.x
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: micha...@apache.org
Target Milestone: -----

Consider the following web.xml snippet:

> <filter>
>   <filter-name>apiCorsFilter</filter-name>
>   <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>   <init-param>
>     <param-name>cors.allowed.origins</param-name>
>     <param-value>https://...</param-value>
>   </init-param>
>   <init-param>
>     <param-name>cors.exposed.headers</param-name>
>     <param-value>Correlation-Id,Content-Length,Content-Disposition,Location</param-value>
>   </init-param>
>   <init-param>
>     <param-name>cors.support.credentials</param-name>
>     <param-value>true</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>apiCorsFilter</filter-name>
>   <url-pattern>/api/*</url-pattern>
> </filter-mapping>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Authenticated REST Services</web-resource-name>
>     <url-pattern>/api/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>...</role-name>
>   </auth-constraint>
> </security-constraint>

A CORS preflight will fail with 401 because a configured authenticator will kick in before the CORS filter. According to https://fetch.spec.whatwg.org/#http-responses and https://fetch.spec.whatwg.org/#ref-for-credentials%E2%91%A5, regardless of the browser config with the fetch/XHR API and credentials in "include" mode, all preflight requests are anonymous by default. You may Google for "cors preflight bypass authentication". The solutions on the web, which omit OPTIONS with <http-method-omission /> as in https://developer.ibm.com/answers/questions/405007/is-it-possible-to-exclude-http-options-method-from/, are incomplete and pose a security risk.
Consider that a client issues a regular OPTIONS request not related to CORS and no credentials are passed: you will not be able to properly serve the "Allow" header if you enforce some kind of ACLs on your resources. My proposal is to add a boolean property to AuthenticatorBase which will detect a CORS preflight request and bypass authentication, but all other OPTIONS requests will require authentication as before.
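As an added illustration of the proposal (this is example code written for this page, not Tomcat's own implementation), the sketch below subclasses a Tomcat 9 authenticator and overrides its invoke() so that only a genuine CORS preflight, as the Fetch standard defines it (OPTIONS plus an Origin header plus an Access-Control-Request-Method header), is handed to the filter chain without authentication; a plain OPTIONS request still goes through the normal authentication path. The class name CorsPreflightAwareAuthenticator, the allowCorsPreflight switch and the allowedOrigins mirror of cors.allowed.origins are assumptions made for this example, not existing Tomcat attributes.

```java
// Example code for this bug report, not part of Tomcat. Names marked
// "hypothetical" are invented for the illustration.
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;

import org.apache.catalina.authenticator.BasicAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;

public class CorsPreflightAwareAuthenticator extends BasicAuthenticator {

    /** Hypothetical switch; off by default so existing behaviour is unchanged. */
    private boolean allowCorsPreflight = false;

    /** Hypothetical mirror of the CorsFilter's cors.allowed.origins list. */
    private final Set<String> allowedOrigins = new HashSet<>();

    // Setters let the digester populate the attributes from a <Valve .../> element.
    public void setAllowCorsPreflight(boolean allow) { this.allowCorsPreflight = allow; }
    public boolean getAllowCorsPreflight() { return allowCorsPreflight; }

    public void setAllowedOrigins(String csv) {
        allowedOrigins.clear();
        for (String origin : csv.split(",")) {
            String trimmed = origin.trim();
            if (!trimmed.isEmpty()) {
                allowedOrigins.add(trimmed);
            }
        }
    }

    /**
     * Per the Fetch standard a CORS-preflight request is an OPTIONS request that
     * carries both an Origin and an Access-Control-Request-Method header. A plain
     * OPTIONS request (a client asking for the Allow header) carries neither, so
     * it is deliberately not matched here and keeps hitting the authenticator.
     */
    static boolean isCorsPreflight(Request request) {
        if (!"OPTIONS".equals(request.getMethod())) {
            return false;
        }
        String origin = request.getHeader("Origin");
        String requestedMethod = request.getHeader("Access-Control-Request-Method");
        return origin != null && !origin.isEmpty()
                && requestedMethod != null && !requestedMethod.isEmpty();
    }

    /**
     * Only bypass for origins the CorsFilter would accept anyway. An empty list or
     * "*" (constructed convention for "any origin") accepts every origin.
     */
    private boolean originAccepted(Request request) {
        if (allowedOrigins.isEmpty() || allowedOrigins.contains("*")) {
            return true;
        }
        return allowedOrigins.contains(request.getHeader("Origin"));
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        if (allowCorsPreflight && isCorsPreflight(request) && originAccepted(request)) {
            // Hand the preflight straight to the rest of the pipeline. The CorsFilter
            // mapped on /api/* answers it itself with an empty body, so no protected
            // resource content is served to the anonymous preflight.
            getNext().invoke(request, response);
            return;
        }
        // Everything else, including non-CORS OPTIONS, is authenticated as before,
        // so the Allow header can still reflect the caller's ACLs.
        super.invoke(request, response);
    }
}
```

Declaring this class as the context's authenticator valve (for example `<Valve className="CorsPreflightAwareAuthenticator" allowCorsPreflight="true" allowedOrigins="https://..."/>` in the context configuration, with the package prefix the class is deployed under) replaces the one Tomcat would otherwise pick from the login-config. Two points matter for safety: the bypass must only ever apply to OPTIONS, and it only makes sense where a CorsFilter is mapped on the same URL pattern, because that filter is what terminates the preflight before any servlet sees it; the Origin check gates the bypass but is not itself an authentication decision.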