https://bz.apache.org/bugzilla/show_bug.cgi?id=69131

            Bug ID: 69131
           Summary: allowCorsPreflight="filter" does not work with filter
                    mappings other than "/*" for the CorsFilter
           Product: Tomcat 9
           Version: 9.0.89
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: robert.rodew...@kopsis.com
  Target Milestone: -----

As I understand the AuthenticatorBase attribute allowCorsPreflight, it should
either always allow CORS preflight requests ("always"), never allow them
("never", default) or only if there is a CorsFilter filter mapping for the
current requested URI ("filter").

Looking at the code of the method allowCorsPreflightBypass(Request request), one
can see that ONLY the filter mapping "/*" allows the preflight request to
happen correctly. No other filter mapping leads to the variable
allowBypass being set to true. In my opinion this is wrong.

What if you configure your CorsFilter with the filter mapping "/api/*"? In this
case the preflight requests will never be allowed if you configure
allowCorsPreflight to "filter".

I think in the innermost loop there should be a check against the current
request URI to check if the CorsFilter is applied to the request. I can supply
a pull request, if there is agreement on this.

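The per-request check proposed in the report, sketched as an added example; it is not Tomcat source and not the reporter's code. The class and method names are hypothetical, and the request path is assumed to be context-relative and already normalized.

```java
import java.util.List;

// Added illustration, not Tomcat source. All names here are hypothetical.
public class CorsPreflightMappingCheck {

    // Behaviour described in the report: only the mapping "/*" enables the bypass.
    static boolean bypassAsReported(List<String> corsFilterPatterns) {
        return corsFilterPatterns.contains("/*");
    }

    // Proposed behaviour: bypass only when a CorsFilter mapping covers this request path,
    // so preflights to unmapped paths still go through authentication.
    static boolean bypassIfMapped(List<String> corsFilterPatterns, String requestPath) {
        for (String pattern : corsFilterPatterns) {
            if (matches(pattern, requestPath)) {
                return true;
            }
        }
        return false;
    }

    // Servlet-style URL pattern matching: exact, path prefix ("/x/*"), extension ("*.x").
    static boolean matches(String pattern, String path) {
        if (pattern == null || path == null) return false;
        if (pattern.equals(path) || pattern.equals("/*")) return true;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            // "/api/*" covers "/api" and "/api/...", but must not cover "/apikeys".
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {
            int slash = path.lastIndexOf('/');
            int dot = path.lastIndexOf('.');
            return dot > slash && path.substring(dot).equals(pattern.substring(1));
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> mappings = List.of("/api/*"); // constructed sample mapping
        String[] paths = {"/api/users", "/api", "/apikeys", "/admin/users"};
        for (String path : paths) {
            System.out.printf("%-13s reported=%b proposed=%b%n", path,
                    bypassAsReported(mappings), bypassIfMapped(mappings, path));
        }
    }
}
```

Filter mappings bound by servlet name rather than URL pattern are not handled in this sketch.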