
For my current project I use Spring Lemon library with 1.0.0.RC1 version. When I make an /api/core/context request I don't get Set-Cookie and X-XSRF-TOKEN headers.

For my earlier projects I used Spring Lemon 0.9.0 and it worked perfectly: after a context request I could set these parameters and make more requests. Now I can't get them, and if I make any request other than /context or /ping I get "Invalid CORS request" as the response.

My code is just like the sample project here: https://github.com/naturalprogrammer/spring-lemon/wiki/Getting-Started-With-Spring-Lemon with two changes:

  1. I use application.properties instead of yml. (Later I want it outside of the package and @PropertySource works with .properties only.)
  2. I use war packaging instead of jar. I deploy it into an Apache Tomcat. So, in the application.properties I changed lemon.cors.allowed-origins: http://localhost:9000 to lemon.cors.allowed-origins: http://localhost:8080

Log after a context request:

2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 5 of 14 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
2019-01-06 10:44:41 DEBUG AntPathRequestMatcher:176 - Checking match of request : '/api/core/context'; against '/oauth2/authorization/{registrationId}'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 6 of 14 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
2019-01-06 10:44:41 DEBUG AndRequestMatcher:66 - Trying to match using Ant [pattern='/login/oauth2/code/*']
2019-01-06 10:44:41 DEBUG AntPathRequestMatcher:176 - Checking match of request : '/api/core/context'; against '/login/oauth2/code/*'
2019-01-06 10:44:41 DEBUG AndRequestMatcher:69 - Did not match
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 7 of 14 in additional filter chain; firing Filter: 'LemonJpaTokenAuthenticationFilter'
2019-01-06 10:44:41 DEBUG LemonCommonsWebTokenAuthenticationFilter:42 - Inside LemonTokenAuthenticationFilter ...
2019-01-06 10:44:41 DEBUG LemonCommonsWebTokenAuthenticationFilter:70 - Token authentication skipped
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 8 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2019-01-06 10:44:41 DEBUG AntPathRequestMatcher:156 - Request 'GET /api/core/context' doesn't match 'POST /api/core/login'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 9 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 10 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-01-06 10:44:41 DEBUG AnonymousAuthenticationFilter:100 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@8a1370cd: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-01-06 10:44:41 DEBUG FilterChainProxy:328 - /api/core/context at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-01-06 10:44:41 DEBUG RequestMappingHandlerMapping:420 - Mapped to public java.util.Map<java.lang.String, java.lang.Object> com.naturalprogrammer.spring.lemon.LemonController.getContext(java.util.Optional<java.lang.Long>,javax.servlet.http.HttpServletResponse)
2019-01-06 10:44:41 DEBUG FilterSecurityInterceptor:219 - Secure object: FilterInvocation: URL: /api/core/context; Attributes: [permitAll]
2019-01-06 10:44:41 DEBUG FilterSecurityInterceptor:348 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@8a1370cd: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2019-01-06 10:44:41 DEBUG AffirmativeBased:66 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@33757a2b, returned: 1
2019-01-06 10:44:41 DEBUG FilterSecurityInterceptor:243 - Authorization successful
2019-01-06 10:44:41 DEBUG FilterSecurityInterceptor:256 - RunAsManager did not change Authentication object
2019-01-06 10:44:41 DEBUG FilterChainProxy:313 - /api/core/context reached end of additional filter chain; proceeding with original chain
2019-01-06 10:44:41 DEBUG DispatcherServlet:90 - GET "/CSGOStats/api/core/context", parameters={}
2019-01-06 10:44:41 DEBUG RequestMappingHandlerMapping:420 - Mapped to public java.util.Map<java.lang.String, java.lang.Object> com.naturalprogrammer.spring.lemon.LemonController.getContext(java.util.Optional<java.lang.Long>,javax.servlet.http.HttpServletResponse)
2019-01-06 10:44:41 DEBUG OpenEntityManagerInViewInterceptor:86 - Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
2019-01-06 10:44:41 DEBUG LemonController:84 - Getting context 
2019-01-06 10:44:41 DEBUG JpaTransactionManager:355 - Found thread-bound EntityManager [SessionImpl(631661686<open>)] for JPA transaction
2019-01-06 10:44:41 DEBUG LemonService:179 - Getting context ...
2019-01-06 10:44:41 DEBUG LemonController:86 - Returning context: {context={reCaptchaSiteKey=6LdwxRcUAAAAABkhOGWQXhl9FsR27D5YUJRuGzx0, shared={foobar=123...}}, user=null}
2019-01-06 10:44:41 DEBUG RequestResponseBodyMethodProcessor:267 - Using 'application/json;q=0.8', given [text/html, application/xhtml+xml, image/webp, image/apng, application/xml;q=0.9, */*;q=0.8] and supported [application/json, application/*+json, application/json, application/*+json]
2019-01-06 10:44:41 DEBUG RequestResponseBodyMethodProcessor:90 - Writing [{context={reCaptchaSiteKey=6LdwxRcUAAAAABkhOGWQXhl9FsR27D5YUJRuGzx0, shared={foobar=123...}}, user=null}]
2019-01-06 10:44:41 DEBUG HstsHeaderWriter:129 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@47453fa7
2019-01-06 10:44:41 DEBUG OpenEntityManagerInViewInterceptor:111 - Closing JPA EntityManager in OpenEntityManagerInViewInterceptor
2019-01-06 10:44:41 DEBUG EntityManagerFactoryUtils:418 - Closing JPA EntityManager
2019-01-06 10:44:41 DEBUG DispatcherServlet:1130 - Completed 200 OK
2019-01-06 10:44:41 DEBUG ExceptionTranslationFilter:121 - Chain processed normally
2019-01-06 10:44:41 DEBUG SecurityContextPersistenceFilter:119 - SecurityContextHolder now cleared, as request processing completed

What am I missing? Thanks in advance!

Siriann
  • You probably want to use https://stackoverflow.com/posts/54060371/edit to edit/update the question and paste in the exact error message the browser is logging in the devtools console. And you’ll likely get better guidance if you also check the HTTP status code of the response — is it a 4xx or 5xx status code instead of a 200 OK? — and if you indicate in the question whether it’s response to a CORS preflight OPTIONS request or else a response to the actual GET or POST or whatever request from your frontend code. You may also want to show the actual frontend code that’s making the request. – sideshowbarker Jan 06 '19 at 11:30

1 Answer

After 0.9.0, Spring Lemon was changed to become stateless. In other words, now every authenticated request would have an Authorization token along with it, abolishing the need for CSRF protection. So, it was thought to disable CSRF for the sake of simplicity.

If you still need to enable CSRF, you could extend LemonJpaSecurityConfig and override the csrf method. You may also need many more customizations -- I'm not sure what all exactly.

CORS would be a different issue, and I've no idea what could be the reason.

Sanjay
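The answer's point about CSRF is worth spelling out from the defender's side. The XSRF-TOKEN cookie and X-XSRF-TOKEN header the question is looking for are Spring Security's double-submit CSRF mechanism: the server writes a token into a readable cookie, the browser-side code copies it into a request header, and the CsrfFilter rejects state-changing requests where the two do not match. That only defends anything when the credential itself is sent automatically by the browser (a session or auth cookie). With a bearer token that the client puts into the Authorization header by hand, a cross-site page cannot attach that header, so CSRF protection adds nothing and the 1.0.0 line simply disables it. The "Invalid CORS request" seen on other endpoints is unrelated to CSRF: it is emitted by Spring's CorsFilter, which the log shows running at position 4 of the chain, before any token or CSRF handling, and it fires when the request's Origin header is not in the configured allowed-origins list. Note that lemon.cors.allowed-origins must name the origin of the page that makes the request (the frontend), not the backend's own address.

If the double-submit cookie is genuinely wanted (for instance because the client stores the token in a cookie after all), the override the answer describes looks like the following. This is an added example, not code from the question, the answer or the Spring Lemon project; it assumes that LemonJpaSecurityConfig lives in the com.naturalprogrammer.spring.lemon.security package and exposes a protected csrf(HttpSecurity) hook (the answer names the method, the package is an assumption), and the class and package names of the subclass are hypothetical.

```java
package com.example.security; // hypothetical package for this example

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;

// Assumed location of the Lemon base class (not confirmed by the page).
import com.naturalprogrammer.spring.lemon.security.LemonJpaSecurityConfig;

/**
 * Re-enables Spring Security's CSRF filter on top of Spring Lemon 1.0.x,
 * which disables it by default because authentication is a bearer token
 * in the Authorization header and therefore not CSRF-exposed.
 *
 * Registering this @Configuration replaces Lemon's own security config;
 * everything else (CORS, token filter, OAuth2 login) is inherited unchanged.
 */
@Configuration
public class CsrfEnabledSecurityConfig extends LemonJpaSecurityConfig {

    /**
     * Hook named in the answer: the base class disables CSRF here
     * (http.csrf().disable()); this override turns it back on with a
     * double-submit cookie so the browser side can read the token.
     */
    @Override
    protected void csrf(HttpSecurity http) throws Exception {
        http.csrf()
            .csrfTokenRepository(csrfTokenRepository());
    }

    /**
     * CookieCsrfTokenRepository writes the token as a cookie named
     * XSRF-TOKEN and expects it back in the X-XSRF-TOKEN header on
     * POST/PUT/PATCH/DELETE (these are Spring Security's defaults, and
     * they match the headers the question expects). withHttpOnlyFalse()
     * is required: the client script has to read the cookie to copy it
     * into the header, and an HttpOnly cookie would be invisible to it.
     */
    private CsrfTokenRepository csrfTokenRepository() {
        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
        // Scope the cookie to the whole app so every controller path sees it;
        // on a WAR deployment under a context path such as /CSGOStats, Tomcat
        // would otherwise default the cookie path to that context.
        repository.setCookiePath("/");
        return repository;
    }
}
```

Two practical checks after adding this: a GET to /api/core/context should now carry a Set-Cookie: XSRF-TOKEN=... header in the response (the CsrfFilter generates and saves a token on the first request that has none), and a POST without X-XSRF-TOKEN should be refused with 403 rather than reaching the controller. If the client keeps sending the bearer token only in the Authorization header, the override is unnecessary and the default (disabled CSRF) is the correct configuration.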