Affects: Spring Framework 5.3

Describe the bug: Have a SimpleUrlMapping with CorsConfig passing all tests for several months now. Am testing with Cors and am getting weird errors:

Caused by: java.lang.IllegalStateException: Cannot call sendError() after the response has been committed
    at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:472)
    at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:129)
    at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:129)
    at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:129)
    at org.springframework.security.web.util.OnCommittedResponseWrapper.sendError(OnCommittedResponseWrapper.java:116)
    at org.springframework.web.servlet.resource.ResourceHttpRequestHandler.handleRequest(ResourceHttpRequestHandler.java:561)
    at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:52)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1067)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)

NOTE: Made sure to use CorsUtils.isCorsRequest(request) in a filter AFTER Cors to make sure it was a Cors request

The sendError appears to be from it not being able to find the mapping/resource, which makes sense as it is supposed to use SimpleUrlHandlerMapping and not ResourceHttpRequestHandler.

As stated earlier, when running tests without CORS, it is fine. But Cors seems to be OVERRIDING/DEFAULTING back to this.

Here is the definition of my SimpleUrlHandlerMapping:

        SimpleUrlHandlerMapping mapping = new SimpleUrlHandlerMapping();
        mapping.registerHandlers(urlMap);
        mapping.setUrlMap(urlMap);
        mapping.setOrder(Integer.MAX_VALUE - 2);
        mapping.setInterceptors(new Object[]{new ApiInterceptor(throttleCacheService, exchangeService, batchService, chainService, traceExchangeService, apiProperties)});
        mapping.setApplicationContext(context);
        mapping.setCorsConfigurations(corsMap);
        return mapping;

I have created a workaround by using a FORWARD to bypass and get expected behaviour and the SimpleUrlHandlerMapping handles it normally. This isn't acceptable for security however; it was just to pinpoint the error.

To Reproduce: Can provide access to private repo

Expected behavior: Expect SimpleUrlHandlerMapping to handle errors and mapping and not default to another class that it is overriding

Sample: Hard to boil down mapping, security, MVC to a minimal reproducible sample :) Let me know what YOU need

Comment From: bclozel

Given your description, it should not be too complicated to create a sample application reproducing the problem.

  1. create an app on start.spring.io
  2. create a SimpleUrlHandlerMapping bean with the handler map as desired
  3. set the cors configuration
  4. strip everything else, like the custom interceptor or the spring security dependency if it's not strictly required
  5. share this app, with a curl request and explain the behavior you were expecting

Comment From: orubel

Well, curl is not going to show the error as that won't generate the CORS error. Curl does not use CORS, hence all curl tests pass. It is only when doing tests that require CORS (from a frontend) that we get errors.

I am in the middle of whittling everything down in the sample app and the starter and can supply that so that you can prop a frontend node server to test XHR requests with or something.

Comment From: bclozel

No need for a frontend node server - even if curl won't react to CORS headers, the request and response headers should be enough to diagnose the issue. We can't spend time diagnosing issues on complex setups - stripping as much as possible usually helps eliminate the noise or find where the issue is.
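
The stripped-down reproduction described in the five steps and the curl point above could look like the following. This is an added example, not code from the issue or from either participant. It assumes a start.spring.io project with the Spring Web dependency; the class name `CorsMappingRepro`, the path `/api/ping`, the origin `https://frontend.example` and port 8080 are constructed for illustration.

```java
import java.util.Map;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.web.HttpRequestHandler;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.servlet.handler.SimpleUrlHandlerMapping;

// Added example: class name, path and origin are assumptions, not from the report.
@SpringBootApplication
public class CorsMappingRepro {

    public static void main(String[] args) {
        SpringApplication.run(CorsMappingRepro.class, args);
    }

    @Bean
    public SimpleUrlHandlerMapping apiMapping() {
        // Step 2: a single plain handler; no interceptor, no Spring Security.
        HttpRequestHandler ping = (request, response) -> {
            response.setContentType("text/plain");
            response.getWriter().write("pong");
        };

        // Step 3: CORS configuration keyed by the same path pattern.
        CorsConfiguration cors = new CorsConfiguration();
        cors.addAllowedOrigin("https://frontend.example"); // constructed origin
        cors.addAllowedMethod("GET");
        cors.addAllowedHeader("*");

        SimpleUrlHandlerMapping mapping = new SimpleUrlHandlerMapping();
        mapping.setUrlMap(Map.of("/api/ping", ping));
        mapping.setOrder(Integer.MAX_VALUE - 2); // same order as in the report
        mapping.setCorsConfigurations(Map.of("/api/ping", cors));
        return mapping;
    }
}

// Step 5: curl does not enforce CORS, but an Origin header makes the server
// run its CORS processing, and -i prints the response headers to compare.
//   Simple request:
//     curl -i -H "Origin: https://frontend.example" http://localhost:8080/api/ping
//   Preflight:
//     curl -i -X OPTIONS -H "Origin: https://frontend.example" -H "Access-Control-Request-Method: GET" http://localhost:8080/api/ping
```

Comparing the status code and the `Access-Control-Allow-Origin` header of each response with what the browser reported shows whether the mapping or something earlier in the chain produced the response.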

Comment From: orubel

Um... nvm. I just tested with another endpoint and it worked great via CORS. This may be domain related (or something else). I am wasting ppls time again. :(

Comment From: bclozel

No worries, I hope you’ll find where the problem comes from!