Summary

I have noticed strange behavior when requesting a static resource with GET while having the CORS filter enabled in Spring Security. The problem is that the Vary headers get duplicated. This only happens when the URL gets mapped by SimpleUrlHandlerMapping to a request handler that implements CorsConfigurationSource, because then the AbstractHandlerMapping that the SimpleUrlHandlerMapping extends injects a CorsInterceptor into the HandlerExecutionChain. This CorsInterceptor then uses a DefaultCorsProcessor to process the requests, which in turn automatically appends the Vary headers. The problem is that the CorsFilter in Spring Security also uses this DefaultCorsProcessor, so that's why the Vary headers get duplicated.

Actual Behavior

When using Spring Security and enabling the CORS filter, static file responses contain duplicate Vary headers.

Expected Behavior

When using Spring Security and enabling the CORS filter, static file responses contain unique Vary headers.

Configuration

  • Spring Boot 2.2.6
  • Spring Web 5.2.5
  • Spring Security 5.2.2
  • Java 8

Version

  • Spring Security 5.2.2 (this problem also happens when using Spring Boot 2.3.0 M3 with Spring Security 5.3.0)

Sample

https://github.com/Moomba42/spring-boot-double-vary-headers/
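The mechanism described in the summary (CorsFilter and CorsInterceptor both delegating to the same DefaultCorsProcessor on one response) can be reproduced without a running server. The following is an added example, not code from the issue or the linked sample repository; it assumes spring-web 5.2.5 and spring-test on the classpath, and uses the spring-test mock request/response classes.

```java
import java.io.IOException;
import java.util.List;

import org.springframework.http.HttpHeaders;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.DefaultCorsProcessor;

// Added example (not part of the issue): runs DefaultCorsProcessor over one response
// several times, imitating CorsFilter and CorsInterceptor each handling the same request.
public class DoubleVaryRepro {

    static List<String> varyHeadersAfter(int passes) throws IOException {
        // A permissive CorsConfiguration; the exact allowed origins do not matter here.
        CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
        // A plain GET with no Origin header, like the curl -I in the report.
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/test.json");
        MockHttpServletResponse response = new MockHttpServletResponse();
        DefaultCorsProcessor processor = new DefaultCorsProcessor();
        for (int i = 0; i < passes; i++) {
            // Each pass adds its own Vary: Origin / Access-Control-Request-Method /
            // Access-Control-Request-Headers entries to the same response.
            processor.processRequest(config, request, response);
        }
        return response.getHeaders(HttpHeaders.VARY);
    }

    // Returns true if any Vary value appears more than once (the defect in the report).
    static boolean hasDuplicateVary(List<String> vary) {
        return vary.stream().distinct().count() != vary.size();
    }

    public static void main(String[] args) throws IOException {
        List<String> onePass = varyHeadersAfter(1);
        List<String> twoPasses = varyHeadersAfter(2);
        System.out.println("one pass:   " + onePass + " duplicates=" + hasDuplicateVary(onePass));
        System.out.println("two passes: " + twoPasses + " duplicates=" + hasDuplicateVary(twoPasses));
    }
}
```

Comparing the two lists shows whether a given spring-web version de-duplicates Vary on repeated processing; the same check can be dropped into a MockMvc test against the real filter chain.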

Comment From: rwinch

Thanks for the report and the simple example to use.

Spring Security's support just ensures that Spring's CorsFilter is inserted in the correct order so that CORS processing happens before Spring Security's authorization checks. Spring Security doesn't do anything special here.

In fact, the issue also happens without Spring Security on the classpath. If you remove Spring Security and add CorsFilter as a Bean (just as Security does), the same error occurs:

@Bean
CorsFilter corsFilter(CorsConfigurationSource corsConfigurationSource) {
    return new CorsFilter(corsConfigurationSource);
}

I then see headers of:

curl -I 'localhost:8080/test.json'
HTTP/1.1 200 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Tue, 31 Mar 2020 15:53:12 GMT
Accept-Ranges: bytes
Content-Type: application/json
Content-Length: 18
Date: Tue, 31 Mar 2020 15:53:18 GMT

You can find the code in my fork's no-security branch: https://github.com/rwinch/spring-boot-double-vary-headers/tree/no-security

I'd suggest creating a new ticket with Spring Framework (https://github.com/spring-projects/spring-framework/issues/new) and including the simplified sample I provided.

Comment From: moomba42

Thank you for the fast reply, and a corrected branch! I'm linking the new ticket here for future reference: https://github.com/spring-projects/spring-framework/issues/24829