quarkus: CORS should return correct headers even if an authorization header is wrong

Describe the bug When CORS is enabled and “authorization” header is present and incorrect (wrong username and/or password), CORS filter does not return proper headers and browser doesn’t even get HTTPS 401 because the response is rejected by the CORS policy.

Expected behavior I guess we should add CORS filter BEFORE security check.

Actual behavior Security (username/password) is verified before CORS even if endpoint contains @PermitAll annotation.

To Reproduce I created a small Quarkus+ReactJS application, you can clone it from here: https://github.com/belyaev-andrey/quarkus-security-cors, tested for localhost only.

  • Run quarkus backend by executing mvn compile quarkus:dev
  • Run ReactJS client by executing npm start in ./client folder
  • Open browser for http://localhost:3000 address
  • Click on Hello secured incorrect password button
  • See Access to fetch at 'http://localhost:8080/api/admin' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. log entry in browser’s console.
  • You can check that it doesn’t work for endpoints with anonymous access if you change line 16 in App.js file and use 'hello' endpoint instead of 'admin'.

Environment (please complete the following information):

  • Output of uname -a or ver: Microsoft Windows [Version 10.0.18362.10014]
  • Output of java -version:
java version "10.0.2" 2018-07-17
Java(TM) SE Runtime Environment 18.3 (build 10.0.2+13)
Java HotSpot(TM) 64-Bit Server VM 18.3 (build 10.0.2+13, mixed mode)
  • GraalVM version (if different from Java): N/A
  • Quarkus version or git rev: 0.21.1

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Reactions: 3
  • Comments: 18 (12 by maintainers)

Most upvoted comments

If the access control headers are not set for 4xx responses, the status code will not be exposed in a browser application, effectively masking the actual error.

Most real world applications I’ve come across where CORS headers can be enabled will set the headers even for non-2xx responses. Amazon S3 is a good example: curl -v “https://eriks-testbucket.s3.eu-north-1.amazonaws.com/403.txt” -H “Origin: http://something

+2
sirf on Sep 5, 2019

Marking it as a Good First issue for Andrey or someone else from the community to verify the issue has been resolved and if not then consider a minor PR 😃. @belyaev-andrey Andrey, thanks for opening this issue in the 1st place

+1
sberyozkin on Nov 6, 2019

I’m using elytron, not keycloak, just for the sake of simplicity. And by not adding CORS headers in the second case the framework does not allow me to handle the response correctly in my ReactJS application because the browser just blocks it. That is the reason why I raised the issue. I’m OK with any response (401, 402, 410, 418, whatever) as soon as it is not blocked by the browser.

+1
belyaev-andrey on Aug 28, 2019

The response in 2nd case (with the wrong authorization header) is what I’d expect as well (this is a response from the Keycloak, right ?). Is it what the Quarkus CORS filter does as well ? IMHO it is correct by default, even if it is too strict. The 1st case can be tackled separately (I agree it is inconsistent, whichever way you look at it 😃 ).

+1
sberyozkin on Aug 27, 2019
Read more comments on GitHub
← quarkus: CORS Rejected Error on same-origin requests when CORS is enabled
quarkus: CORS with Ajax is not working well. →