Netflix / dgs-framework

GraphQL for Java with Spring Boot made easy.
https://netflix.github.io/dgs
Apache License 2.0

bug: CORS errors in frontend app only after updating to v6 (with SpringBoot 3) #1872

Closed vigenere23 closed 6 months ago

vigenere23 commented 6 months ago

Expected behavior

Frontend behaviour should not change. If a new CORS behaviour was implemented in v6, it should have been written in documentation.

It's really hard to know at which layer the problem occurs. Maybe it's a SpringBoot 3 / Spring 6 breaking change, but I haven't seen anything in their changelogs related to it. Maybe it's a graphql-java error.

Actual behavior

The OPTIONS request gets blocked on the browser.

Firefox error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8080/graphql. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 403

Chrome error:

Access to fetch at 'http://localhost:8080/graphql' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Steps to reproduce

Spring configuration:

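import org.springframework.cache.annotation.EnableCaching
import org.springframework.context.annotation.Bean
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.web.SecurityFilterChain

@EnableWebSecurity
@EnableCaching
@EnableMethodSecurity
class WebSecurityConfiguration {

    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        // CORS on, CSRF off, stateless sessions, every request permitted
        http.cors().and()
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeHttpRequests()
            .anyRequest()
            .permitAll()

        return http.build()
    }
}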

DGS version: 6.0.5
Spring Boot: 3.0.6
Kotlin: 1.9.20
JVM target: 17

I have tried all the solutions in https://stackoverflow.com/questions/58026768/enable-cors-origin-graphql, and nothing works (properties change, adding manual CorsFilter or CorsConfigurationSource, adding a manual WebMvcConfigurer, etc.)

To your knowledge, has anything changed in DGS or Spring for the CORS policies?

vigenere23 commented 6 months ago

After further investigation, I now realize that this is due to a breaking change in Spring Security. I did not find any announcement about this, but @EnableWebSecurity (or another annotation) no longer includes the @Configuration annotation, which means that the SecurityFilterChain no longer gets automatically registered. Adding the configuration annotation fixed the problem. Sorry for the bother.
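
Added example (not part of the thread and not DGS project code): a configuration consistent with the fix described above, with `@Configuration` restored so the `SecurityFilterChain` bean is registered. The `corsConfigurationSource` bean, its method and header lists, and the lambda-style DSL are assumptions; the origin and path come from the Chrome error message, and the caching and method-security annotations are left out for brevity.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.web.SecurityFilterChain
import org.springframework.web.cors.CorsConfiguration
import org.springframework.web.cors.CorsConfigurationSource
import org.springframework.web.cors.UrlBasedCorsConfigurationSource

// @Configuration makes Spring process the @Bean methods in this class;
// the thread reports that @EnableWebSecurity alone no longer does.
@Configuration
@EnableWebSecurity
class WebSecurityConfiguration {

    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http
            // Picks up the bean named corsConfigurationSource defined below.
            .cors(Customizer.withDefaults())
            .csrf { it.disable() }
            .sessionManagement { it.sessionCreationPolicy(SessionCreationPolicy.STATELESS) }
            .authorizeHttpRequests { it.anyRequest().permitAll() }
        return http.build()
    }

    // Assumed policy: only the local frontend origin may call /graphql.
    @Bean
    fun corsConfigurationSource(): CorsConfigurationSource {
        val config = CorsConfiguration()
        config.allowedOrigins = listOf("http://localhost:3000")
        config.allowedMethods = listOf("POST")
        config.allowedHeaders = listOf("Content-Type", "Authorization")

        val source = UrlBasedCorsConfigurationSource()
        source.registerCorsConfiguration("/graphql", config)
        return source
    }
}
```

With this policy a preflight from any other origin is still rejected with a 403 and no `Access-Control-Allow-Origin` header, so the browser errors quoted above remain the expected result for origins that are not on the list.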