@Crossorigin Put Requests to association resources not working anymore [DATAREST-1581] #1940

Closed
spring-projects-issues opened this issue Nov 18, 2020 · 7 comments
Labels: type: bug (A general bug)

Comments

@spring-projects-issues
Phil Webb opened DATAREST-1581 and commented

See spring-projects/spring-boot#22957 for background.

DATAREST-1535 makes @CrossOrigin annotations mandatory for PATCH and PUT methods. We've closed the original Boot issue so I'm opening this one to make sure it doesn't get lost.


Issue Links:

Backported to: 3.4.2 (2020.0.2), 3.3.6 (Neumann SR6), 3.2.12 (Moore SR12)

@spring-projects-issues

Greg Turnquist commented

Spring Framework 5.3 restricts default allowed methods to GET, HEAD, and POST. This means that PUT, PATCH, and any other methods previously supported must be deliberately activated.

You can see these changes applied in a957699.

@spring-projects-issues

Greg Turnquist commented

If you need to alter Cross Origin settings in your Spring Data REST application, CorsIntegrationTests provides the perfect example:

```java
@Bean
RepositoryRestConfigurer repositoryRestConfigurer() {

	return RepositoryRestConfigurer.withConfig((config, cors) -> {

		cors.addMapping("/books/**") //
				.allowedMethods("GET", "PUT", "POST") //
				.allowedOrigins("http://far.far.example");
	});
}
```

This example tweaks the allowed methods to include PUT and sets what origins are allowed, all mapped to the relevant path.

@spring-projects-issues

Phil Webb commented

Did you see the note about the Javadoc? spring-projects/spring-boot#22957 (comment)

Does it need to be updated?

@spring-projects-issues

Greg Turnquist commented

If so, sounds like a Spring Framework issue.

We do nothing custom but instead invoke Spring Web's CorsConfiguration.applyPermitDefaultValues.
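
Added example, not part of the thread or of the Spring projects' code: a small program that calls the `CorsConfiguration.applyPermitDefaultValues` method named above and compares which methods and origins pass with defaults only versus an explicit configuration like the one posted earlier. It assumes spring-web 5.3 on the classpath; the class name `CorsDefaultsDemo`, the helper methods and the origin `http://other.example` are made up for illustration.

```java
import java.util.Arrays;

import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;

public class CorsDefaultsDemo {

	// Constructed sample origins; the first is the one used in the thread's example.
	static final String TRUSTED = "http://far.far.example";
	static final String OTHER = "http://other.example";

	// checkHttpMethod returns null when the configuration does not allow the method.
	static boolean allows(CorsConfiguration cors, HttpMethod method) {
		return cors.checkHttpMethod(method) != null;
	}

	// Only the framework defaults, nothing set by the application.
	static CorsConfiguration defaultsOnly() {
		return new CorsConfiguration().applyPermitDefaultValues();
	}

	// Origins and methods set explicitly; applyPermitDefaultValues then fills
	// in only the fields that are still unset.
	static CorsConfiguration explicit() {
		CorsConfiguration cors = new CorsConfiguration();
		cors.setAllowedOrigins(Arrays.asList(TRUSTED));
		cors.setAllowedMethods(Arrays.asList("GET", "PUT", "POST"));
		return cors.applyPermitDefaultValues();
	}

	static void report(String name, CorsConfiguration cors) {
		System.out.println(name + ": allowedMethods=" + cors.getAllowedMethods()
				+ " allowedOrigins=" + cors.getAllowedOrigins());
		for (HttpMethod m : Arrays.asList(HttpMethod.GET, HttpMethod.POST, HttpMethod.PUT, HttpMethod.PATCH)) {
			System.out.println("  " + m + " allowed: " + allows(cors, m));
		}
		// checkOrigin returns the value for Access-Control-Allow-Origin, or null.
		for (String origin : Arrays.asList(TRUSTED, OTHER)) {
			System.out.println("  origin " + origin + " -> " + cors.checkOrigin(origin));
		}
	}

	public static void main(String[] args) {
		report("defaults only", defaultsOnly());
		report("explicit", explicit());
	}
}
```

Comparing the two reports shows why widening the method list is best paired with an explicit origin list: the defaults leave the origin unrestricted, while the explicit configuration answers only for the listed origin.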

@spring-projects-issues

Oliver Drotbohm commented

But shouldn't we assume different defaults given the fact that we know we want to support these additional HTTP methods on resources we expose?

@spring-projects-issues

Greg Turnquist commented

I've investigated how to apply this but can't seem to see how. CorsIntegrationTest (spring-data-tests-jpa) has:

```java
@Bean
RepositoryRestConfigurer repositoryRestConfigurer() {

	return RepositoryRestConfigurer.withConfig((config, cors) -> {

		cors.addMapping("/books/**") //
				.allowedMethods("GET", "PUT", "POST") //
				.allowedOrigins("http://far.far.example");
	});
}
```

When I update RepositoryRestMvcConfig with this:

```java
@Bean
public <T extends RepositoryRestConfiguration & CorsConfigurationAware> T repositoryRestConfiguration() {

	ProjectionDefinitionConfiguration configuration = new ProjectionDefinitionConfiguration();

	// Register projections found in packages
	for (Class<?> projection : getProjections(repositories.get())) {
		configuration.addProjection(projection);
	}

	RepositoryCorsRegistry registry = new RepositoryCorsRegistry();

	WebMvcRepositoryRestConfiguration config = new WebMvcRepositoryRestConfiguration(configuration,
			new MetadataConfiguration(), new EnumTranslator(MessageResolver.DEFAULTS_ONLY), registry);

	registry //
			.addMapping(baseUri.or(new BaseUri("/")).toString()) //
			.allowedMethods("GET", "PUT", "POST");

	configurerDelegate.get().configureRepositoryRestConfiguration(config, registry);

	return (T) config;
}
```

...and comment out allowed methods, the test case still fails. So I have (yet) to figure out how to tweak the settings to plug in a different set of allowed methods.

@spring-projects-issues

Oliver Drotbohm commented

This should be in place. I've reinstated more extensive default allowed HTTP methods that were accidentally removed in the fix for DATAREST-1535.
