Details
-
Bug Report
-
Resolution: Fixed
-
L3 - Default
-
7.13.0
-
None
-
All modern browsers
Description
When both camunda.bpm.run.auth.enabled (e.g. recommended by production.yml CAM-11838) and camunda.bpm.run.cors.enabled , Camunda BPM Run CORS configuration is broken, which breaks browser clients: (this is even after the origin has been configured/whitelisted using camunda.bpm.run.cors.allowed-origins)
Access to XMLHttpRequest at 'https://camunda.example.com/engine-rest/process-definition/key/marketing.user.CloseAccount/start' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Specifically, the server returned 401 on (properly unauthenticated) preflight requests.
1. OPTIONS preflight requests require authentication
The W3 spec for CORS preflight requests clearly states that user credentials should be excluded. (see also: https://stackoverflow.com/a/15734032 )
Please exclude OPTIONS in the authentication filter.
2. OPTIONS response missing Access-Control-Allow-Credentials header
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
Should be:
Access-Control-Allow-Credentials: true
Important: Access-Control-Allow-Credentials is mutually exclusive with:
Access-Control-Allow-Origin: *
(https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials), and this is enforced by org.apache.catalina.filters.CorsFilter#parseAndStore meaning that for proper CORS support, it is mandatory for the administrator to set allowed origins other than *.
3. OPTIONS response missing "Authorization" in Access-Control-Allow-Headers. And also (sent by Chrome) X-XSRF-Token, and just to be safe: X-CSRF-Token.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
Currently:
access-control-allow-headers: origin,x-requested-with,access-control-request-headers,content-type,access-control-request-method,accept
Should be:
access-control-allow-headers: origin,x-requested-with,access-control-request-headers,content-type,access-control-request-method,accept,authorization,x-xsrf-token,x-csrf-token
Current Workaround
- Not possible. Turning off authentication is not secure.
- The only workaround is to use a server-side proxy, e.g. Pipedream
Relevant source locations
- need to "make a hole" for OPTIONS: https://github.com/camunda/camunda-bpm-platform/blob/3db71adf7396dc052045d3f848f52e31e85b1405/distro/run/core/src/main/java/org/camunda/bpm/run/CamundaBpmRunRestConfiguration.java#L57
- need to exclude OPTIONS method: https://github.com/camunda/camunda-bpm-platform/blob/6fd62f5c7492b98f0187f0392dc1ea2a94342cda/engine-rest/engine-rest/src/main/java/org/camunda/bpm/engine/rest/security/auth/ProcessEngineAuthenticationFilter.java#L123
- https://github.com/camunda/camunda-bpm-platform/blob/3db71adf7396dc052045d3f848f52e31e85b1405/distro/run/core/src/main/java/org/camunda/bpm/run/CamundaBpmRunRestConfiguration.java#L72
Related to: CAM-11290, CAM-11838
Our experience with Camunda BPM Run: https://about.lovia.life/docs/infrastructure/camunda/ 
mgm-controller-panel
This is the controller panel for Smart Panels app
Attachments
Issue Links
- depends on
-
CAM-11290 CORS support
-
- Closed
-
-
-
- Closed
-
-
CAM-3510 CORS-enabled REST Api
-
- Closed
-
- is depended on by
-
-
- Closed
-
- is related to
-
-
- Closed
-