I am trying to upgrade our instance of GeoServer from 2.24.2 to 2.26.1 and when testing our REST endpoints the preflight OPTIONS request is failing.
E.g.:
In the browser it seems to be a CORS error, but the Tomcat (9.0.97) web.xml already contains the allowed methods:
<filter xmlns="">
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,OPTIONS</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>
      Content-Type,X-Requested-With,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,Referer,
      ticket,Cache-Control,Accept-Encoding,Accept-Language,Connection,Host,Pragma,Sec-Fetch-Dest,Sec-Fetch-Mode,Sec-Fetch-Site,User-Agent
    </param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
When testing in Postman I am getting this error:
<h1>HTTP Status 500 – Internal Server Error</h1>
<hr class="line" />
<p><b>Type</b> Exception Report</p>
<p><b>Message</b> Cannot invoke "java.util.Collection.iterator()" because "attributes" is null
</p>
<p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.
</p>
<p><b>Exception</b></p>
<pre>java.lang.NullPointerException: Cannot invoke "java.util.Collection.iterator()" because "attributes" is null
org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AuthenticatedAuthorizationManager.vote(GeoServerSecurityInterceptorFilter.java:83)
org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AuthenticatedAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:113)
org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AuthenticatedAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:46)
org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AffirmativeAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:198)
org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AffirmativeAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:173)
org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:95)
Can anyone please advise what needs to be configured for the preflight OPTIONS requests to work again?