HTTP OPTIONS request fails after upgrade to 2.26.1

I am trying to upgrade our instance of GeoServer from 2.24.2 to 2.26.1 and when testing our REST endpoints the preflight OPTIONS request is failing.

In the browser it seems to be a CORS error, but the Tomcat (9.0.97) web.xml already contains the allowed methods:

<filter xmlns="">
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.methods</param-name>
      <param-value>GET,POST,OPTIONS</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.headers</param-name>
      <param-value>
        Content-Type,X-Requested-With,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,Referer,
        ticket,Cache-Control,Accept-Encoding,Accept-Language,Connection,Host,Pragma,Sec-Fetch-Dest,Sec-Fetch-Mode,Sec-Fetch-Site,User-Agent
      </param-value>
    </init-param>
    <init-param>
      <param-name>cors.exposed.headers</param-name>
      <param-value>Access-Control-Allow-Origin</param-value>
    </init-param>
    <init-param>
      <param-name>cors.preflight.maxage</param-name>
      <param-value>10</param-value>
    </init-param>
</filter>

When testing in Postman I am getting this error:

<h1>HTTP Status 500 – Internal Server Error</h1>
    <hr class="line" />
    <p><b>Type</b> Exception Report</p>
    <p><b>Message</b> Cannot invoke &quot;java.util.Collection.iterator()&quot; because &quot;attributes&quot; is null
    </p>
    <p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.
    </p>
    <p><b>Exception</b></p>
    <pre>java.lang.NullPointerException: Cannot invoke &quot;java.util.Collection.iterator()&quot; because &quot;attributes&quot; is null
	org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AuthenticatedAuthorizationManager.vote(GeoServerSecurityInterceptorFilter.java:83)
	org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AuthenticatedAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:113)
	org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AuthenticatedAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:46)
	org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AffirmativeAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:198)
	org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AffirmativeAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:173)
	org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:95)

Can anyone please advise what needs to be configured for the preflight OPTIONS requests to work again?

Hi,
known issue, due to an upgrade of Spring Security.
A PR to fix it is being evaluated as I type this mail:
https://github.com/geoserver/geoserver/pull/8087

Hi, so I tried to build the current 2.26.x branch, take the gs-main jar and replace the 2.26.1 gs-main, but now I am getting 401:

Regular GET requests with bearer token auth still work ok.

Am I still missing something?

Had a quick check with Joseph, indeed to avoid the 401 the OPTIONS method should be listed here:

Needs to be added to that list, and a test written, so that it cannot regress again.
Anyone here with time to do it and issue a PR?

Cheers
Andrea
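
The failure mode discussed in this thread, as an added example that is not part of any post or of GeoServer's code: a Python check that applies a simplified form of the browser's preflight acceptance rules to constructed responses with the status codes reported above (500 and 401) and to a passing one. The origin, the sample headers and all function names are assumptions.

```python
# Added example: simplified browser-side acceptance rules for a CORS preflight.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

def _tokens(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def check_preflight(status, headers, origin, method, request_headers=()):
    """Return the reasons a browser would reject this preflight response."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    # The preflight is sent without credentials, so the server has to answer
    # it with 2xx before any authentication; a 401 or 500 blocks the real call.
    if not 200 <= status <= 299:
        problems.append(f"status {status} is not 2xx")
    if h.get("access-control-allow-origin") not in ("*", origin):
        problems.append("Access-Control-Allow-Origin does not match")
    methods = _tokens(h.get("access-control-allow-methods"))
    if method.upper() not in SAFELISTED_METHODS and not ({method.lower(), "*"} & methods):
        problems.append(f"method {method} not allowed")
    allowed = _tokens(h.get("access-control-allow-headers"))
    for name in request_headers:
        n = name.lower()
        # "*" never covers Authorization; it has to be listed by name.
        if n not in allowed and (n == "authorization" or "*" not in allowed):
            problems.append(f"header {name} not allowed")
    return problems

ORIGIN = "https://app.example"  # constructed origin
OK_HEADERS = {  # constructed headers, modelled on the web.xml values above
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
    "Access-Control-Allow-Headers": "content-type,authorization",
}
# The thread does not show the headers of the failing responses: left empty.
SAMPLES = {"2.26.1": (500, {}), "rebuilt jar": (401, {}), "expected": (200, OK_HEADERS)}

def run():
    """Check each sample as the preflight for a GET carrying a bearer token."""
    return {name: check_preflight(status, hdrs, ORIGIN, "GET", ["Authorization"])
            for name, (status, hdrs) in SAMPLES.items()}

if __name__ == "__main__":
    for name, problems in run().items():
        print(name, "->", problems or "accepted")
```
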