HTTP OPTIONS request fails after upgrade to 2.26.1

macinos · December 6, 2024, 3:00pm

I am trying to upgrade our instance of GeoServer from 2.24.2 to 2.26.1 and when testing our REST endpoints the preflight OPTIONS request is failing.

E.g.:

In browser it seems to be a CORS error but the Tomcat (9.0.97) web.xml already contains allowed methods:

<filter xmlns="">
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.methods</param-name>
      <param-value>GET,POST,OPTIONS</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.headers</param-name>
      <param-value>
        Content-Type,X-Requested-With,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization,Referer,
        ticket,Cache-Control,Accept-Encoding,Accept-Language,Connection,Host,Pragma,Sec-Fetch-Dest,Sec-Fetch-Mode,Sec-Fetch-Site,User-Agent
      </param-value>
    </init-param>
    <init-param>
      <param-name>cors.exposed.headers</param-name>
      <param-value>Access-Control-Allow-Origin</param-value>
    </init-param>
    <init-param>
      <param-name>cors.preflight.maxage</param-name>
      <param-value>10</param-value>
    </init-param>
  </filter>

When testing in Postman I am getting this error:

<h1>HTTP Status 500 – Internal Server Error</h1>
    <hr class="line" />
    <p><b>Type</b> Exception Report</p>
    <p><b>Message</b> Cannot invoke &quot;java.util.Collection.iterator()&quot; because &quot;attributes&quot; is null
    </p>
    <p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.
    </p>
    <p><b>Exception</b></p>
    <pre>java.lang.NullPointerException: Cannot invoke &quot;java.util.Collection.iterator()&quot; because &quot;attributes&quot; is null
	org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AuthenticatedAuthorizationManager.vote(GeoServerSecurityInterceptorFilter.java:83)
	org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AuthenticatedAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:113)
	org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AuthenticatedAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:46)
	org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AffirmativeAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:198)
	org.geoserver.security.filter.GeoServerSecurityInterceptorFilter$AffirmativeAuthorizationManager.check(GeoServerSecurityInterceptorFilter.java:173)
	org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:95)

Can anyone please advise what is needed to configure for the preflight OPTIONS requests to work again?

aaime-geosolutions · December 6, 2024, 5:21pm

Hi,
known issue, due to an upgrade of Spring Security.
A PR to fix it is being evaluated as I type this mail:
https://github.com/geoserver/geoserver/pull/8087

macinos · December 16, 2024, 6:21pm

Hi, so I tried to build the current 2.26.x branch, take the gs-main jar and replace the 2.26.1 gs-main, but now I am getting 401:

Regular GET requests with bearer token auth still work ok.

Am I still missing something?

aaime-geosolutions · December 18, 2024, 2:52pm

Had a quick check with Joseph, indeed to avoid the 401 the OPTIONS method should be listed here:

github.com/geoserver/geoserver

[GEOS-11630] REST API throws HTTP 500 When Security Metadata Has Null Attributes

geoserver:main ← turingtestfail:GEOS-1630-REST-500-Security-Metadata

opened 07:08PM - 05 Dec 24 UTC

turingtestfail

+101 -13

[![GEOS-1630](https://badgen.net/badge/JIRA/GEOS-1630/0052CC)](https://osgeo-org….atlassian.net/browse/GEOS-1630) [<img width="16" alt="Powered by Pull Request Badge" src="https://user-images.githubusercontent.com/1393946/111216524-d2bb8e00-85d4-11eb-821b-ed4c00989c02.png">](https://pullrequestbadge.com/?utm_medium=github&utm_source=geoserver&utm_campaign=badge_info)  # Checklist - [x] I have read the [contribution guidelines](https://github.com/geoserver/geoserver/blob/main/CONTRIBUTING.md). - [ ] I have sent a [Contribution Licence Agreement](https://docs.geoserver.org/latest/en/developer/policies/committing.html) (not required for small changes, e.g., fixing typos in documentation). - [x] First PR targets the `main` branch (backports managed later; ignore for branch specific issues). - [ ] All the build checks are green ([see automated QA checks](https://docs.geoserver.org/latest/en/developer/qa-guide/index.html)). For core and extension modules: - [x] New unit tests have been added covering the changes. - [ ] [Documentation](https://github.com/geoserver/geoserver/tree/main/doc/en/user/source) has been updated (if change is visible to end users). - [ ] The [REST API docs](https://github.com/geoserver/geoserver/tree/main/doc/en/api/1.0.0) have been updated (when changing configuration objects or the REST controllers). - [x] There is an issue in the [GeoServer Jira](https://osgeo-org.atlassian.net/browse/GEOS/summary) (except for changes that do not affect administrators or end users in any way). - [x] Commit message(s) must be in the form ``[GEOS-XYZWV] Title of the Jira ticket``. - [x] Bug fixes and small new features are presented as a single commit. - [x] Each commit has a single objective (if there are multiple commits, each has a separate JIRA ticket describing its goal).

Needs to be added to that list, and a test written, so that it cannot regress again.
Anyone here with time to do it and issue a PR?

Cheers
Andrea

macinos · January 29, 2025, 9:13am

Hi, I just wanted to ask if any developer is going to add this fix with OPTIONS or if it´s better if we try to create the PR with this change.

aaime-geosolutions · January 30, 2025, 1:11pm

Always assume you’re better off submitting the change for yourself, it’s very unlikely that someone will take hours away from the weekend to solve an issue you have… if anything, they will touch something that bothered them, if they just don’t stay away from the computer at all, and be done with it.

[Backport 2.26.x] [GEOS-11703] HEAD and OPTIONS requests on the REST API return a 403

geoserver:2.26.x ← geoserver:backport-8257-to-2.26.x

opened 08:52AM - 05 Feb 25 UTC

geoserver-bot

+88 -10

[![GEOS-11703](https://badgen.net/badge/JIRA/GEOS-11703/0052CC)](https://osgeo-o…rg.atlassian.net/browse/GEOS-11703) [<img width="16" alt="Powered by Pull Request Badge" src="https://user-images.githubusercontent.com/1393946/111216524-d2bb8e00-85d4-11eb-821b-ed4c00989c02.png">](https://pullrequestbadge.com/?utm_medium=github&utm_source=geoserver&utm_campaign=badge_info) Backport #8257 **Authored by:** @aaime

(thanks to DLR for supporting the fix).

Cheers
Andrea

macinos · February 5, 2025, 9:20am

Ah you made the fix! Excellent, thank you