Not possible to use allowedOrigins "*" in StompEndpointRegistry after upgrade to Spring Boot 2.4.0

[opersson]

Not sure if this should be filed under Spring Boot or Spring framework, but I put it here since Spring Boot Starter is in use.

After upgrading to use Spring Boot 2.4.0 from 2.3.x, it does not seem to be possible to use allowedOrigins = "*" in the StompEndpointRegistry. When connecting it results in the following Error:

java.lang.IllegalArgumentException: When allowCredentials is true, allowedOrigins cannot contain the special value "*"since that cannot be set on the "Access-Control-Allow-Origin" response header. To allow credentials to a set of origins, list them explicitly or consider using "allowedOriginPatterns" instead.

However, allowedOriginPatterns i not something that is available on the StompEndpointRegistry, only allowedOrigins is available.

Code to reproduce

package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.StompWebSocketEndpointRegistration;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@SpringBootApplication
@EnableWebSocketMessageBroker
public class DemoApplication implements WebSocketMessageBrokerConfigurer {

	public static void main(String[] args) {
		SpringApplication.run(DemoApplication.class, args);
	}

	@Override
	public void registerStompEndpoints(StompEndpointRegistry registry) {
		StompWebSocketEndpointRegistration registration = registry.addEndpoint("/endpoint");
		registration.setAllowedOrigins("*");
		registration.withSockJS();
	}
}

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
    <script>
        fetch("http://localhost:8080/endpoint")
            .then(response => console.log(response));
    </script>
</head>
<body>
</body>
</html>

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.springframework.boot</groupId>
		<artifactId>spring-boot-starter-parent</artifactId>
		<version>2.4.0</version>
		<relativePath/> <!-- lookup parent from repository -->
	</parent>
	<groupId>com.example</groupId>
	<artifactId>demo</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<name>demo</name>
	<description>Demo project for Spring Boot</description>

	<properties>
		<java.version>11</java.version>
	</properties>

	<dependencies>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-websocket</artifactId>
		</dependency>
	</dependencies>

	<build>
		<plugins>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
			</plugin>
		</plugins>
	</build>

</project>

Start the server on port 8080 and host the host the html file on another port and open it in a browser.

[wilkinsona]

Thanks for the report. The behaviour that you're seeing is due to these changes in Spring Framework. We'll transfer this issue to the Framework team so that they can take a look.

[rstoyanchev]

#25016 introduced the ability to configure allowedOriginPatterns in addition to just allowedOrigins. It lets you define more flexible patterns while the latter is literally the value to return in the Access-Control-Allow-Origin header and for that "*" is not allowed in combination with allowCredentials=true. The change introduced equivalent allowedOriginPatterns methods in the WebMvc and the WebFlux config, but not in the SockJS config and the AbstractSocketJsService.

I'll add those for 5.3.2. You'll then need to switch to allowedOriginPatterns instead of allowedOrigins but that gives you an option to define more precisely the allowed domain patterns. In the mean time, you might be able to work around by listing specific domains if that's feasible.

[rstoyanchev]

This is now superseded by #26108.

[JeromeRider]

When I implement WebSocketMessageBrokerConfigurer, I'm not asked to override registerStompEndpoints() method. Am I supposed to use Java 11 ? I'm on Java 8 - Maven 2.4.2

[rstoyanchev]

@JeromeRider, all are default methods and so none are required. Imagine that there are several of these in one application. They are all applied, and one might register endpoints while others might not.

[richvim]

This massively burned us during upgrade, why was this breaking change not mentioned in the release notes?

[rstoyanchev]

@richvim I'm sorry to hear that. It is mentioned here although I can see how we should probably more explicitly mention STOMP web messaging as part of that.

[alrawasabed]

The interface WebSocketHandlerRegistration is still missing setAllowedOriginPatterns in spring-websocket-5.3.3
I use it when I override registerWebSockerHandlers(WebSocketHandlerRegistry registry) when implementing WebSocketConfigurer

It's supposed to be there right?

[rstoyanchev]

@alrawasabed yes it should be there. I've created #26593.