Not possible to use allowedOrigins "*" in StompEndpointRegistry after upgrade to Spring Boot 2.4.0
Not sure if this should be filed under Spring Boot or Spring framework, but I put it here since Spring Boot Starter is in use.
After upgrading to use Spring Boot 2.4.0 from 2.3.x, it does not seem to be possible to use allowedOrigins = “*” in the StompEndpointRegistry. When connecting it results in the following Error:
java.lang.IllegalArgumentException: When allowCredentials is true, allowedOrigins cannot contain the special value "*"since that cannot be set on the "Access-Control-Allow-Origin" response header. To allow credentials to a set of origins, list them explicitly or consider using "allowedOriginPatterns" instead.
However, allowedOriginPatterns is not something that is available on the StompEndpointRegistry, only allowedOrigins is available.
Code to reproduce
```java
package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.StompWebSocketEndpointRegistration;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@SpringBootApplication
@EnableWebSocketMessageBroker
public class DemoApplication implements WebSocketMessageBrokerConfigurer {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        StompWebSocketEndpointRegistration registration = registry.addEndpoint("/endpoint");
        registration.setAllowedOrigins("*");
        registration.withSockJS();
    }
}
```

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
    <script>
        fetch("http://localhost:8080/endpoint")
            .then(response => console.log(response));
    </script>
</head>
<body>
</body>
</html>
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.0</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>11</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-websocket</artifactId>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```
Start the server on port 8080, host the HTML file on another port, and open it in a browser.
Issue Analytics
- State:
- Created 3 years ago
- Reactions: 21
- Comments: 9 (6 by maintainers)
#25016 introduced the ability to configure `allowedOriginPatterns` in addition to just `allowedOrigins`. It lets you define more flexible patterns while the latter is literally the value to return in the `Access-Control-Allow-Origin` header and for that `"*"` is not allowed in combination with `allowCredentials=true`. The change introduced equivalent `allowedOriginPatterns` methods in the WebMvc and the WebFlux config, but not in the SockJS config and the `AbstractSocketJsService`.

I’ll add those for 5.3.2. You’ll then need to switch to `allowedOriginPatterns` instead of `allowedOrigins` but that gives you an option to define more precisely the allowed domain patterns. In the mean time, you might be able to work around by listing specific domains if that’s feasible.

This massively burned us during upgrade, why was this breaking change not mentioned in the release notes?
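
An added example, not code from the issue or from Spring: the reproduction's endpoint registered with `setAllowedOriginPatterns` (on the STOMP registration from Spring Framework 5.3.2, per the comment above) and scoped to specific origins, plus a helper that runs the same `CorsConfiguration` origin check offline. The class name `WebSocketOriginConfig`, the helper `allowOriginFor`, and the `example.com` / `localhost:3000` origins are assumptions for illustration.

```java
package com.example.demo;

import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketOriginConfig implements WebSocketMessageBrokerConfigurer {

    // Assumed origins (illustrative): one wildcard subdomain pattern, one exact dev origin.
    static final String[] ORIGIN_PATTERNS = {
        "https://*.example.com",
        "http://localhost:3000"
    };

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // Patterns instead of setAllowedOrigins("*"): SockJS sets allowCredentials=true,
        // so a literal "*" in allowedOrigins is rejected with IllegalArgumentException.
        registry.addEndpoint("/endpoint")
                .setAllowedOriginPatterns(ORIGIN_PATTERNS)
                .withSockJS();
    }

    // Hypothetical helper: returns the Access-Control-Allow-Origin value Spring would
    // send for the given request Origin under these patterns, or null if it is rejected.
    static String allowOriginFor(String origin) {
        CorsConfiguration cors = new CorsConfiguration();
        cors.setAllowCredentials(true);
        cors.setAllowedOriginPatterns(List.of(ORIGIN_PATTERNS));
        return cors.checkOrigin(origin);
    }

    // Offline check with constructed sample origins; needs only spring-web on the classpath.
    public static void main(String[] args) {
        List<String> samples = List.of(
                "https://app.example.com",            // matches the wildcard pattern
                "http://localhost:3000",              // matches the exact origin
                "https://example.com.attacker.test"); // look-alike host, no pattern matches
        for (String origin : samples) {
            System.out.println(origin + " -> " + allowOriginFor(origin));
        }
    }
}
```

A bare `"*"` pattern is also accepted together with credentials, but it echoes back whatever `Origin` the request carries, so scoped patterns are what keep the origin restriction meaningful.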