No option to disable automatic addition of CORS header by Spring SockJS module [SPR-12283]

[spring-projects-issues]

Chandan opened SPR-12283 and commented

Spring sockjs library adds CORS header based on "origin" in the incoming request -unless it detects the header pre-added by Servlet filter or by any other mechanism.
We have a use case where CORS IP white listing is taken care by external system (Say some interceptor). If some how it is bypassed, sockjs will allow connection from any origin (because, incoming "origin" value will be mirrored in header) -opening a security loophole.
If there is an option to disable automatic addition of header, then even if some one hacks into sockjs url directly, browser will throw a CORS error.

---

Affects: 4.0 GA

Reference URL: http://stackoverflow.com/questions/26037250/how-to-disable-automatic-addition-of-cors-header-in-spring-sockjs-module-of-spri/26104535?noredirect=1#comment40967360_26104535

This issue is a sub-task of #16921

Referenced from: commits 58f4014

[spring-projects-issues]

Sébastien Deleuze commented

Implementation available in my #16888 branch. I will merge it in master when the pull request #670 will be integrated.

[spring-projects-issues]

Sébastien Deleuze commented

The automatic addition of CORS headers can now be disabled thanks to the suppressCors property available in Spring's SockJsService, JavaConfig and XML namespace.

[spring-projects-issues]

Chandan commented

Hello I updated my Spring to 41.2, but it's throwing error about missing method setRemoveOnCancelPolicy in ThreadPoolTaskSchedulerfailing.
I am using IBM provided Java (version java_1.7_64). and my container is Web Sphere. Asked here as well http://stackoverflow.com/questions/27107825/spring-build-4-1-2-is-throwing-error-about-missing-method-setremoveoncancelpolic. Following is the stack trace

org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler org.springframework.web.socket.config.annotation.WebSocketConfigurationSupport.defaultSockJsTaskScheduler()] threw exception; nested exception is java.lang.NoSuchMethodError: org/springframework/scheduling/concurrent/ThreadPoolTaskScheduler.setRemoveOnCancelPolicy(Z)V
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:581)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1025)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:921)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:487)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.jav