shiro-impl's WebContextSecurer currently performs two tasks: it adds the authentication layer, but it also adds CORS control headers, which defeat browsers' engine sensitivity.
The CORS policy needs to be separate from authentication and needs to be cross-cutting. Separate the CORS filter into its own component and integrate it via OSGi HTTP Whiteboard, so that it gets applied irrespective of WebContextSecurer invocation.
This component should be an experimental feature, which is not installed by default.
- is duplicated by: AAA-197 [CSRF] Attacker can insert or modify the entry of flow table (Resolved)
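One way the separation described above could look, as an added sketch that is not code from the project: a standalone servlet filter published through the OSGi HTTP Whiteboard for every servlet context, so it applies whether or not WebContextSecurer runs. The package, class name, and origin allowlist are hypothetical, and the allowlist-based policy is an assumption (the issue does not specify a policy).

```java
package org.example.cors; // hypothetical package, not the project's

import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.component.annotations.Component;

// Whiteboard registration: match every path in every servlet context, so the
// policy is cross-cutting and independent of the authentication wiring.
@Component(service = Filter.class, property = {
    "osgi.http.whiteboard.filter.pattern=/*",
    "osgi.http.whiteboard.context.select=(osgi.http.whiteboard.context.name=*)"
})
public final class CorsAllowlistFilter implements Filter {
    // Constructed sample value; assumed to come from configuration in practice.
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://ui.example.org");

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String origin = req.getHeader("Origin");
        res.addHeader("Vary", "Origin"); // response varies by caller; keep caches honest
        // Unknown origins get no CORS headers, leaving the browser's
        // same-origin policy in force for them.
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            res.setHeader("Access-Control-Allow-Origin", origin);
            boolean preflight = "OPTIONS".equals(req.getMethod())
                    && req.getHeader("Access-Control-Request-Method") != null;
            if (preflight) {
                res.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
                res.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
                res.setStatus(HttpServletResponse.SC_NO_CONTENT);
                return; // preflight is answered here and goes no further
            }
        }
        chain.doFilter(req, res);
    }
}
```

Packaging the bundle as a separate feature that is not installed by default, as the issue asks, is not shown here.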