celikfatih opened a new pull request, #2372: URL: https://github.com/apache/shiro/pull/2372
This PR implements the enhancement proposed in [SHIRO-953](https://github.com/apache/shiro/issues/953), allowing CORS preflight (OPTIONS) requests to bypass authentication across supported authentication filters. Browsers perform CORS preflight requests before sending actual cross-origin requests, and these preflight requests must not be forced through authentication in order for the CORS handshake to complete successfully. This change updates the access-control logic to detect preflight requests via `CorsUtils.isPreFlightRequest(...)` and immediately allow them when `allowPreflightRequests` is enabled. This behavior applies generically and is not limited to Basic authentication. Key Changes Added a preflight request check in `isAccessAllowed(...)` within the relevant filter. Ensured that OPTIONS requests with valid CORS headers bypass authentication. Updated Javadoc explaining the new behavior. Added unit tests for `CorsUtils.isPreFlightRequest(...)`. Issue Ref: [SHIRO-953](https://github.com/apache/shiro/issues/953) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
