Response header ``Vary`` since Spring Security 6.2.0

[renetrefft]

After upgrading from Spring Boot 3.1.* to Spring Boot 3.2.0 which includes Spring Security 6.2.0, responses of REST services provided by @Controller classes have Vary headers if org.springframework.boot:spring-boot-starter-security is in classpath.

Is this intended? We immediately noticed this change since our CDN Akamai does not cache responses with this header.

[malaquf]

Hi @renetrefft , we also noticed this issue and I believe this is the commit that introduces it. Now CorsFilter is configured by default if CorsConfigurationSource is present.

[malaquf]

I believe this side effect is not intended, as HandlerMappingIntrospector implements CorsConfigurationSource and is instantiated by default by WebMvcConfigurationSupport in spring boot auto configure.

[jzheaux]

I agree that this is likely not the intent. It may be best for Spring Security to be more conservative for the time being and pick up only UrlBasedCorsConfigurationSource instances.

[baezzys]

Hi @jzheaux I'd like to contribute to this issue. Can I work on it?

[marcusdacoregio]

Closed via 3d4bcf1

[piotrooo]

I think this change should be interpreted as a breaking change since, after the update from 3.3.2 to 3.3.3, it is no longer working.

FYI @marcusdacoregio, @baezzys and @jzheaux

@Configuration
public class CorsWebConfiguration implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/web/**")
                .allowedOriginPatterns("https://*.example.com")
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD");
    }
}