Description
Describe the bug
Spring Security documentation: CORS provides an example on how to configure CORS using a @Bean of type CorsConfigurationSource.
Starting from Spring Security 6.2.6 / 6.3.3 it does not work because it requires a @Bean of type UrlBasedCorsConfigurationSource (because of the fix for #15378, line 135 in #3d4bcf1).
To Reproduce
Prepare a basic Spring Security app, provide the following bean:
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
and observe the CORS headers are not returned for an authorized GET with Origin: https://example.com.
Update the above example to return UrlBasedCorsConfigurationSource and observe the CORS headers are now properly returned.
Note: the example with CorsConfigurationSource also did not work in previous versions (pre-6.2.6 / 6.3.3) when Spring Web was used, because HttpSecurityConfiguration#applyCorsIfAvailable required exactly one bean of type CorsConfiguration, and there was already one registered by WebMvcConfigurationSupport#mvcHandlerMappingIntrospector.
Expected behavior
Update Spring Security documentation with UrlBasedCorsConfigurationSource:
- https://docs.spring.io/spring-security/reference/servlet/integrations/cors.html - the example and description below
- (possibly also) https://docs.spring.io/spring-security/reference/reactive/integrations/cors.html
Sample
A minimal reproducible example can be found here.