spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

CORS example from the documentation does not work since Spring Security 6.2.6 / 6.3.3 #15769

Open mgocd opened 1 week ago

mgocd commented 1 week ago

Describe the bug

Spring Security documentation: CORS provides an example on how to configure CORS using a @Bean of type CorsConfigurationSource. Starting from Spring Security 6.2.6 / 6.3.3 it does not work because it requires a @Bean of type UrlBasedCorsConfigurationSource (because of the fix for #15378, line 135 in #3d4bcf1).

To Reproduce

Prepare a basic Spring Security app, provide the following bean:

import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Declared return type is CorsConfigurationSource, as in the documentation example
@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
    configuration.setAllowedMethods(Arrays.asList("GET","POST"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

and observe the CORS headers are not returned for an authorized GET with Origin: https://example.com.

Update the above example to return UrlBasedCorsConfigurationSource and observe the CORS headers are now properly returned.

Note: the example with CorsConfigurationSource also did not work in previous versions (pre-6.2.6 / 6.3.3) when Spring Web was used, because HttpSecurityConfiguration#applyCorsIfAvailable required exactly one bean of type CorsConfiguration, and there was already one registered by WebMvcConfigurationSupport#mvcHandlerMappingIntrospector.

Expected behavior

Update Spring Security documentation with UrlBasedCorsConfigurationSource:

Sample

A minimal reproducible example can be found here.
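The working variant of the configuration from the report, together with a MockMvc check that the CORS headers are really emitted for an allowed origin and withheld for any other, as an added example that is not the reporter's sample, the linked minimal project, or Spring Security's own code. It assumes a Spring Boot application with spring-boot-starter-web, spring-boot-starter-security and spring-security-test on the classpath; the class names CorsHeadersTest, App and Hello, the "/" endpoint and the origin https://attacker.example are hypothetical.

```java
// Added example (not the reporter's or the project's code). Assumes Spring Boot with
// spring-boot-starter-web, spring-boot-starter-security and spring-security-test.
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.List;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringBootConfiguration;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@SpringBootTest(classes = CorsHeadersTest.App.class)
@AutoConfigureMockMvc
class CorsHeadersTest {

    // Hypothetical minimal application, kept in the test so the file runs on its own.
    @SpringBootConfiguration
    @EnableAutoConfiguration
    @EnableWebSecurity
    static class App {

        @Bean
        SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                // cors() with defaults resolves the CORS source from the bean below
                .cors(Customizer.withDefaults())
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults());
            return http.build();
        }

        // Declared as UrlBasedCorsConfigurationSource: the type the report says works on
        // 6.2.6 / 6.3.3. The same body declared as CorsConfigurationSource is the failing case.
        @Bean
        UrlBasedCorsConfigurationSource corsConfigurationSource() {
            CorsConfiguration configuration = new CorsConfiguration();
            // Explicit allow-list: a single origin, no wildcard, only the methods needed,
            // and credentials left at the default (not allowed)
            configuration.setAllowedOrigins(List.of("https://example.com"));
            configuration.setAllowedMethods(List.of("GET", "POST"));
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", configuration);
            return source;
        }

        // Hypothetical endpoint so the authorized GET returns 200 rather than 404
        @Bean
        Hello hello() {
            return new Hello();
        }
    }

    @RestController
    static class Hello {
        @GetMapping("/")
        String hello() {
            return "ok";
        }
    }

    @Autowired
    MockMvc mvc;

    // The case from the report: an authorized GET with Origin: https://example.com
    // must carry Access-Control-Allow-Origin echoing that origin.
    @Test
    @WithMockUser
    void allowedOriginReceivesCorsHeader() throws Exception {
        mvc.perform(get("/").header("Origin", "https://example.com"))
            .andExpect(status().isOk())
            .andExpect(header().string("Access-Control-Allow-Origin", "https://example.com"));
    }

    // An origin outside the allow-list is rejected by the CorsFilter before the
    // handler runs, and no allow header is emitted for it.
    @Test
    @WithMockUser
    void otherOriginIsRejected() throws Exception {
        mvc.perform(get("/").header("Origin", "https://attacker.example"))
            .andExpect(status().isForbidden())
            .andExpect(header().doesNotExist("Access-Control-Allow-Origin"));
    }
}
```

The first test is the check the report describes; changing the declared return type of corsConfigurationSource() back to CorsConfigurationSource is the quickest way to see the failure mode on 6.2.6 / 6.3.3, because the header assertion then fails while the 200 status still passes. The second test is worth keeping regardless of version: it guards against a later edit loosening the allow-list to "*" or enabling credentials without anyone noticing.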

jzheaux commented 1 week ago

Thanks for the report, @mgocd. Are you able to contribute a PR to 6.2.x that updates the documentation?

petrovskimario commented 8 hours ago

I can provide a PR if this is open