Describe the bugSpring Security documentation: CORS provides an example on how to configure CORS using a @Bean of type CorsConfigurationSource.
Starting from Spring Security 6.2.6 / 6.3.3 it does not work because it requires a @Bean of type UrlBasedCorsConfigurationSource (because of the fix for #15378, line 135 in #3d4bcf1).
To Reproduce
Prepare a basic Spring Security app, provide the following bean:
and observe the CORS headers are not returned for an authorized GET with Origin: https://example.com.
Update the above example to return UrlBasedCorsConfigurationSource and observe the CORS headers are now properly returned.
Note: the example with CorsConfigurationSource also did not work in previous versions (pre-6.2.6 / 6.3.3) when Spring Web was used, because HttpSecurityConfiguration#applyCorsIfAvailable required exactly one bean of type CorsConfiguration, and there was already one registered by WebMvcConfigurationSupport#mvcHandlerMappingIntrospector.
Expected behavior
Update Spring Security documentation with UrlBasedCorsConfigurationSource:
Describe the bug Spring Security documentation: CORS provides an example on how to configure CORS using a
@Bean
of typeCorsConfigurationSource
. Starting from Spring Security 6.2.6 / 6.3.3 it does not work because it requires a@Bean
of typeUrlBasedCorsConfigurationSource
(because of the fix for #15378, line 135 in #3d4bcf1).To Reproduce Prepare a basic Spring Security app, provide the following bean:
and observe the CORS headers are not returned for an authorized GET with
Origin: https://example.com
.Update the above example to return
UrlBasedCorsConfigurationSource
and observe the CORS headers are now properly returned.Note: the example with
CorsConfigurationSource
also did not work in previous versions (pre-6.2.6 / 6.3.3) when Spring Web was used, becauseHttpSecurityConfiguration#applyCorsIfAvailable
required exactly one bean of typeCorsConfiguration
, and there was already one registered byWebMvcConfigurationSupport#mvcHandlerMappingIntrospector
.Expected behavior Update Spring Security documentation with
UrlBasedCorsConfigurationSource
:Sample
A minimal reproducible example can be found here.