How to enable CORS at Spring Security level in Spring boot


Solution 1

This is a way to make Spring Security 4.1 support CORS with Spring Boot 1.5:

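import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class WebConfig extends WebMvcConfigurerAdapter {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Spring MVC level: allow these HTTP methods on every path
        registry.addMapping("/**")
            .allowedMethods("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH");
    }
}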

with

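import com.google.common.collect.ImmutableList; // Guava
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
//        http.csrf().disable();
        // Spring Security level: cors() uses the corsConfigurationSource bean below
        http.cors();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        final CorsConfiguration configuration = new CorsConfiguration();
        // "*" plus allowCredentials(true): any site can make credentialed requests
        // (Spring Framework 5.3+ rejects this combination with IllegalArgumentException)
        configuration.setAllowedOrigins(ImmutableList.of("*"));
        configuration.setAllowedMethods(ImmutableList.of("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH"));
        configuration.setAllowCredentials(true);
        configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}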

Solution 2

CORS with Spring Security:

To enable CORS support through Spring Security, configure a CorsConfigurationSource bean and use the HttpSecurity.cors() configuration.

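import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // cors() makes Spring Security use the corsConfigurationSource bean below
        http.cors().and()
            // other config
            ;
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        // Only this origin and these methods are allowed cross-origin
        configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}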

Reference: https://howtodoinjava.com/spring-boot2/spring-cors-configuration/
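Added example, not part of either answer: it asks Spring's own `CorsConfiguration.checkOrigin` what it would send back for a request origin under Solution 1's wildcard-plus-credentials policy and under an explicit allowlist like Solution 2's with credentials enabled. It needs only spring-web on the classpath; the class name, helper names and sample origins are made up for illustration.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.web.cors.CorsConfiguration;

// Added example: compares the origin decision of the two policies on this page.
public class CorsOriginCheck {

    // Solution 1's policy: any origin, with credentials.
    static CorsConfiguration wildcardWithCredentials() {
        CorsConfiguration c = new CorsConfiguration();
        c.setAllowedOrigins(Collections.singletonList("*"));
        c.setAllowCredentials(true);
        return c;
    }

    // Solution 2's allowlist, with credentials switched on for comparison.
    static CorsConfiguration allowlistWithCredentials() {
        CorsConfiguration c = new CorsConfiguration();
        c.setAllowedOrigins(Arrays.asList("https://example.com"));
        c.setAllowCredentials(true);
        return c;
    }

    // Value Spring would use for Access-Control-Allow-Origin, or a marker when refused.
    static String decide(CorsConfiguration c, String requestOrigin) {
        try {
            String allowed = c.checkOrigin(requestOrigin);
            return allowed != null ? allowed : "(rejected)";
        } catch (IllegalArgumentException e) {
            // Spring Framework 5.3+ refuses "*" together with allowCredentials=true.
            return "(invalid configuration: " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample origins: one on the allowlist, one not.
        String[] origins = {"https://example.com", "https://other.example"};
        for (String origin : origins) {
            System.out.println(origin + " | wildcard  -> " + decide(wildcardWithCredentials(), origin));
            System.out.println(origin + " | allowlist -> " + decide(allowlistWithCredentials(), origin));
        }
    }
}
```

On the Spring Framework 4.3 line that Spring Boot 1.5 uses, the wildcard policy returns the caller's own origin for every request, while the allowlist rejects `https://other.example`. From Spring Framework 5.3 the wildcard-with-credentials combination throws `IllegalArgumentException`, which `decide` reports instead.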


Author: Lahiru Gamage

I am a former software engineer of MAS Holdings and contribute to Java, .NET and SAP projects.

Updated on September 15, 2022

Comments

  • Lahiru Gamage
    Lahiru Gamage over 1 year

    I am working with a Spring Boot application which uses Spring Security. I have tried @CrossOrigin to enable CORS but it didn't work.

    If you want to find my error, refer to this

    Spring Blogs says that when we are working with Spring Security, we must enable CORS at the Spring Security level.

    And my project is below.

    Can anyone explain where I should put this configuration and how to find the Spring Security level?

  • g00glen00b
    g00glen00b about 6 years
    @LahiruGamage it doesn't matter, it's a Spring bean like any others, so as long as it's within a (sub)package relative to the main class, it will work.
  • Lahiru Gamage
    Lahiru Gamage about 6 years
    What is ImmutableList here?
  • Lahiru Gamage
    Lahiru Gamage about 6 years
    I have found the solution for this and inserted it in my previous post. I'm not allowed to answer this question. Thank you both @henchiri and Sibin cms, because it is a combination of your answers. +1 for both
  • Lahiru Gamage
    Lahiru Gamage about 6 years
    I have found the solution for this and inserted it in my previous post. I'm not allowed to answer this question. Thank you both henchiri and @Sibin, because it is a combination of your answers. +1 for both
  • Albert Hendriks
    Albert Hendriks over 3 years
    What to put at the dots in http.cors().and()...?