How to configure CORS in a Spring Boot + Spring Security application?


Spring Security can now leverage Spring MVC CORS support described in this blog post I wrote.

To make it work, you need to explicitly enable CORS support at Spring Security level as follows, otherwise CORS-enabled requests may be blocked by Spring Security before reaching Spring MVC.

If you are using controller level @CrossOrigin annotations, you just have to enable Spring Security CORS support and it will leverage Spring MVC configuration:

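    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Enable Spring Security's CORS support; it reuses the Spring MVC CORS configuration
            http.cors().and()...
        }
    }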

If you prefer using CORS global configuration, you can declare a CorsConfigurationSource bean as follows:

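    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.CorsConfigurationSource;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.cors().and()...
        }

        @Bean
        CorsConfigurationSource corsConfigurationSource() {
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            // applyPermitDefaultValues() permits all origins and headers with GET, HEAD and POST
            source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
            return source;
        }
    }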

This approach supersedes the filter-based approach previously recommended.

You can find more details in the dedicated CORS section of Spring Security documentation.


If you use JDK 8+, there is a one-line lambda solution:

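    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.web.cors.CorsConfiguration;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // The lambda is the CorsConfigurationSource; permit-defaults allows all origins
            http.cors().configurationSource(request -> new CorsConfiguration().applyPermitDefaultValues());
        }
    }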


If you are using Spring Security, you can do the following to ensure that CORS requests are handled first:

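    import java.util.Arrays;

    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.CorsConfigurationSource;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // by default uses a Bean by the name of corsConfigurationSource
                .cors().and()
                ...
        }

        @Bean
        CorsConfigurationSource corsConfigurationSource() {
            CorsConfiguration configuration = new CorsConfiguration();
            // Only this origin and these methods pass the CORS check
            configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
            configuration.setAllowedMethods(Arrays.asList("GET", "POST"));
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            source.registerCorsConfiguration("/**", configuration);
            return source;
        }
    }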

See Spring 4.2.x CORS for more information.

Without Spring Security this will work:

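    import org.springframework.context.annotation.Bean;
    import org.springframework.web.servlet.config.annotation.CorsRegistry;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

    // Declare this bean inside a @Configuration class
    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                // "*" accepts requests from every origin on every path
                registry.addMapping("/**")
                        .allowedOrigins("*")
                        .allowedMethods("GET", "PUT", "POST", "PATCH", "DELETE", "OPTIONS");
            }
        };
    }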
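A way to check that a restrictive policy such as the `https://example.com` / `GET`, `POST` configuration shown above is actually enforced by the security filter chain. This is an added example, not code from any of the answers. It assumes JUnit 5 and `spring-boot-starter-test` on the classpath; the path `/api/items` and the origin `https://other.example` are hypothetical values constructed for the test.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpHeaders;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.ResultActions;

@SpringBootTest
@AutoConfigureMockMvc
class CorsPolicyTest {

    // Hypothetical path: the policy is registered for "/**", so any path is covered.
    private static final String PATH = "/api/items";

    @Autowired
    private MockMvc mockMvc;

    // Sends a CORS preflight (OPTIONS + Origin + Access-Control-Request-Method).
    private ResultActions preflight(String origin, String method) throws Exception {
        return mockMvc.perform(options(PATH)
                .header(HttpHeaders.ORIGIN, origin)
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, method));
    }

    @Test
    void allowedOriginAndMethodPassPreflight() throws Exception {
        preflight("https://example.com", "POST")
                .andExpect(status().isOk())
                .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "https://example.com"));
    }

    @Test
    void unlistedOriginIsRejected() throws Exception {
        preflight("https://other.example", "POST")
                .andExpect(status().isForbidden())
                .andExpect(header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    }

    @Test
    void unlistedMethodIsRejected() throws Exception {
        // DELETE is not in setAllowedMethods("GET", "POST")
        preflight("https://example.com", "DELETE").andExpect(status().isForbidden());
    }
}
```

If the first test fails with 401 or 403, `http.cors()` is probably missing and Spring Security is rejecting the unauthenticated preflight before the CORS configuration is consulted.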