CORS documentation should use UrlBasedCorsConfigurationSource #15769

Closed
mgocd opened this issue Sep 9, 2024 · 3 comments

mgocd commented Sep 9, 2024

Describe the bug
Spring Security documentation: CORS provides an example on how to configure CORS using a @Bean of type CorsConfigurationSource.
Starting from Spring Security 6.2.6 / 6.3.3 it does not work because it requires a @Bean of type UrlBasedCorsConfigurationSource (because of the fix for #15378, line 135 in #3d4bcf1).

To Reproduce
Prepare a basic Spring Security app, provide the following bean:

@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
    configuration.setAllowedMethods(Arrays.asList("GET","POST"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

and observe the CORS headers are not returned for an authorized GET with Origin: https://example.com.

Update the above example to return UrlBasedCorsConfigurationSource and observe the CORS headers are now properly returned.

Note: the example with CorsConfigurationSource also did not work in previous versions (pre-6.2.6 / 6.3.3) when Spring Web was used, because HttpSecurityConfiguration#applyCorsIfAvailable required exactly one bean of type CorsConfiguration, and there was already one registered by WebMvcConfigurationSupport#mvcHandlerMappingIntrospector.

Expected behavior
Update Spring Security documentation with UrlBasedCorsConfigurationSource:

Sample

A minimal reproducible example can be found here.
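A regression check for the behaviour reported above, as an added example that is not part of the issue or of the Spring Security documentation. The names `CorsApp`, `CorsHeaderTest` and the `/ping` endpoint are assumptions, as is a Spring Boot 3 project with the web, security and test starters plus `spring-security-test`.

```java
// Added example; CorsApp, CorsHeaderTest and /ping are hypothetical names.
// Assumes Spring Boot 3 with the web, security and test starters and spring-security-test.
import java.util.List;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

@SpringBootApplication
@RestController
class CorsApp {
    @GetMapping("/ping") public String ping() { return "pong"; }
    @Bean // no http.cors() call: the issue relies on HttpSecurityConfiguration#applyCorsIfAvailable
    SecurityFilterChain chain(HttpSecurity http) throws Exception {
        return http.authorizeHttpRequests(a -> a.anyRequest().authenticated()).build();
    }
    @Bean // concrete return type, which the issue reports is required since 6.2.6 / 6.3.3
    UrlBasedCorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(List.of("https://example.com"));
        configuration.setAllowedMethods(List.of("GET", "POST"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

@SpringBootTest(classes = CorsApp.class)
@AutoConfigureMockMvc
class CorsHeaderTest {
    @Autowired MockMvc mvc;
    @Test @WithMockUser // authenticated GET with an allowed Origin, as in the reproduction steps
    void allowedOriginGetsCorsHeader() throws Exception {
        mvc.perform(get("/ping").header("Origin", "https://example.com"))
           .andExpect(header().string("Access-Control-Allow-Origin", "https://example.com"));
    }
}
```

Per the report, changing the bean's declared return type back to `CorsConfigurationSource` should make this test fail on the affected versions, which makes it a useful guard when upgrading.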

@mgocd mgocd added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Sep 9, 2024
Contributor

jzheaux commented Sep 10, 2024

Thanks for the report, @mgocd. Are you able to contribute a PR to 6.2.x that updates the documentation?

@jzheaux jzheaux self-assigned this Sep 10, 2024
@jzheaux jzheaux added in: docs An issue in Documentation or samples and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 10, 2024
@jzheaux jzheaux added this to the 6.2.7 milestone Sep 10, 2024
@jzheaux jzheaux added the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label Sep 17, 2024
Contributor

petrovskimario commented Sep 19, 2024

I can provide a PR if this is open; however, on 6.2.x I cannot find this Bean, all of them are updated with UrlBasedCorsConfigurationSource.

In 6.1.x I see the mentioned Bean.

Contributor

jzheaux commented Sep 24, 2024

Apologies, @petrovskimario, the ticket is just out of date. This was addressed in b9f051d. Thanks for your willingness to help!

@jzheaux jzheaux closed this as completed Sep 24, 2024
@jzheaux jzheaux added type: task A general task and removed status: ideal-for-contribution An issue that we actively are looking for someone to help us with type: bug A general bug labels Sep 24, 2024
@jzheaux jzheaux changed the title CORS example from the documentation does not work since Spring Security 6.2.6 / 6.3.3 CORS documentation should use UrlBasedCorsConfigurationSource Sep 24, 2024