
CORS configuration in Security in Spring Boot - Practice Problems & Coding Challenges

Challenge - 5 Problems
Component behavior - intermediate
What is the effect of this Spring Security CORS configuration?
Consider this Spring Security configuration snippet for CORS:
http.cors().and().csrf().disable();

What does this configuration do regarding CORS requests?
A. Enables CORS with custom settings but keeps CSRF enabled.
B. Disables CORS support and enables CSRF protection.
C. Disables both CORS and CSRF protections.
D. Enables CORS support using default settings and disables CSRF protection.
💡 Hint
Think about what calling cors() and csrf().disable() does in Spring Security.
📝 Syntax - intermediate
Which option correctly defines a CORS configuration source bean in Spring Boot?
You want to define a bean that customizes CORS mappings in Spring Boot Security. Which code snippet is syntactically correct?
A. public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", config); return source; }
B. @Bean public void corsConfigurationSource() { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", config); }
C. @Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", config); return source; }
D. @Bean CorsConfigurationSource corsConfigurationSource() { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", config); return source; }
💡 Hint
Remember the @Bean annotation and method return type are required for Spring to recognize the bean.
🔧 Debug - advanced
Why does this CORS configuration not allow requests from 'http://example.com'?
Given this CORS configuration bean:
@Bean
public CorsConfigurationSource corsConfigurationSource() {
  CorsConfiguration config = new CorsConfiguration();
  config.addAllowedOrigin("http://example.com");
  config.addAllowedMethod("GET");
  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  source.registerCorsConfiguration("/**", config);
  return source;
}

And the security config:
http.cors().and().csrf().disable();

Why might requests from 'http://example.com' still be blocked by the browser?
A. The allowed origin must be set with a trailing slash like 'http://example.com/'.
B. The allowed origin must be set using 'setAllowedOriginPatterns' instead of 'addAllowedOrigin' to support subdomains or patterns.
C. The CORS configuration bean is not registered because the method lacks the @Configuration annotation.
D. CSRF is disabled, so CORS requests are blocked by default.
💡 Hint
Think about how Spring Security matches origins with patterns.
State output - advanced
What is the value of 'allowedMethods' after this CORS config code runs?
Given this code snippet:
CorsConfiguration config = new CorsConfiguration();
config.addAllowedMethod("GET");
config.addAllowedMethod("POST");
config.setAllowedMethods(List.of("PUT", "DELETE"));
List<String> allowedMethods = config.getAllowedMethods();

What is the content of 'allowedMethods'?
A. ["PUT", "DELETE"]
B. ["GET", "POST", "PUT", "DELETE"]
C. ["GET", "POST"]
D. null
💡 Hint
Consider what setAllowedMethods does compared to addAllowedMethod.
🧠 Conceptual - expert
Which statement best describes the role of CORS configuration in Spring Security?
Select the most accurate description of how CORS configuration interacts with Spring Security and browser behavior.
A. CORS configuration in Spring Security controls which cross-origin requests the server accepts, but browsers enforce CORS policies based on server response headers.
B. CORS configuration in Spring Security automatically adds an Access-Control-Allow-Origin: * header to all responses.
C. CORS configuration in Spring Security only affects CSRF tokens and does not influence cross-origin requests.
D. CORS configuration in Spring Security disables browser CORS checks entirely, allowing all cross-origin requests.
💡 Hint
Think about the difference between server-side configuration and browser enforcement.

Practice

1. What is the main purpose of configuring CORS in a Spring Boot security setup?
easy
A. To control which external websites can access your backend resources
B. To improve database query performance
C. To manage user authentication tokens
D. To style the frontend user interface

Solution

  1. Step 1: Understand CORS role in web security

    CORS (Cross-Origin Resource Sharing) controls which external domains can call your backend APIs.
  2. Step 2: Identify the purpose in Spring Boot security

    Configuring CORS in Spring Security allows safe cross-site requests by specifying allowed origins and methods.
  3. Final Answer:

    To control which external websites can access your backend resources -> Option A
  4. Quick Check:

    CORS controls access origins = A [OK]
Hint: CORS = Cross-Origin access control [OK]
Common Mistakes:
  • Confusing CORS with authentication
  • Thinking CORS improves database speed
  • Assuming CORS styles frontend
2. Which of the following is the correct way to enable CORS in a Spring Security configuration class?
easy
A. http.corsEnabled(true);
B. http.enableCors();
C. http.allowCors(true);
D. http.cors().and().csrf().disable();

Solution

  1. Step 1: Recall Spring Security CORS enabling syntax

    Spring Security uses the method http.cors() to enable CORS support.
  2. Step 2: Identify the correct chaining method

    The correct chaining to disable CSRF and enable CORS is http.cors().and().csrf().disable();
  3. Final Answer:

    http.cors().and().csrf().disable(); -> Option D
  4. Quick Check:

    Enable CORS with http.cors() = D [OK]
Hint: Use http.cors() to enable CORS in Spring Security [OK]
Common Mistakes:
  • Using non-existent methods like enableCors()
  • Forgetting to chain with .and()
  • Confusing CORS enabling with CSRF
3. Given this Spring Security CORS configuration snippet, what origins are allowed?
@Bean
public CorsConfigurationSource corsConfigurationSource() {
  CorsConfiguration configuration = new CorsConfiguration();
  configuration.setAllowedOrigins(List.of("https://example.com", "https://app.example.com"));
  configuration.setAllowedMethods(List.of("GET", "POST"));
  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  source.registerCorsConfiguration("/**", configuration);
  return source;
}
medium
A. No origins are allowed because configuration is incomplete
B. Requests from any origin are allowed
C. Only requests from https://example.com and https://app.example.com are allowed
D. Only GET requests from any origin are allowed

Solution

  1. Step 1: Analyze allowed origins list

    The code sets allowed origins explicitly to "https://example.com" and "https://app.example.com".
  2. Step 2: Understand effect on requests

    Only requests coming from these two origins will be accepted; others will be blocked by CORS policy.
  3. Final Answer:

    Only requests from https://example.com and https://app.example.com are allowed -> Option C
  4. Quick Check:

    Allowed origins = example.com and app.example.com = C [OK]
Hint: Allowed origins list controls which sites can call backend [OK]
Common Mistakes:
  • Assuming all origins allowed by default
  • Confusing allowed methods with allowed origins
  • Thinking configuration is incomplete without headers
4. Identify the error in this Spring Security CORS configuration code:
@Bean
public CorsConfigurationSource corsConfigurationSource() {
  CorsConfiguration configuration = new CorsConfiguration();
  configuration.setAllowedOrigins("*");
  configuration.setAllowedMethods(List.of("GET", "POST"));
  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
  source.registerCorsConfiguration("/**", configuration);
  return source;
}
medium
A. Allowed methods list is missing PUT and DELETE
B. setAllowedOrigins expects a list, not a single string
C. UrlBasedCorsConfigurationSource cannot be used here
D. The method should return void, not CorsConfigurationSource

Solution

  1. Step 1: Check setAllowedOrigins parameter type

    The method setAllowedOrigins requires a List<String>, but the code passes a single String "*".
  2. Step 2: Understand correct usage for wildcard

    To allow all origins, use List.of("*") instead of a plain string.
  3. Final Answer:

    setAllowedOrigins expects a list, not a single string -> Option B
  4. Quick Check:

    Allowed origins must be List<String> = B [OK]
Hint: setAllowedOrigins needs a list, not a string [OK]
Common Mistakes:
  • Passing a string instead of a list to setAllowedOrigins
  • Ignoring method parameter types
  • Assuming missing HTTP methods cause errors here
5. You want to allow all origins but only GET and POST methods in your Spring Security CORS config. Which code snippet correctly achieves this while following best practices?
hard
A. configuration.setAllowedOriginPatterns(List.of("*")); configuration.setAllowedMethods(List.of("GET", "POST"));
B. configuration.setAllowedOrigins(List.of("*")); configuration.setAllowedMethods(List.of("GET", "POST"));
C. configuration.setAllowedOrigins("*"); configuration.setAllowedMethods(List.of("GET", "POST"));
D. configuration.setAllowedOrigins(List.of("*")); configuration.setAllowedMethods(List.of("GET", "POST", "PUT"));

Solution

  1. Step 1: Understand wildcard origin allowance

    Using setAllowedOrigins(List.of("*")) is deprecated and may cause issues; instead, setAllowedOriginPatterns supports wildcards properly.
  2. Step 2: Check allowed methods correctness

    Only GET and POST methods are allowed as required.
  3. Final Answer:

    configuration.setAllowedOriginPatterns(List.of("*")); configuration.setAllowedMethods(List.of("GET", "POST")); -> Option A
  4. Quick Check:

    Use allowedOriginPatterns for wildcard origins = A [OK]
Hint: Use setAllowedOriginPatterns for wildcard origins [OK]
Common Mistakes:
  • Using setAllowedOrigins with "*" string
  • Allowing extra HTTP methods by mistake
  • Passing string instead of list to allowed origins
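A complete configuration that ties the practice questions together: the http.cors().and().csrf().disable() wiring from question 2, an explicit origin allow-list as in question 3, and GET/POST-only methods as in question 5. This is an added example, not code from the page; the origin list, the /api/** path and the header names are assumptions.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class CorsSecurityConfig {

    // Assumed allow-list: replace with the origins of your own front ends.
    private static final List<String> TRUSTED_ORIGINS =
            List.of("https://example.com", "https://app.example.com");

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // http.cors() picks up the CorsConfigurationSource bean declared below;
        // csrf().disable() is only appropriate for a stateless, token-based API.
        http.cors().and().csrf().disable();
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Explicit origins rather than "*": the browser compares its Origin header
        // with the Access-Control-Allow-Origin value the server sends back.
        config.setAllowedOrigins(TRUSTED_ORIGINS);
        // setAllowedMethods replaces any list built up with addAllowedMethod.
        config.setAllowedMethods(List.of("GET", "POST"));
        // Assumed headers; list only what the front end actually sends.
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        // Spring rejects allowCredentials(true) together with a "*" entry in
        // allowedOrigins; a wildcard would have to go through setAllowedOriginPatterns.
        config.setAllowCredentials(true);
        // Cache the preflight response for one hour.
        config.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Assumed path: scope the policy to the API instead of "/**".
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}
```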