Spring Boot framework, ~10 mins

CORS configuration in Security in Spring Boot - Step-by-Step Execution

Concept Flow - CORS configuration in Security
1. Client sends HTTP request
2. Server receives request
3. Spring Security intercepts request
4. Check CORS configuration
5. Process request
6. Send response back to client
This flow shows how a client request is checked against the CORS rules in Spring Security before it is processed or rejected.
Execution Sample (Spring Boot)
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.*;

@Configuration
public class SecurityConfig {
  @Bean
  SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // cors() installs the CorsFilter, which looks up the CorsConfigurationSource bean below
    http.cors(Customizer.withDefaults())
        .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
    return http.build();
  }

  @Bean
  CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowedOrigins(List.of("http://example.com")); // exact origin, not "*"
    config.setAllowedMethods(List.of("GET", "POST"));         // any other method is rejected
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", config);          // apply to every path
    return source;
  }
}
This code configures Spring Security to allow cross-origin requests on every path only from http://example.com and only with the GET and POST methods; every request still has to be authenticated.
Execution Table

| Step | Request Origin | Request Method | CORS Allowed? | Action | Response |
|---|---|---|---|---|---|
| 1 | http://example.com | GET | Yes | Process request | 200 OK with data |
| 2 | http://example.com | POST | Yes | Process request | 200 OK with data |
| 3 | http://malicious.com | GET | No | Reject request | 403 CORS error |
| 4 | http://example.com | DELETE | No | Reject request | 403 CORS error |
| 5 | http://example.com | OPTIONS | Yes | Process preflight | 200 OK preflight |
| 6 | http://unknown.com | POST | No | Reject request | 403 CORS error |
| 7 | - | - | - | - | Stop: No more requests |
💡 A request is rejected as soon as either its origin or its method is not allowed by the CORS config; it never reaches the controller.
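The rows of the Execution Table can be replayed against the configuration above with MockMvc. This is an added example, not part of the original page: it assumes the SecurityConfig from the Execution Sample, a hypothetical authenticated GET endpoint at /api/data, and spring-boot-starter-test plus spring-security-test on the classpath.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpHeaders;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test class; /api/data is an assumed authenticated GET endpoint of the app.
@SpringBootTest
@AutoConfigureMockMvc
class CorsExecutionTableTest {
  @Autowired MockMvc mvc;

  // Row 1: allowed origin + allowed method -> processed, origin echoed in Access-Control-Allow-Origin
  @Test @WithMockUser
  void allowedOriginAndMethodIsProcessed() throws Exception {
    mvc.perform(get("/api/data").header(HttpHeaders.ORIGIN, "http://example.com"))
       .andExpect(status().isOk())
       .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "http://example.com"));
  }

  // Row 3: origin not in allowedOrigins -> CorsFilter answers 403 before the controller runs,
  // even though the user is authenticated and GET is an allowed method
  @Test @WithMockUser
  void unknownOriginIsRejected() throws Exception {
    mvc.perform(get("/api/data").header(HttpHeaders.ORIGIN, "http://malicious.com"))
       .andExpect(status().isForbidden())
       .andExpect(header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
  }

  // Rows 4 and 5: a preflight is an OPTIONS request carrying Origin + Access-Control-Request-Method.
  // The CorsFilter answers it itself, without authentication, but only if that method is allowed.
  @Test
  void preflightIsCheckedAgainstAllowedMethods() throws Exception {
    mvc.perform(options("/api/data")
            .header(HttpHeaders.ORIGIN, "http://example.com")
            .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "DELETE"))
       .andExpect(status().isForbidden());
    mvc.perform(options("/api/data")
            .header(HttpHeaders.ORIGIN, "http://example.com")
            .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST"))
       .andExpect(status().isOk())
       .andExpect(header().exists(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
  }
}
```

A request without an Origin header is not a CORS request at all and is never checked by the CorsFilter, so these tests only cover browser-style cross-origin traffic.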
Variable Tracker

| Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | Final |
|---|---|---|---|---|---|---|
| allowedOrigins | [] | [http://example.com] | [http://example.com] | [http://example.com] | [http://example.com] | [http://example.com] |
| allowedMethods | [] | [GET, POST] | [GET, POST] | [GET, POST] | [GET, POST] | [GET, POST] |
| requestOrigin | - | http://example.com | http://example.com | http://malicious.com | http://example.com | - |
| requestMethod | - | GET | POST | GET | DELETE | - |
| corsAllowed | - | true | true | false | false | - |
Key Moments - 3 Insights
Why does a request from http://malicious.com get rejected even if the method is GET?
Because the origin http://malicious.com is not in the allowedOrigins list (Execution Table, row 3). The origin check fails first, so the method is never even considered and CORS blocks the request.
Why is the OPTIONS method allowed even though it is not explicitly listed in allowedMethods?
OPTIONS is the method browsers use for CORS preflight requests. When CORS is enabled, Spring Security's CorsFilter answers the preflight itself, before authentication, as long as the origin and the method named in Access-Control-Request-Method are allowed (Execution Table, row 5).
What happens if the request method is DELETE, which is not allowed?
The request is rejected with a CORS error because DELETE is not in allowedMethods (Execution Table, row 4).
Visual Quiz - 3 Questions
Test your understanding
1. Look at the Execution Table: what is the response when the request origin is http://example.com and the method is GET?
A) 404 Not Found
B) 403 CORS error
C) 200 OK with data
D) 500 Server Error
💡 Hint: Check Execution Table row 1 under the Response column.
2. At which step does the CORS check fail due to an unallowed origin?
A) Step 2
B) Step 3
C) Step 5
D) Step 1
💡 Hint: Look at Execution Table row 3, where the request origin is http://malicious.com and "CORS Allowed?" is No.
3. If we add "DELETE" to allowedMethods, which step's action would change from reject to process?
A) Step 4
B) Step 6
C) Step 3
D) Step 5
💡 Hint: Check Execution Table row 4, where the method is DELETE and the action is reject.
Concept Snapshot
CORS configuration in Spring Security:
- Enable with http.cors() in SecurityFilterChain
- Define allowed origins and methods in CorsConfigurationSource bean
- Spring Security checks origin and method on each request
- Allowed requests proceed, others get CORS error
- OPTIONS requests for preflight handled automatically
Full Transcript
When a client sends a request, Spring Security intercepts it and checks the CORS configuration. It compares the request's Origin header and HTTP method with the allowed origins and methods defined in the CorsConfigurationSource bean. If both match, the request is processed normally and the response carries the matching Access-Control-Allow-Origin header. If either the origin or the method is not allowed, Spring Security rejects the request with a 403 CORS error, preventing unauthorized cross-origin access from the browser. OPTIONS requests that carry an Origin and an Access-Control-Request-Method header are treated as preflight checks and answered automatically when CORS is enabled. Note that this check only applies to requests carrying an Origin header, i.e. cross-origin requests made by a browser; for every other client it is the authentication rule on the filter chain that protects the endpoint. Together this ensures that only trusted origins and methods can reach the server resources from a browser.