How to Configure CORS in Spring Security: Simple Guide
To configure
CORS in Spring Security, define a CorsConfigurationSource bean and enable CORS in your SecurityFilterChain by calling http.cors(). This setup allows you to specify allowed origins, methods, and headers securely within Spring Security.Syntax
Configure CORS in Spring Security by creating a CorsConfigurationSource bean that defines allowed origins, methods, and headers. Then enable CORS support in the SecurityFilterChain by calling http.cors(). This integrates CORS handling into Spring Security's filter chain.
java
import org.springframework.context.annotation.Bean; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; @Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration = new CorsConfiguration(); configuration.addAllowedOrigin("https://example.com"); configuration.addAllowedMethod("GET"); configuration.addAllowedMethod("POST"); configuration.addAllowedHeader("*"); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", configuration); return source; } @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.cors(); // Enable CORS support // other security config return http.build(); }
Example
This example shows a complete Spring Security configuration that enables CORS for requests from https://example.com allowing GET and POST methods with any headers. It integrates CORS handling into the security filter chain.
java
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.web.SecurityFilterChain; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; @Configuration public class SecurityConfig { @Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration = new CorsConfiguration(); configuration.addAllowedOrigin("https://example.com"); configuration.addAllowedMethod("GET"); configuration.addAllowedMethod("POST"); configuration.addAllowedHeader("*"); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", configuration); return source; } @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.cors(); http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated()); http.httpBasic(); return http.build(); } }
Output
When running, Spring Security will allow cross-origin requests from https://example.com with GET and POST methods and any headers, enforcing authentication on all requests.
Common Pitfalls
- Not defining a
CorsConfigurationSourcebean causeshttp.cors()to have no effect. - Using
addAllowedOrigin("*")with credentials enabled will fail; specify exact origins instead. - Forgetting to call
http.cors()in the security config disables CORS support. - Configuring CORS only in
WebMvcConfigurerbut not in Spring Security leads to blocked requests.
java
/* Wrong: No CorsConfigurationSource bean */ @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.cors(); // No source defined, no CORS allowed return http.build(); } /* Right: Define CorsConfigurationSource bean and enable cors() */ @Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration = new CorsConfiguration(); configuration.addAllowedOrigin("https://example.com"); configuration.addAllowedMethod("GET"); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", configuration); return source; } @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.cors(); return http.build(); }
Quick Reference
Tips for configuring CORS in Spring Security:
- Always define a
CorsConfigurationSourcebean to specify allowed origins, methods, and headers. - Call
http.cors()in yourSecurityFilterChainto enable CORS support. - Do not use wildcard
*for origins if credentials are required; specify exact origins. - Configure CORS in Spring Security, not just in MVC, to avoid blocked requests.
Key Takeaways
Define a CorsConfigurationSource bean to specify CORS rules in Spring Security.
Enable CORS by calling http.cors() in your SecurityFilterChain configuration.
Avoid using wildcard origins with credentials; specify exact allowed origins.
Configure CORS within Spring Security to ensure cross-origin requests are handled properly.
Common mistakes include missing CorsConfigurationSource or forgetting to enable cors() in security.