
Combine global Spring Security CORS configuration with @CrossOrigin - Stack Overflow


I am implementing a CORS config for my application, where I use Spring Security for the global configuration and also @CrossOrigin with stricter CORS rules than in my global configuration on a specific endpoint.

My @CrossOrigin-annotated endpoint rule is ignored, allowing any cross-origin request to pass. However, my understanding is that at first Spring Security's CorsFilter should allow the request and later some HandlerInterceptor should find the @CrossOrigin annotation and perform a second CORS check too.

Can those two CORS configurations be used together, or once I opted in to the Security CORS configuration should I set up everything there?

.cors(withDefaults())

@Bean
fun corsConfigurationSource(): CorsConfigurationSource {
    val source = UrlBasedCorsConfigurationSource()
    // superPermissiveConfiguration() builds the global (permissive) CorsConfiguration
    source.registerCorsConfiguration("/**", superPermissiveConfiguration())
    return source
}

@GetMapping("/set-csrf-cookie")
@ResponseStatus(HttpStatus.OK)
@CrossOrigin(origins = ["https://<someURL>/"]) // UI application URL
fun setCsrfCookie() {}

I expect the @CrossOrigin-annotated endpoint to be checked after the CorsFilter and to overwrite the global configuration.

asked Mar 13 at 15:54 by Kirill Shpak

  • The rules for how the annotation works with the global configuration are stated in the docs: docs.spring.io/spring-framework/docs/current/javadoc-api//… They are additive, meaning the local configuration will add onto the global one. – Toerktumlare Commented Mar 14 at 23:11

1 Answer

I see an issue because Spring Security takes full control of CORS once you enable http.cors(withDefaults()), which means @CrossOrigin on your controller gets ignored.

Option 1: Remove the global CORS config from Spring Security.

Option 2: Instead of using @CrossOrigin, configure CORS rules per endpoint.
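One way to carry out Option 2 is to move the stricter rule for the endpoint into the same CorsConfigurationSource that Spring Security's CorsFilter consults, so the restrictive headers are written before the request ever reaches the MVC layer. This is an added example, not code from the question or the answer; the origin URL and the class name CorsSecurityConfig are placeholders, and the permissive catch-all configuration stands in for the question's superPermissiveConfiguration(). The reason the annotation appeared to be ignored in the original setup is that the security filter had already answered the permissive global configuration with an Access-Control-Allow-Origin header, and Spring MVC's DefaultCorsProcessor skips a response that already carries that header, so the stricter rule never got a chance to reject the request.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.Customizer.withDefaults
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.web.SecurityFilterChain
import org.springframework.web.cors.CorsConfiguration
import org.springframework.web.cors.CorsConfigurationSource
import org.springframework.web.cors.UrlBasedCorsConfigurationSource

// Placeholder configuration class name; the endpoint paths mirror the question.
@Configuration
class CorsSecurityConfig {

    @Bean
    fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
        // With withDefaults(), Spring Security picks up the corsConfigurationSource bean below.
        http.cors(withDefaults())
        return http.build()
    }

    @Bean
    fun corsConfigurationSource(): CorsConfigurationSource {
        // Strict rule for the CSRF-cookie endpoint: one exact origin, GET only,
        // credentials allowed so the cookie can be set cross-site.
        val strict = CorsConfiguration().apply {
            allowedOrigins = listOf("https://ui.example.invalid") // placeholder UI origin
            allowedMethods = listOf("GET")
            allowCredentials = true
        }

        // Permissive catch-all for everything else (stands in for superPermissiveConfiguration()).
        // Origin patterns are used instead of "*" so the rule stays valid even if
        // allowCredentials is later turned on for it.
        val permissive = CorsConfiguration().apply {
            allowedOriginPatterns = listOf("*")
            allowedMethods = listOf("GET", "POST", "PUT", "DELETE", "OPTIONS")
            allowedHeaders = listOf("*")
        }

        val source = UrlBasedCorsConfigurationSource()
        // Registration order matters: the first pattern that matches the request path wins,
        // so the specific path must be registered before the "/**" catch-all.
        source.registerCorsConfiguration("/set-csrf-cookie", strict)
        source.registerCorsConfiguration("/**", permissive)
        return source
    }
}
```

With this in place the @CrossOrigin annotation on setCsrfCookie can be dropped; a quick check is to send a preflight OPTIONS request to /set-csrf-cookie with an Origin header that is not the UI origin and confirm that the response carries no Access-Control-Allow-Origin header, while the same request against another path still does.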
