javaspring-bootspring-securityspring-boot-3

CORS in Spring Security (Spring Boot 3)

I am currently struggling with Spring Security in my Spring Boot 3 applications. It was working in Spring Boot 2 but not since I tried to upgrade to version 3.

My authentication seems to work properly and the stuff that needs to be authenticated works. However when I do a preflight (OPTIONS) check it still returns me a 401 error.

My WebSecurityConfig:

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig {

@Bean
    public SecurityFilterChain configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .cors(Customizer.withDefaults())
                .csrf(c -> c.disable())
                .authorizeHttpRequests(requests -> requests
                        .requestMatchers(
                            AntPathRequestMatcher.antMatcher("/comments/**"), 
                            AntPathRequestMatcher.antMatcher("/requests/admin/**")
                        ).authenticated()
                        .anyRequest().permitAll())
                .authenticationProvider(authenticationProvider())
                .exceptionHandling(r -> r.authenticationEntryPoint(jwtAuthenticationEntryPoint))
                .sessionManagement(r -> r.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // Add a filter to validate the tokens with every request
                .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
                ;
        return httpSecurity.build();
    }
}

I tried using a CorsConfigurationSource bean, but with no luck

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration corsConfig = new CorsConfiguration();
    corsConfig.applyPermitDefaultValues();
    corsConfig.setAllowCredentials(true);
    corsConfig.addAllowedMethod("GET");
    corsConfig.addAllowedMethod("PATCH");
    corsConfig.addAllowedMethod("POST");
    corsConfig.addAllowedMethod("OPTIONS");
    corsConfig.setAllowedOrigins(Arrays.asList("*"));
    corsConfig.setAllowedHeaders(Arrays.asList("*"));

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", corsConfig);
    return source;
}

And changed the .cors(Customizer.withDefaults()) to .cors(c -> c.configurationSource(corsConfigurationSource()))) in the SecutiryFilterChain.

A lot of links on the internet provide help on the issue but for SB2 instead of 3.

Solution

  • i tried configuring CORS the same way you did, using http.cors(Customizer.withDefaults()) and http.cors(c -> c.configurationSource(corsConfigurationSource()) but both did not work.

    however, this works for me

    http.cors(cors -> cors.configurationSource(request -> {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("*"));
        configuration.setAllowedHeaders(Arrays.asList("*"));
        return configuration;
    }));