
I have created a Spring Data Repository and made it accessible through Spring Data REST (Spring Boot 2.7.2). I would expect it to reject any CORS, but it does not happen. I double-checked: I have neither calls to addCorsMappings nor @CrossOrigin annotations on the repositories.

On the other side, when I make a call from a different origin it passes, for example:

GET http://localhost:8080/api/accounts/1
Origin: http://localhost:3030

response:

HTTP/1.1 200 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
ETag: "25"
Content-Type: application/hal+json
Transfer-Encoding: chunked
Date: Wed, 01 Mar 2023 17:03:52 GMT
Keep-Alive: timeout=60
Connection: keep-alive

{
  "id": 1,
  "dateCreated": "2022-12-16T00:38:09.089+00:00",
  "lastUpdate": "2023-02-26T23:21:38.184+00:00",
  ....

To further verify, I coded an endpoint programmatically under /api2, and here CORS is enforced and the request is denied (405):

GET http://localhost:8080/api2/accounts/1

HTTP/1.1 405 
Allow: PUT, DELETE
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 01 Mar 2023 17:07:33 GMT
Keep-Alive: timeout=60
Connection: keep-alive

{
  "timestamp": "2023-03-01T17:07:33.266+00:00",
  "status": 405,
  "error": "Method Not Allowed",
  "trace": "org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported\n\tat org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping.handleNoMatch(RequestMappingInfoHandlerMapping.java:253)\n\tat org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.lookupHandlerMethod(AbstractHandlerMethodMapping.java:442)\n\tat org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.getHandlerInternal(AbstractHandlerMethodMapping.java:383)\n\tat org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping.getHandlerInternal(RequestMappingInfoHandlerMapping.java:125)\n\tat org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping.getHandlerInternal(RequestMappingInfoHandlerMapping.java:67
...

Is this normal behavior? If so, how can I reject CORS requests on Spring Data Rest?

Franco G
  • If I understand well, you would like to disable CORS? – Quentin Genet Mar 01 '23 at 17:20
  • No, I would like it ENABLED, it seems disabled, but I did not disable it. Thus the application is exposed to risks unless I wrap all the Data-REST API with my code. In this case, Spring acts correctly, and calls from different ports (like 3030 above) are blocked. The point is: if I have to rewrite all API calls, I do not need Spring DATA-REST. – Franco G Mar 01 '23 at 21:51

1 Answer


CORS is not enabled by default. According to https://docs.spring.io/spring-data/rest/docs/current/reference/html/#customizing-sdr.configuring-cors.config

You can either add @CrossOrigin on the Repository interface

@CrossOrigin(origins = "http://domain2.example",
  methods = { RequestMethod.GET, RequestMethod.POST, RequestMethod.DELETE },
  maxAge = 3600)
interface PersonRepository extends CrudRepository<Person, Long> {}

or configure it globally.

@Component
public class SpringDataRestCustomization implements RepositoryRestConfigurer {

  @Override
  public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config, CorsRegistry cors) {

    cors.addMapping("/person/**")
      .allowedOrigins("http://domain2.example")
      .allowedMethods("PUT", "DELETE")
      .allowedHeaders("header1", "header2", "header3")
      .exposedHeaders("header1", "header2")
      .allowCredentials(false).maxAge(3600);
  }
}
yejianfengblue
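As an added check (not part of the question or the answer above): CORS is enforced by the browser from the response headers, so whether a page on another origin could read these responses depends on Access-Control-Allow-Origin, not on the status code. The captures below are constructed from the headers shown in the question and from what the answer's RepositoryRestConfigurer would send for its allowed origin; domain2.example is the answer's own placeholder.

```python
"""Decide from captured response headers whether a browser would let a
cross-origin script read the body (the CORS "simple request" rules)."""

# Constructed from the question's first capture: Spring Data REST answered
# 200 with Vary: Origin but without Access-Control-Allow-Origin.
SDR_RESPONSE = """HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
ETag: "25"
Content-Type: application/hal+json
"""

# Constructed: what the answer's cors.addMapping("/person/**") config would
# emit for a request whose Origin matches the configured domain2.example.
CONFIGURED_RESPONSE = """HTTP/1.1 200
Vary: Origin
Access-Control-Allow-Origin: http://domain2.example
Content-Type: application/hal+json
"""


def parse_headers(raw: str) -> tuple[int, dict[str, list[str]]]:
    """Return (status code, header-name -> values) from a raw response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def browser_can_read(origin: str, raw: str, credentials: bool = False) -> tuple[bool, str]:
    """Apply the browser-side CORS check for a response to a request from `origin`."""
    status, headers = parse_headers(raw)
    acao = headers.get("access-control-allow-origin", [])
    if len(acao) != 1:
        # Vary: Origin alone is not a grant; with no (or several) ACAO values
        # the browser hides the body from the page regardless of the status.
        return False, f"HTTP {status} with {len(acao)} Access-Control-Allow-Origin header(s): read blocked"
    if acao[0] == "*":
        return (not credentials), "wildcard origin: any site may read (never with credentials)"
    if acao[0] != origin:
        return False, f"Access-Control-Allow-Origin {acao[0]} does not match {origin}"
    allow_creds = headers.get("access-control-allow-credentials", [""])[0].lower() == "true"
    if credentials and not allow_creds:
        return False, "origin allowed but Access-Control-Allow-Credentials is not true"
    return True, f"origin {origin} may read the response"
```

The question's 405 capture carries no Access-Control-Allow-Origin either, so it gets the same "read blocked" verdict as the 200; the status code does not tell you anything about CORS.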