CORS in Spring Security (Spring Boot 3)

Question

I am currently struggling with Spring Security in my Spring Boot 3 applications. It was working in Spring Boot 2 but not since I tried to upgrade to version 3.

My authentication seems to work properly and the stuff that needs to be authenticated works. However when I do a preflight (OPTIONS) check it still returns me a 401 error.

My WebSecurityConfig:

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig {

@Bean
    public SecurityFilterChain configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .cors(Customizer.withDefaults())
                .csrf(c -> c.disable())
                .authorizeHttpRequests(requests -> requests
                        .requestMatchers(
                            AntPathRequestMatcher.antMatcher("/comments/**"), 
                            AntPathRequestMatcher.antMatcher("/requests/admin/**")
                        ).authenticated()
                        .anyRequest().permitAll())
                .authenticationProvider(authenticationProvider())
                .exceptionHandling(r -> r.authenticationEntryPoint(jwtAuthenticationEntryPoint))
                .sessionManagement(r -> r.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // Add a filter to validate the tokens with every request
                .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
                ;
        return httpSecurity.build();
    }
}

I tried using a CorsConfigurationSource bean, but with no luck

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration corsConfig = new CorsConfiguration();
    corsConfig.applyPermitDefaultValues();
    corsConfig.setAllowCredentials(true);
    corsConfig.addAllowedMethod("GET");
    corsConfig.addAllowedMethod("PATCH");
    corsConfig.addAllowedMethod("POST");
    corsConfig.addAllowedMethod("OPTIONS");
    corsConfig.setAllowedOrigins(Arrays.asList("*"));
    corsConfig.setAllowedHeaders(Arrays.asList("*"));

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", corsConfig);
    return source;
}

And changed the .cors(Customizer.withDefaults()) to .cors(c -> c.configurationSource(corsConfigurationSource()))) in the SecutiryFilterChain.

A lot of links on the internet provide help on the issue but for SB2 instead of 3.

please show us your error in the webbrowser console and a screenshot of your response with headers in the browser. — Toerktumlare, Aug 29 '23 at 11:23

GreyBeardedGeek · Answer 1 · 2023-08-28T02:43:19.403

-1

I had the same problem and was ultimately unable to solve it with httpSecurity.config

I wound up taking .cors() out entirely, and put a @CrossOrigin annotation on each controller class, e.g.

@CrossOrigin(origins = "http://myurl", allowCredentials = "true")

Note that I'm specifying an explicit URL here. I'm not sure whether or not wildcards will work.

edited Aug 28 '23 at 02:43

answered Aug 27 '23 at 13:25

GreyBeardedGeek

29,460
2
47
67

My application is open for everyone to use (it's an application for training purposes) so I do not know the origins of the user as they might use postman or other tools. Wildcards do not seem to work (When allowCredentials is true, allowedOrigins cannot contain the special value "*") – Jurn Aug 28 '23 at 11:14
I did try it though with defined origin, but to no luck :( – Jurn Aug 28 '23 at 11:31

CORS in Spring Security (Spring Boot 3)

1 Answers1