1. Overview
In this quick article, we’ll learn how to configure CORS in Spring Security 6. In short, we’ll update the SecurityFilterChain to provide a solution so that our application remains secure and functional. Understanding how to do so will help us move away from the deprecated cors() method in the previous versions of Spring Security Framework.
Let’s start.
2. Understanding CORS in Spring Security
Before jumping right into the configuration, let’s first understand what CORS is and how it’s managed in Spring Security.
Cross-Origin Resource Sharing (CORS) is a security feature implemented in browsers to prevent malicious scripts from accessing resources from different domains. Therefore, we need to configure CORS correctly in our Spring applications and restrict resource sharing across different origins. Failing to do so can lead to unauthorized access to server resources by web pages from different domains.
Starting with Spring Security 6, the cors() method was deprecated and marked for removal in future releases. Therefore, when working with legacy applications, we must adapt our security configurations to manage CORS effectively.
Let’s see various options in which we can handle the CORS configuration to keep our application functional.
3. Disabling CORS in SecurityFilterChain
The simplest way to handle CORS is to disable it altogether. We can do that in the SecurityFilterChain configuration bean:
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http
.cors(AbstractHttpConfigurer::disable)
// MORE CODE
.build();
}
Disabling a security feature like CORS can expose our application to vulnerabilities. Therefore, it’s essential to understand the implications of disabling CORS and ensure that our application remains secure.
3. Configuring CORS in SecurityFilterChain
If we want to secure our application with CORS enabled, we must configure it in the SecurityFilterChain bean. There are two steps to it. First, we need to create a configuration for our CORS. Second, we need to apply this configuration to our SecurityFilterChain.
3.1. Custom CORS Configuration
For applications requiring specific CORS settings, we can define a custom CorsConfigurationSource. This configuration will specify the allowed origins, methods, headers, and other parameters that our application will understand:
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.setAllowedOrigins(List.of("http://localhost:1234"));
corsConfiguration.setAllowedMethods(List.of("GET", "POST"));
corsConfiguration.setAllowCredentials(true);
corsConfiguration.setAllowedHeaders(List.of("*"));
corsConfiguration.setMaxAge(3600L);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", corsConfiguration);
return source;
}
In short, we created a @Bean of type CorsConfigurationSource that is registered to an UrlBasedCorsConfigurationSource linked to the /** path. In this configuration, we allow requests from http://localhost:1234, specify allowed HTTP methods, and set other CORS parameters, such as credentials, headers, and max age.
Here these parameters signify:
allowedOrigins: The list of origins that are allowed to access the resources.allowedMethods: The list of HTTP methods that are allowed.allowCredentials: Whether the browser should include credentials such as cookies in the request.allowedHeaders: The list of headers that are allowed in the request.maxAge: The maximum time in seconds that the browser should cache the preflight response.
3.2. Setup CorsConfigurationSource in SecurityFilterChain
Now, we need to apply this custom CORS configuration to our SecurityFilterChain:
@Bean
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
return http.csrf(AbstractHttpConfigurer::disable)
.cors(httpSecurityCorsConfigurer -> httpSecurityCorsConfigurer.configurationSource(corsConfigurationSource()))
.authorizeHttpRequests(requests -> requests
// MORE CODE
)
.build();
}
This completes our CORS configuration in the SecurityFilterChain. We’ve successfully applied our custom CORS configuration to secure our application effectively.
4. Conclusion
In this article, we learned about the CORS configuration. First, we provided a way to disable CORS in the SecurityFilterChain. Then, we explored how to create a custom CORS configuration and apply it to the SecurityFilterChain.
We can look for the complete code on Github