Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

CORS in Spring Security (Spring Boot 3)

Tags:

java

spring-boot

spring-security

spring-boot-3

I am currently struggling with Spring Security in my Spring Boot 3 applications. It was working in Spring Boot 2 but not since I tried to upgrade to version 3.

My authentication seems to work properly and the stuff that needs to be authenticated works. However when I do a preflight (OPTIONS) check it still returns me a 401 error.

My WebSecurityConfig:

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig {

@Bean
    public SecurityFilterChain configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .cors(Customizer.withDefaults())
                .csrf(c -> c.disable())
                .authorizeHttpRequests(requests -> requests
                        .requestMatchers(
                            AntPathRequestMatcher.antMatcher("/comments/**"), 
                            AntPathRequestMatcher.antMatcher("/requests/admin/**")
                        ).authenticated()
                        .anyRequest().permitAll())
                .authenticationProvider(authenticationProvider())
                .exceptionHandling(r -> r.authenticationEntryPoint(jwtAuthenticationEntryPoint))
                .sessionManagement(r -> r.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                // Add a filter to validate the tokens with every request
                .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
                ;
        return httpSecurity.build();
    }
}

I tried using a CorsConfigurationSource bean, but with no luck

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration corsConfig = new CorsConfiguration();
    corsConfig.applyPermitDefaultValues();
    corsConfig.setAllowCredentials(true);
    corsConfig.addAllowedMethod("GET");
    corsConfig.addAllowedMethod("PATCH");
    corsConfig.addAllowedMethod("POST");
    corsConfig.addAllowedMethod("OPTIONS");
    corsConfig.setAllowedOrigins(Arrays.asList("*"));
    corsConfig.setAllowedHeaders(Arrays.asList("*"));

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", corsConfig);
    return source;
}

And changed the .cors(Customizer.withDefaults()) to .cors(c -> c.configurationSource(corsConfigurationSource()))) in the SecutiryFilterChain.

A lot of links on the internet provide help on the issue but for SB2 instead of 3.

like image 779
Jurn Avatar asked Sep 13 '25 06:09

Jurn

1 Answers

i tried configuring CORS the same way you did, using http.cors(Customizer.withDefaults()) and http.cors(c -> c.configurationSource(corsConfigurationSource()) but both did not work.

however, this works for me

http.cors(cors -> cors.configurationSource(request -> {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("*"));
        configuration.setAllowedHeaders(Arrays.asList("*"));
        return configuration;
    }));
like image 171
gdthegeek Avatar answered Sep 14 '25 21:09

gdthegeek

Sign in to Comment

Related questions

How to activate LFS Support button in Eclipse?
How to connect to HSQLDB in-memory in Spring Boot tests to make a query
HashMap or ConcurrentHashMap for single writer / single reader scenario?
Finding previous sibling element using selenium xpath dynamically
Spring web flow how to add flash attribute when exiting from flow to external redirect
Java Object Assignment
1024k, guardsize: 0k, detached ERROR in my Java Spring boot aplication
Netty concatenates messages that arrive simultaneously

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!