Add Support for PreFlightRequestFilter

Closes gh-18926

Author: rwinch

config/src/main/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurer.java

@@ -21,15 +21,18 @@
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.util.Assert;
-import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.PreFlightRequestHandler;
 import org.springframework.web.filter.CorsFilter;
+import org.springframework.web.filter.PreFlightRequestFilter;
 
 /**
- * Adds {@link CorsFilter} to the Spring Security filter chain. If a bean by the name of
- * corsFilter is provided, that {@link CorsFilter} is used. Else if
- * corsConfigurationSource is defined, then that {@link CorsConfiguration} is used.
+ * Adds {@link CorsFilter} or {@link PreFlightRequestFilter} to the Spring Security filter
+ * chain. If a bean by the name of corsFilter is provided, that {@link CorsFilter} is
+ * used. Else if corsConfigurationSource is defined, then that
+ * {@link CorsConfigurationSource} is used. If a {@link PreFlightRequestHandler} is set on
+ * this configurer, {@link CorsFilter} is not used and {@link PreFlightRequestFilter} is
+ * registered instead.
  *
  * @param <H> the builder to return.
  * @author Rob Winch
@@ -43,6 +46,8 @@ public class CorsConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHt
 
 	private CorsConfigurationSource configurationSource;
 
+	private PreFlightRequestHandler preFlightRequestHandler;
+
 	/**
 	 * Creates a new instance
 	 *
@@ -56,30 +61,85 @@ public CorsConfigurer<H> configurationSource(CorsConfigurationSource configurati
 		return this;
 	}
 
+	/**
+	 * Use the given {@link PreFlightRequestHandler} for CORS preflight requests. When
+	 * set, {@link CorsFilter} is not used. Cannot be combined with
+	 * {@link #configurationSource(CorsConfigurationSource)}.
+	 * @param preFlightRequestHandler the handler to use
+	 * @return the {@link CorsConfigurer} for additional configuration
+	 */
+	public CorsConfigurer<H> preFlightRequestHandler(PreFlightRequestHandler preFlightRequestHandler) {
+		this.preFlightRequestHandler = preFlightRequestHandler;
+		return this;
+	}
+
 	@Override
 	public void configure(H http) {
 		ApplicationContext context = http.getSharedObject(ApplicationContext.class);
+
+		if (this.configurationSource != null && this.preFlightRequestHandler != null) {
+			throw new IllegalStateException(
+					"Cannot configure both a CorsConfigurationSource and a PreFlightRequestHandler on CorsConfigurer");
+		}
+
 		CorsFilter corsFilter = getCorsFilter(context);
-		Assert.state(corsFilter != null, () -> "Please configure either a " + CORS_FILTER_BEAN_NAME + " bean or a "
-				+ CORS_CONFIGURATION_SOURCE_BEAN_NAME + "bean.");
-		http.addFilter(corsFilter);
+		if (corsFilter != null) {
+			http.addFilter(corsFilter);
+			return;
+		}
+		PreFlightRequestHandler preFlightRequestHandlerBean = getPreFlightRequestHandler(context);
+		if (preFlightRequestHandlerBean != null) {
+			http.addFilterBefore(new PreFlightRequestFilter(preFlightRequestHandlerBean), CorsFilter.class);
+			return;
+		}
+		throw new NoSuchBeanDefinitionException(CorsConfigurationSource.class,
+				"Failed to find a bean that implements `CorsConfigurationSource`. Please ensure that you are using "
+						+ "`@EnableWebMvc`, are publishing a `WebMvcConfigurer`, or are publishing a `CorsConfigurationSource` bean.");
+	}
+
+	private PreFlightRequestHandler getPreFlightRequestHandler(ApplicationContext context) {
+		if (this.configurationSource != null) {
+			return null;
+		}
+		if (this.preFlightRequestHandler != null) {
+			return this.preFlightRequestHandler;
+		}
+		if (context == null) {
+			return null;
+		}
+		if (context.getBeanNamesForType(PreFlightRequestHandler.class).length > 0) {
+			return context.getBean(PreFlightRequestHandler.class);
+		}
+		return null;
+	}
+
+	private CorsConfigurationSource getCorsConfigurationSource(ApplicationContext context) {
+		if (context == null) {
+			return null;
+		}
+		boolean containsCorsSource = context.containsBeanDefinition(CORS_CONFIGURATION_SOURCE_BEAN_NAME);
+		if (containsCorsSource) {
+			return context.getBean(CORS_CONFIGURATION_SOURCE_BEAN_NAME, CorsConfigurationSource.class);
+		}
+		return MvcCorsFilter.getMvcCorsConfigurationSource(context);
 	}
 
 	private CorsFilter getCorsFilter(ApplicationContext context) {
+		if (this.preFlightRequestHandler != null) {
+			return null;
+		}
 		if (this.configurationSource != null) {
 			return new CorsFilter(this.configurationSource);
 		}
-		boolean containsCorsFilter = context.containsBeanDefinition(CORS_FILTER_BEAN_NAME);
+		boolean containsCorsFilter = context != null && context.containsBeanDefinition(CORS_FILTER_BEAN_NAME);
 		if (containsCorsFilter) {
 			return context.getBean(CORS_FILTER_BEAN_NAME, CorsFilter.class);
 		}
-		boolean containsCorsSource = context.containsBean(CORS_CONFIGURATION_SOURCE_BEAN_NAME);
-		if (containsCorsSource) {
-			CorsConfigurationSource configurationSource = context.getBean(CORS_CONFIGURATION_SOURCE_BEAN_NAME,
-					CorsConfigurationSource.class);
-			return new CorsFilter(configurationSource);
+		CorsConfigurationSource corsConfigurationSource = getCorsConfigurationSource(context);
+		if (corsConfigurationSource != null) {
+			return new CorsFilter(corsConfigurationSource);
 		}
-		return MvcCorsFilter.getMvcCorsFilter(context);
+		return null;
 	}
 
 	static class MvcCorsFilter {
@@ -92,15 +152,11 @@ static class MvcCorsFilter {
 		 * @param context
 		 * @return
 		 */
-		private static CorsFilter getMvcCorsFilter(ApplicationContext context) {
+		private static CorsConfigurationSource getMvcCorsConfigurationSource(ApplicationContext context) {
 			if (context.containsBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME)) {
-				CorsConfigurationSource corsConfigurationSource = context
-					.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, CorsConfigurationSource.class);
-				return new CorsFilter(corsConfigurationSource);
+				return context.getBean(HANDLER_MAPPING_INTROSPECTOR_BEAN_NAME, CorsConfigurationSource.class);
 			}
-			throw new NoSuchBeanDefinitionException(CorsConfigurationSource.class,
-					"Failed to find a bean that implements `CorsConfigurationSource`. Please ensure that you are using "
-							+ "`@EnableWebMvc`, are publishing a `WebMvcConfigurer`, or are publishing a `CorsConfigurationSource` bean.");
+			return null;
 		}
 
 	}

config/src/main/kotlin/org/springframework/security/config/annotation/web/CorsDsl.kt

@@ -19,18 +19,22 @@ package org.springframework.security.config.annotation.web
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.CorsConfigurer
 import org.springframework.web.cors.CorsConfigurationSource
+import org.springframework.web.cors.PreFlightRequestHandler
 
 /**
  * A Kotlin DSL to configure [HttpSecurity] CORS using idiomatic Kotlin code.
  *
  * @author Eleftheria Stein
  * @since 5.3
  * @property configurationSource the [CorsConfigurationSource] to use.
+ * @property preFlightRequestHandler the [PreFlightRequestHandler] to use instead of [CorsFilter].
  */
 @SecurityMarker
 class CorsDsl {
     var configurationSource: CorsConfigurationSource? = null
 
+    var preFlightRequestHandler: PreFlightRequestHandler? = null
+
     private var disabled = false
 
     /**
@@ -42,7 +46,8 @@ class CorsDsl {
 
     internal fun get(): (CorsConfigurer<HttpSecurity>) -> Unit {
         return { cors ->
-            configurationSource?.also { cors.configurationSource(configurationSource) }
+            configurationSource?.also { cors.configurationSource(it) }
+            preFlightRequestHandler?.also { cors.preFlightRequestHandler(it) }
             if (disabled) {
                 cors.disable()
             }