docs/modules/ROOT/pages/servlet/integrations/cors.adoc
13 additions & 3 deletions
@@ -5,8 +5,12 @@ Spring Framework provides {spring-framework-reference-url}web/webmvc-cors.html[f
5
5
CORS must be processed before Spring Security, because the pre-flight request does not contain any cookies (that is, the `JSESSIONID`).
6
6
If the request does not contain any cookies and Spring Security is first, the request determines that the user is not authenticated (since there are no cookies in the request) and rejects it.
7
7
8
+
[[cors-configuration-source]]
9
+
== Providing a `CorsConfigurationSource`
10
+
8
11
The easiest way to ensure that CORS is handled first is to use the `CorsFilter`.
9
-
Users can integrate the `CorsFilter` with Spring Security by providing a `CorsConfigurationSource`. Note that Spring Security will automatically configure CORS only if a `UrlBasedCorsConfigurationSource` instance is present.
12
+
Users can integrate the `CorsFilter` with Spring Security by providing a `CorsConfigurationSource`.
13
+
Note that Spring Security will automatically configure CORS only if a `UrlBasedCorsConfigurationSource` instance is present.
10
14
For example, the following will integrate CORS support within Spring Security:
11
15
12
16
[tabs]
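Review bot: The added line "Note that Spring Security will automatically configure CORS only if a `UrlBasedCorsConfigurationSource` instance is present." is still ordinary paragraph text under the new heading, so a reader skimming the section can miss the condition that decides whether CORS is configured automatically. Since the sentence is being moved onto its own line anyway, consider turning it into a `NOTE:` admonition and saying what the reader should do when their bean is some other `CorsConfigurationSource` implementation. Separately, the unchanged context line above says "the request determines that the user is not authenticated"; the subject there should be Spring Security, and it would be cheap to fix while this paragraph is being touched.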
@@ -55,6 +59,9 @@ The following listing does the same thing in XML:
55
59
</b:bean>
56
60
----
57
61
62
+
[[cors-spring-mvc-integration]]
63
+
== Spring MVC Integration
64
+
58
65
If you use Spring MVC's CORS support, you can omit specifying the `CorsConfigurationSource` and Spring Security uses the CORS configuration provided to Spring MVC:
59
66
60
67
[tabs]
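Review bot: The context sentence under the new "Spring MVC Integration" heading ("you can omit specifying the `CorsConfigurationSource`") refers back to the previous section but does not link to it. Now that the first hunk gives that section the `[[cors-configuration-source]]` anchor, consider cross-referencing it here so the three new section IDs are actually used, and check that no existing links elsewhere in the docs pointed at the old, unsectioned page structure.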
@@ -111,8 +118,11 @@ The following listing does the same thing in XML:
111
118
</http>
112
119
----
113
120
114
-
If you have more than one `CorsConfigurationSource` bean, Spring Security won't automatically configure CORS support for you, that is because it cannot decide which one to use.
115
-
If you want to specify different `CorsConfigurationSource` for each `SecurityFilterChain`, you can pass it directly into the `.cors()` DSL.
121
+
[[cors-per-chain-configuration]]
122
+
== Per-Chain Configuration
123
+
124
+
If you have more than one `CorsConfigurationSource` bean, Spring Security won't automatically configure CORS support for you, because it cannot decide which one to use.
125
+
If you want to specify a different `CorsConfigurationSource` for each `SecurityFilterChain`, you can pass it directly into the `.cors()` DSL.
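Review bot: The first sentence of the new "Per-Chain Configuration" section says Spring Security "won't automatically configure CORS support" when more than one `CorsConfigurationSource` bean exists, but it does not say what the application then does, which is the part a reader needs in order to know whether cross-origin requests are still being handled. Suggest stating the resulting behaviour explicitly and presenting the second sentence as the remedy. The second sentence also mentions passing the source "directly into the `.cors()` DSL" without showing the call; if the lines following this hunk do not already contain a listing, one in the same `[tabs]` form as the other two sections would make this section consistent with them.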