I am using spring-boot-autoconfigure version 2.2.5.RELEASE.

I have added CORS mapping in a WebMvcConfigurer in my application:

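```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {

    // Registers a global CORS configuration with Spring MVC for every path.
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOrigins("http://localhost:8123")
                .allowedMethods("GET", "PUT", "POST", "DELETE")
                .allowedHeaders("*")
                .allowCredentials(true);
    }

}
```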

This works in my test setup, when I load http://localhost/version in an iframe embedded in http://localhost:8123.

This fails with a CORS error when I load http://localhost/.

This fails because WelcomePageHandlerMapping has a null CorsConfigurationSource.

Bug 1: WebMvcAutoConfiguration.welcomePageHandlerMapping() does not call WelcomePageHandlerMapping.setCorsConfigurations(getCorsConfigurations()).

WebMvcAutoConfiguration.requestMappingHandlerMapping does call this function (in super.requestMappingHandlerMapping), so for regular requests, CORS is handled correctly. welcomePageHandlerMapping() should do this as well.

Bug 2: A workaround could involve a custom configuration, or a PostConstruct handler, or something, that called WelcomePageHandlerMapping.setCorsConfigurations(). But WelcomePageHandlerMapping is a non-public class, so there is no clean way to do this.
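
Added example (not part of the original report and not Spring Boot's own code): one workaround that does not need access to the non-public WelcomePageHandlerMapping is to apply the same CORS policy in a servlet-level CorsFilter, which runs before any handler mapping is consulted. It assumes a servlet-based application; the class name CorsFilterConfig and the bean method name are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

// Hypothetical configuration class: mirrors the policy from WebConfig above,
// but enforces it in a filter instead of per handler mapping.
@Configuration
public class CorsFilterConfig {

    @Bean
    public FilterRegistrationBean<CorsFilter> corsFilterRegistration() {
        CorsConfiguration config = new CorsConfiguration();
        // Keep an explicit origin: with credentials enabled, the allowed
        // origin must stay a concrete value rather than a wildcard.
        config.setAllowedOrigins(Collections.singletonList("http://localhost:8123"));
        config.setAllowedMethods(Arrays.asList("GET", "PUT", "POST", "DELETE"));
        config.setAllowedHeaders(Collections.singletonList("*"));
        config.setAllowCredentials(true);

        // Same path pattern as addMapping("/**"), so "/" (the welcome page)
        // is covered along with every other request.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);

        FilterRegistrationBean<CorsFilter> registration =
                new FilterRegistrationBean<>(new CorsFilter(source));
        // Run ahead of other filters so CORS headers and preflight handling
        // are applied before the request reaches the DispatcherServlet.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

With the filter in place the addCorsMappings override becomes redundant; keeping the policy in one place avoids the two configurations drifting apart.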

Comment From: philwebb

This looks similar to the interceptors problem we fixed in 5f3364326b503ad1f4d784813df0a04c4b7d4dba