Spring MVC provides HandlerMappingIntrospector, which exposes the HandlerMappings' CORS configuration through the CorsConfigurationSource interface. WebFlux allows users to register a CorsConfigurationSource through AbstractHandlerMapping, but does not provide a way to look up the CORS configuration. This is important because, in order for CORS to work with Spring Security, the CorsWebFilter needs to be placed after the headers but before authorization. We want to inject headers, but preflight requests will not contain credentials in them, so all authorization will be rejected.

It would be nice if WebFlux allowed for exposing the CORS configuration similar to how MVC does.

Comment From: mbhave

This would solve this issue. The bug in Spring Boot causes pre-flight requests to the actuator endpoints to be rejected with the default security configuration. This can be fixed by adding .cors() to the MVC security configuration, but it does not work with WebFlux due to the reasons @rwinch mentioned.

The bug exists in Spring Boot 2.2.x so it would be good to get a fix in Spring Framework 5.2.x.

Comment From: rstoyanchev

I'm scheduling tentatively for 5.3.x but I don't know yet how this will be addressed. The most obvious way to address this is to map the request to a target handler, but performing full request mapping twice per request is hardly a good place to be. Either we can find a more optimal way to do it, or it is worth questioning whether we have the right approach to begin with.

Comment From: rstoyanchev

DispatcherHandler now implements PreFlightRequestHandler, which can be invoked earlier during request handling since all it involves is finding the target handler and applying the CORS config. It does not invoke the target handler. This allows Spring Security to handle pre-flight requests through WebFlux from the filter chain, prior to authorization, and without the need to delegate to the rest of the filter chain.
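
The arrangement described in the last comment, as an added example that is not part of the thread and not Spring Framework's or Spring Security's own code: a WebFilter placed at the CORS position of the security chain hands pre-flight requests to the PreFlightRequestHandler and lets everything else continue to authorization. It assumes a WebFlux application with Spring Security on the classpath, where DispatcherHandler is the only PreFlightRequestHandler bean; the class name PreFlightSecurityConfig and the "authenticate everything" rule are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.cors.reactive.CorsUtils;
import org.springframework.web.reactive.PreFlightRequestHandler;
import org.springframework.web.server.WebFilter;

// Hypothetical configuration class, written for this example.
@Configuration
@EnableWebFluxSecurity
public class PreFlightSecurityConfig {

    // Assumption: the injected PreFlightRequestHandler is the application's
    // DispatcherHandler, which looks up the target handler and applies its
    // CORS configuration without invoking the handler itself.
    @Bean
    SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http,
                                               PreFlightRequestHandler preFlightHandler) {

        // Pre-flight requests carry no credentials, so they are answered here
        // and never reach the authorization filters further down the chain.
        // The chain is not invoked for them; all other requests pass through.
        WebFilter preFlightFilter = (exchange, chain) ->
                CorsUtils.isPreFlightRequest(exchange.getRequest())
                        ? preFlightHandler.handlePreFlight(exchange)
                        : chain.filter(exchange);

        return http
                // CORS position: after the security headers filter,
                // before authentication and authorization.
                .addFilterAt(preFlightFilter, SecurityWebFiltersOrder.CORS)
                // Illustrative rule: every non-pre-flight request needs authentication.
                .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
                .build();
    }
}
```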