The call to CorsConfiguration::combine returns a new configuration object, which is ignored.

https://github.com/spring-projects/spring-framework/blob/607d918340c7a3a0282e1722354c689359dac201/spring-webflux/src/main/java/org/springframework/web/reactive/config/CorsRegistration.java#L151-L154

https://github.com/spring-projects/spring-framework/blob/607d918340c7a3a0282e1722354c689359dac201/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java#L479-L501

Affects: 5.3

I was expecting the following to work:

@Configuration
class CorsGlobalConfiguration : WebFluxConfigurer {

    override fun addCorsMappings(corsRegistry: CorsRegistry) {
        val config = CorsConfiguration()
        config.addAllowedOrigin("http://localhost:3000")
        config.addAllowedMethod("*")
        config.applyPermitDefaultValues()

        corsRegistry.addMapping("/api/**").combine(config)
    }
}

This works:

@Configuration
class CorsGlobalConfiguration : WebFluxConfigurer {

    override fun addCorsMappings(corsRegistry: CorsRegistry) {
        corsRegistry.addMapping("/api/**")
            .allowedOrigins("http://localhost:3000")
            .allowedMethods("*")
    }
}

Comment From: sbrannen

Thanks for bringing this to our attention... as your first issue raised against the Spring Framework!

This applies to both Web MVC and WebFlux:

  • org.springframework.web.reactive.config.CorsRegistration.combine(CorsConfiguration)
  • org.springframework.web.servlet.config.annotation.CorsRegistration.combine(CorsConfiguration)

See also: #25716
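
A stand-alone illustration of the pattern reported above, added here and not taken from the issue or from Spring's source: it calls `CorsConfiguration.combine` once with the result dropped and once with it kept, then prints which origins each resulting policy accepts. The helper names, the constructed origin `https://other.example`, and the assumption that the configuration held by a registration starts from `applyPermitDefaultValues()` are assumptions of this example; it needs spring-web on the classpath.

```kotlin
import org.springframework.web.cors.CorsConfiguration

// Hypothetical helper: mirrors the reported pattern, where combine() is
// called on the held configuration and its return value is dropped.
fun combineDiscarded(held: CorsConfiguration, other: CorsConfiguration): CorsConfiguration {
    held.combine(other) // combine() builds a new object; `held` is not modified
    return held
}

// Hypothetical helper: keeps the object that combine() returns.
fun combineKept(held: CorsConfiguration, other: CorsConfiguration): CorsConfiguration =
    held.combine(other) ?: held

// Prints the effective policy and how it treats two sample origins.
fun describe(label: String, config: CorsConfiguration) {
    println("$label origins=${config.allowedOrigins} methods=${config.allowedMethods}")
    // checkOrigin() returns the value to echo back, or null when the origin is rejected.
    for (origin in listOf("http://localhost:3000", "https://other.example")) {
        println("  $origin -> ${config.checkOrigin(origin) ?: "rejected"}")
    }
}

fun main() {
    // Same settings as the first snippet in the issue.
    fun requested() = CorsConfiguration().apply {
        addAllowedOrigin("http://localhost:3000")
        addAllowedMethod("*")
        applyPermitDefaultValues()
    }

    // Assumption: stand-in for the configuration a registration holds internally.
    fun registrationDefaults() = CorsConfiguration().applyPermitDefaultValues()

    describe("result discarded:", combineDiscarded(registrationDefaults(), requested()))
    describe("result kept:     ", combineKept(registrationDefaults(), requested()))
}
```

Comparing the two printouts shows whether the restricted origin list actually reached the policy in effect, which is the check worth adding to a test for any mapping configured through `combine`.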