SpringBoot @Crossorigin Put Requests to association resources not working anymore

Starting with 2.3.2 Spring data Rest and also in 2.3.3 Put Requests to association resources of Content-Type: text/uri-list are not working anymore, although the annotations @RepositoryRestResource @CrossOrigin are present. Browser shows No Access-Control-Allow-Origin header is present on the requested resource.

In 2.3.1 and earlier versions the approach worked.

Comment From: philwebb

I suspect this might be an issue that needs to be raised with the Spring Data Rest or Spring Framework team. AFAICT we've not changes configuration in Spring Boot.

@ajobra Are you able to provide a sample application along with some instructions so that we can try to replicate the issue locally?

Comment From: ajobra

Hi,

Patch Request doesn't work either:

package com.example.accessingdatarest;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@SpringBootApplication
public class AccessingDataRestApplication {

    public static void main(String[] args) {
        SpringApplication.run(AccessingDataRestApplication.class, args);
    }

}

package com.example.accessingdatarest;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

@Entity
public class Person {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private long id;

    private String firstName;
    private String lastName;

    public String getFirstName() {
        return firstName;
    }

    public void setFirstName(String firstName) {
        this.firstName = firstName;
    }

    public String getLastName() {
        return lastName;
    }

    public void setLastName(String lastName) {
        this.lastName = lastName;
    }
}

package com.example.accessingdatarest;

import java.util.List;

import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.web.bind.annotation.CrossOrigin;

@RepositoryRestResource(collectionResourceRel = "people", path = "people")
@CrossOrigin(origins = {"http://someotherorigin.com"})
public interface PersonRepository extends PagingAndSortingRepository<Person, Long> {

    List<Person> findByLastName(@Param("name") String name);

}

I can post to http://localhost:8080/people by using Origin : http://someotherorigin.com in the header

but I cant patch using this origin using Spring Boot 2.3.3, with 2.2.7 it works fine

Comment From: philwebb

@ajobra Rather than attaching snippets of text, could we please have a complete application that we can download and run. You can either attach a zip file to this issue or paste a link to a github project that you've created.

Comment From: ajobra

Hi, I attach the zip file... accessing-data-rest.zip

Comment From: wilkinsona

Thanks for the sample, @ajobra, and for your patience while we found the time to look at it.

As Phil suspected, the change in behaviour is due to a change in Spring Data REST. By default, Cross-Origin requests are no longer accepted for PATCH and PUT requests.

You can change this behaviour using the methods attribute of @CrossOrigin:

@CrossOrigin(origins = {"http://someotherorigin.com"}, methods= {RequestMethod.GET,
        RequestMethod.HEAD, RequestMethod.PATCH, RequestMethod.POST, RequestMethod.PUT})

I'm not sure that this should be necessary, particularly as the javadoc for methods says that "by default the supported methods are the same as the ones to which a controller method is mapped". In this case, the "controller" is created for you by Spring Data REST and has methods mapped to PATCH and PUT.

I don't think there's anything we can do about this one from a Spring Boot perspective so I'll close this issue. Let's see what @odrotbohm thinks about things from a Spring Data REST perspective. It may be that an issue needs to be opened over there.

Comment From: philwebb

I've opened https://jira.spring.io/browse/DATAREST-1581

Comment From: odrotbohm

For reference, that's fixed in Spring Data REST, scheduled for inclusion in the upcoming services releases.