For WebFlux applications, if the security configuration is configured with .cors() and there is no bean of type CorsConfigurationSource, a CorsFilter is silently not added. It would be better to throw an exception in this case, which is how the servlet CorsConfigurer works.
Comment From: marcusdacoregio
Hi, @mbhave.
> It would be better to throw an exception in this case, which is how the servlet CorsConfigurer works.
I could not simulate this exception when the CorsConfigurationSource does not exist for the CorsConfigurer#configure.
Looking at the code, the CorsFilter is simply not added if there is no CorsConfigurationSource bean and Spring MVC is not present:
https://github.com/spring-projects/spring-security/blob/6c6aedf7725e2c9b9f2fdec5dfe81fc246d42623/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurer.java#L81-L86
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
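
Added example, not part of the original thread and not Spring Security's own code: a WebFlux configuration that declares the reactive CorsConfigurationSource bean explicitly and fails at startup if the built chain contains no CorsWebFilter, so the silent omission described in the issue cannot go unnoticed. The class name, origin, and the startup check are assumptions made for illustration; the check assumes the built chain exposes the CorsWebFilter instance directly through getWebFilters().

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsConfigurationSource;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebFluxSecurity
public class CorsSecurityConfig { // hypothetical class name

    // Without this bean, .cors() in a WebFlux chain adds no CORS filter at all.
    // Note the reactive package: the servlet CorsConfigurationSource type does not count.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cors = new CorsConfiguration();
        cors.setAllowedOrigins(List.of("https://app.example.com")); // constructed sample origin
        cors.setAllowedMethods(List.of("GET", "POST"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cors);
        return source;
    }

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        SecurityWebFilterChain chain = http
                .cors(Customizer.withDefaults()) // lambda form of .cors()
                .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
                .build();

        // Fail fast instead of running without the CORS policy the config asked for.
        // Blocking here is acceptable: this runs once during context startup.
        Boolean hasCorsFilter = chain.getWebFilters()
                .any(CorsWebFilter.class::isInstance)
                .block();
        if (!Boolean.TRUE.equals(hasCorsFilter)) {
            throw new IllegalStateException(
                    "cors() is enabled but no CorsWebFilter was added; "
                            + "declare a reactive CorsConfigurationSource bean");
        }
        return chain;
    }
}
```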