Describe the bug

After upgrading from Spring Security 5.x.x (Spring Boot 2.7.5) to Spring Security 6.0 (Spring Boot 3.0.4), my WebMvcConfigurer is not recognized. Has something changed?

To Reproduce

WebMvcConfigurer:

```java
import org.jetbrains.annotations.NotNull;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import java.util.List;

@Configuration
@EnableWebMvc
@ConfigurationProperties("cors")
public class CorsConfiguration implements WebMvcConfigurer {

    private List<String> allowedOrigins;

    private List<String> allowedMethods;

    private Boolean credentials;

    private List<String> exposedHeaders;

    @Override
    public void addCorsMappings(@NotNull CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOrigins(allowedOrigins.toArray(new String[0]))
                .allowedMethods(allowedMethods.toArray(new String[0]))
                .exposedHeaders(exposedHeaders.toArray(new String[0]))
                .allowCredentials(credentials);
    }

    public List<String> getAllowedOrigins() {
        return allowedOrigins;
    }

    public void setAllowedOrigins(List<String> allowedOrigins) {
        this.allowedOrigins = allowedOrigins;
    }

    public List<String> getAllowedMethods() {
        return allowedMethods;
    }

    public void setAllowedMethods(List<String> allowedMethods) {
        this.allowedMethods = allowedMethods;
    }

    public Boolean getCredentials() {
        return credentials;
    }

    public void setCredentials(Boolean credentials) {
        this.credentials = credentials;
    }

    public List<String> getExposedHeaders() {
        return exposedHeaders;
    }

    public void setExposedHeaders(List<String> exposedHeaders) {
        this.exposedHeaders = exposedHeaders;
    }
}
```

WebSecurityChain:

```java
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@EnableWebSecurity
public class WebSecurity {

    private final JWTSecurityService securityService;

    public WebSecurity(JWTSecurityService securityService) {
        this.securityService = securityService;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.cors(Customizer.withDefaults())
                .csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .exceptionHandling().authenticationEntryPoint((req, res, e) -> res.sendError(HttpServletResponse.SC_UNAUTHORIZED))
                .and()
                .addFilterBefore(new JwtTokenAuthenticationFilter(securityService), UsernamePasswordAuthenticationFilter.class)
                .requiresChannel().
                ...;

        return http.build();
    }
}
```

Expected behavior

In Spring Boot 2.7.5 it worked as expected. In Spring Boot 3 it fails due to CORSMissingAllowOrigin. The properties inside the CorsConfiguration are:

```
allowedOrigin: "http://localhost:4200"
allowedMethods: "*"
credentials: true
exposedHeaders: "Location"
```

Comment From: kandysh

With Spring Security you have to create a CorsConfigurationSource bean. With the bean you can just do http.cors(), as it runs it by default. https://docs.spring.io/spring-security/reference/servlet/integrations/cors.html

Comment From: Timeout-Timo

I just forgot to add @Configuration on top of my WebSecurity class. It is now fixed! Thank you 😄
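
The arrangement the two comments above arrive at, as an added example that is not code from the issue or from the Spring Security project: a `@Configuration` class exposing a `CorsConfigurationSource` bean that `http.cors(...)` picks up. The class name `ExampleWebSecurity` is hypothetical, the CORS values are the ones quoted in the report, and the JWT filter and channel rules of the original chain are left out.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Since Spring Security 6.0, @EnableWebSecurity no longer carries @Configuration,
// so the class needs its own @Configuration for its @Bean methods to be processed.
@Configuration
@EnableWebSecurity
public class ExampleWebSecurity { // hypothetical class name

    // http.cors(Customizer.withDefaults()) looks up a bean named "corsConfigurationSource".
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cors = new CorsConfiguration();
        // With allowCredentials(true) the origins must be listed explicitly;
        // Spring rejects "*" in allowedOrigins when credentials are allowed.
        cors.setAllowedOrigins(List.of("http://localhost:4200"));
        cors.setAllowedMethods(List.of("*"));
        cors.setExposedHeaders(List.of("Location"));
        cors.setAllowCredentials(true);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cors);
        return source;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.cors(Customizer.withDefaults())
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
}
```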