This would avoid Boot needing to add that to provide support for CORS out of the box.

Comment From: andersonkyle

IMHO enabling CORS isn't the right default for Spring Security, considering the other defaults currently set (CSRF, PasswordEncoders, etc.). Although CORS isn't entirely analogous to those other features, it still feels like it would be going against the grain, even if the allowed origin & methods are restricted.

Comment From: rwinch

This is really about, if a user provides a CorsConfigurationSource, leveraging that by default vs. explicitly having to configure CORS.

Comment From: marcusdacoregio

This has been done by Spring Security since the beginning, or I am missing something; see https://github.com/spring-projects/spring-security/blob/5db3e5464751b5f56f997f4e99dc6ddf9e7ee4d5/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurer.java#L87-L91.

In other words, if you do http.cors(Customizer.withDefaults()) then Spring Security will also check if there is a bean of type CorsConfigurationSource to use it in the CorsFilter.

In addition to that, we do not want to configure CORS by default if the CorsConfigurationSource is present because it can become a more permissive secure default, and Spring Security wants users to be explicit when they want to be more flexible in their security configuration.

I'll close this as invalid since this is already working as requested, but if I missed something we can reopen and continue the discussion.
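
The explicit opt-in described in the comment above, as an added example that is not part of the original thread or the project's own code. It assumes a servlet application on the Spring Security lambda DSL; the class name, origin, and path pattern are constructed for illustration.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical configuration class, named for this example only.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // The bean that http.cors(Customizer.withDefaults()) looks up and hands to the CorsFilter.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Constructed sample origin: list exact origins rather than a wildcard.
        config.setAllowedOrigins(List.of("https://app.example.com"));
        // Restrict methods and request headers to what the client actually needs.
        config.setAllowedMethods(List.of("GET", "POST"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Constructed path pattern: apply the policy only to the API, not to every URL.
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Explicit opt-in: with no arguments to customize, Spring Security
            // uses the CorsConfigurationSource bean defined above.
            .cors(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```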

Comment From: marcusdacoregio

Thanks to @jzheaux I realized that my previous comment was not giving a good argument not to do this. Instead, we should avoid boilerplate code by not requiring http.cors(...) if a CorsConfigurationSource bean is configured.

Josh's words were pretty convincing: "If an application does not have Spring Security and is using CorsConfigurationSource, then CORS is working for them. But then if they add Spring Security at that point, CORS breaks. They must add .cors() to then get it to work again. This seems broken."