After upgrading from Spring Boot 3.1.* to Spring Boot 3.2.0, which includes Spring Security 6.2.0, responses of REST services provided by @Controller classes have Vary headers if org.springframework.boot:spring-boot-starter-security is on the classpath.

Is this intended? We immediately noticed this change since our CDN Akamai does not cache responses with this header.

Comment From: malaquf

Hi @renetrefft , we also noticed this issue and I believe this is the commit that introduces it. Now CorsFilter is configured by default if CorsConfigurationSource is present.

Comment From: malaquf

I believe this side effect is not intended, as HandlerMappingIntrospector implements CorsConfigurationSource and is instantiated by default by WebMvcConfigurationSupport in spring boot auto configure.

Comment From: jzheaux

I agree that this is likely not the intent. It may be best for Spring Security to be more conservative for the time being and pick up only UrlBasedCorsConfigurationSource instances.

Comment From: baezzys

Hi @jzheaux I'd like to contribute to this issue. Can I work on it?

Comment From: marcusdacoregio

Closed via https://github.com/spring-projects/spring-security/commit/3d4bcf1b4483e927eec05f2c01c5359e0b714267

Comment From: piotrooo

I think this change should be interpreted as a breaking change since, after the update from 3.3.2 to 3.3.3, it is no longer working.

FYI @marcusdacoregio, @baezzys and @jzheaux

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsWebConfiguration implements WebMvcConfigurer {
    // CORS mappings registered through Spring MVC; they are exposed to Spring Security
    // only indirectly, via the HandlerMappingIntrospector bean.
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/web/**")
                .allowedOriginPatterns("https://*.example.com")
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD");
    }
}
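Added example, not code from the thread or from Spring: the same mapping declared as an explicit UrlBasedCorsConfigurationSource bean, which is the bean type the thread says Spring Security picks up after the fix, together with a SecurityFilterChain that opts in to CORS handling. The allowed headers and max-age values are assumptions for illustration.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class ExplicitCorsSecurityConfiguration {

    // Same mapping as the WebMvcConfigurer version, but declared as the bean type
    // Spring Security's CorsConfigurer looks for, so the CorsFilter (and the Vary
    // headers it emits) is applied deliberately instead of being inferred from the
    // framework-provided HandlerMappingIntrospector.
    @Bean
    public UrlBasedCorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Origin patterns instead of "*": keeps the allowed set restricted to the
        // operator's own domains and stays compatible with credentialed requests.
        config.setAllowedOriginPatterns(List.of("https://*.example.com"));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"));
        // Assumed values, not from the thread: explicit header allow-list and preflight cache.
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Only /web/** gets CORS processing; paths without a registered configuration
        // are left untouched by the filter, so their responses stay cacheable by a CDN
        // that refuses to cache anything carrying a Vary header.
        source.registerCorsConfiguration("/web/**", config);
        return source;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // withDefaults() makes Spring Security use the CorsConfigurationSource bean above.
            .cors(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

After deploying, a quick check is to compare response headers for a path under /web/** and one outside it: only the former should carry Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers.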