Describe the bug
Spring Security documentation: CORS provides an example on how to configure CORS using a @Bean of type CorsConfigurationSource.
Starting from Spring Security 6.2.6 / 6.3.3 it does not work because it requires a @Bean of type UrlBasedCorsConfigurationSource (because of the fix for #15378, line 135 in #3d4bcf1).
To Reproduce
Prepare a basic Spring Security app, provide the following bean:

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

and observe the CORS headers are not returned for an authorized GET with Origin: https://example.com.
Update the above example to return UrlBasedCorsConfigurationSource and observe the CORS headers are now properly returned.
Note: the example with CorsConfigurationSource also did not work in previous versions (pre-6.2.6 / 6.3.3) when Spring Web was used, because HttpSecurityConfiguration#applyCorsIfAvailable required exactly one bean of type CorsConfiguration, and there was already one registered by WebMvcConfigurationSupport#mvcHandlerMappingIntrospector.
Expected behavior
Update Spring Security documentation with UrlBasedCorsConfigurationSource:
* https://docs.spring.io/spring-security/reference/servlet/integrations/cors.html - the example and description below
* (possibly also) https://docs.spring.io/spring-security/reference/reactive/integrations/cors.html
Sample
A minimal reproducible example can be found here.
Comment From: jzheaux
Thanks for the report, @mgocd. Are you able to contribute a PR to 6.2.x that updates the documentation?
Comment From: petrovskimario
I can provide a PR if this is open; however, on 6.2.x I cannot find this Bean, all of them are updated with UrlBasedCorsConfigurationSource.
In 6.1.x I see the mentioned Bean.
Comment From: jzheaux
Apologies, @petrovskimario, the ticket is just out of date. This was addressed in b9f051d15b31239fbc7d9e26c31ad97e08049375. Thanks for your willingness to help!
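
A regression check for the behaviour reported in this issue, as an added example (not code from the issue or from Spring Security): a MockMvc test that fails when the CORS bean is silently not applied. It assumes a Spring Boot 3.x app with spring-security-test on the test classpath, the CORS settings from the reproduction, and a hypothetical authenticated endpoint GET /hello.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpHeaders;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Assumptions: the app under test registers the CORS bean from the reproduction
// (allowed origin https://example.com, methods GET and POST) and exposes a
// hypothetical authenticated endpoint GET /hello.
@SpringBootTest
@AutoConfigureMockMvc
class CorsHeadersTest {

    @Autowired
    MockMvc mvc;

    @Test
    @WithMockUser
    void allowedOriginReceivesCorsHeader() throws Exception {
        // If the bean is not picked up, the request succeeds but the header is missing.
        mvc.perform(get("/hello").header(HttpHeaders.ORIGIN, "https://example.com"))
           .andExpect(status().isOk())
           .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "https://example.com"));
    }

    @Test
    @WithMockUser
    void otherOriginIsRejected() throws Exception {
        // An origin outside the allow-list must not be echoed back.
        mvc.perform(get("/hello").header(HttpHeaders.ORIGIN, "https://other.example"))
           .andExpect(status().isForbidden())
           .andExpect(header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    }

    @Test
    void preflightIsAnsweredWithoutAuthentication() throws Exception {
        // Browsers send preflight requests without credentials.
        mvc.perform(options("/hello")
                .header(HttpHeaders.ORIGIN, "https://example.com")
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET"))
           .andExpect(status().isOk())
           .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, "https://example.com"));
    }
}
```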