If Spring Security can add this as a default, we don't need to do anything. If Spring Security doesn't make this a default, we need to see how this can be done. Adding http.cors() here wouldn't work for Jersey because there is no CorsFilter or CorsConfigurationSource.

Comment From: michael-simons

@wilkinsona pointed me at this ticket. I'm about to write some config for exactly having that feature with Actuator on Jersey.

Regarding Spring Security: Wouldn't that tangle Actuator and Security again?

Comment From: mbhave

If Spring Security added it as a default, Spring Boot wouldn't need to add anything extra and it would just rely on Spring Security's defaults. It wouldn't tangle Actuator and Security because there would be no actuator-specific configuration in Spring Boot's security auto-config.

Comment From: mbhave

See #9548.

Comment From: mbhave

Unblocking this as we have a separate configuration for the management endpoints now in order to expose health and info. So even if Spring Security adds it as a default, we would need to call .cors() in the management security auto-configuration.

Comment From: mbhave

I tagged the wrong issue.

Comment From: mbhave

Blocked on https://github.com/spring-projects/spring-framework/issues/26257

Comment From: mbhave

I've created a separate issue for WebFlux.

Comment From: mbhave

Reopening this issue because adding cors will fail for Jersey. Spring Security throws an exception if .cors() is invoked without a CorsFilter or a CorsConfigurationSource bean.
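
For readers hitting the failure described in the last comment, the following is an added example (not part of the thread and not Spring Boot's auto-configuration) of application-side configuration that gives Spring Security a CorsConfigurationSource bean, so that enabling CORS on the security filter chain also works when the endpoints are served by Jersey. The class name, the `/actuator/**` path and the `https://ops.example.com` origin are assumptions chosen for illustration.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical class name; added example, not code from the issue.
@Configuration
public class ManagementCorsConfiguration {

    // The bean name "corsConfigurationSource" (taken from the method name) is
    // one of the names Spring Security looks up when CORS is enabled. Without
    // it, a CorsFilter bean, or Spring MVC on the classpath, enabling CORS fails.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Constructed origin: list explicit origins, never "*" for management data.
        config.setAllowedOrigins(List.of("https://ops.example.com"));
        // Read-only access is enough for health and info.
        config.setAllowedMethods(List.of("GET"));
        // No cookies or HTTP auth are sent on cross-origin requests.
        config.setAllowCredentials(false);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Assumed management base path; other paths get no CORS headers.
        source.registerCorsConfiguration("/actuator/**", config);
        return source;
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Equivalent to the .cors() call discussed in the thread; adds a
            // CorsFilter to the security chain, which runs before the Jersey servlet.
            .cors(Customizer.withDefaults())
            .authorizeHttpRequests(requests -> requests.anyRequest().authenticated());
        return http.build();
    }
}
```

Because the CORS filter sits in the security chain ahead of authentication, preflight OPTIONS requests from the allowed origin are answered without credentials, while every other origin receives no Access-Control-Allow-Origin header.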