See https://github.com/spring-projects/spring-boot/issues/11987#issuecomment-742826269
Comment From: mbhave
Moving to 2.4.x as the fix for this is in Spring Framework 5.3.x
Comment From: mbhave
It is currently blocked on Spring Framework adding a PreflightWebFilter and Spring Security then adding something in the DSL. The current workaround is to configure a custom security configuration as follows:
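import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.cors.reactive.CorsUtils;
import org.springframework.web.cors.reactive.PreFlightHandler;

// The enclosing class was not shown in the comment; its name here is hypothetical.
@Configuration
public class ActuatorSecurityConfiguration {
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, PreFlightHandler handler) throws Exception {
        http.authorizeExchange((exchanges) -> {
            exchanges.matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();
            exchanges.anyExchange().authenticated();
        });
        // Answer CORS preflight requests at the CORS position in the chain; all other requests continue.
        http.addFilterAt((e, c) -> {
            if (CorsUtils.isPreFlightRequest(e.getRequest())) {
                return handler.handlePreFlight(e);
            } else {
                return c.filter(e);
            }
        }, SecurityWebFiltersOrder.CORS);
        http.httpBasic(Customizer.withDefaults());
        http.formLogin(Customizer.withDefaults());
        return http.build();
    }
}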
Comment From: philwebb
The framework change is in but Spring Security issue https://github.com/spring-projects/spring-security/issues/9703 is still open. We can make this work in 2.4.x then make it pretty when the security issue is fixed.