Open in app

Sign in

Write

Sign in

Guide to CORS in Spring Boot

Aakash Sorathiya
TechPanel
Published in
2 min readMar 23, 2021

What is CORS?

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources.

For example, web app on domain http://domaina.com makes the HttpRequest to a web app on domain http://domainb.com.

How CORS work?

In modern browsers due to security reasons cross-origin HTTP request is not allowed.

Whenever there is a CORS request browser will send a preflight request prior to sending the actual request to find out whether CORS request is valid or not.

The preflight request is an OPTIONS request made to the same HTTP path as the actual request, with a couple of HTTP headers:

  • Origin — The origin header that would be included with the actual request being made by the website.
  • Access-Control-Request-Method — The method of the actual request being made by the website.
  • Access-Control-Request-Headers — A comma-separated list of headers that would be included in the actual request.

If web server wish to support the CORS request, it must respond to the preflight request with the following headers:

  • Access-Control-Allow-Origin — The whitelisted origin, or ‘*’
  • Access-Control-Allow-Methods — A comma-separated list of HTTP methods the web server wishes to permit for cross-origin requests
  • Access-Control-Allow-Headers — A comma-separated list of HTTP headers the web server wishes to permit for cross-origin requests

If the preflight request fails browser will not send the original request to the server.

Configuring CORS in SpringBoot application

To enable web security in spring boot we will first add the maven dependency spring-starter-security in pom file

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.3.9.RELEASE</version>
</dependency>

Now we will add configuration class to set config for CORS

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().configurationSource(corsConfigurationSource());
    }    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST"));
        configuration.setAllowedHeaders(Collections.singletonList("*"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

According to the above configs the response of the preflight request will look like:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: *

References

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Cors
Spring Boot
Security

--

--

Aakash Sorathiya
TechPanel

Written by Aakash Sorathiya

96 Followers
Editor for

A software developer with a strong passion for self-improvement.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams