193.41421d14.js 3.4 KB
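/*
 * Webpack JSONP chunk 193, module 617: compiled Vue render function for the
 * "CORS" documentation page (Spring Security, WebFlux flavour).
 *
 * The chunk only registers itself on window.webpackJsonp; nothing runs until
 * the webpack runtime resolves module 617.
 *
 * Security-relevant observations for reviewers:
 *  - Every piece of page text, including the Java/Kotlin samples, is emitted
 *    through vm._v(...) (text nodes). No innerHTML / v-html is used in this
 *    chunk, so the samples are displayed as text rather than parsed as markup.
 *  - The only external link opens in a new tab and carries
 *    rel="noopener noreferrer", so the opened page gets no window.opener.
 */
(window.webpackJsonp = window.webpackJsonp || []).push([
  [193],
  {
    617: function (module, __webpack_exports__, __webpack_require__) {
      "use strict";
      // Mark the exports object as an ES module.
      __webpack_require__.r(__webpack_exports__);

      // Module 56 is presumably the vue-loader component normalizer
      // (its `a` export is called with render fn + static render fns) — confirm
      // against the main bundle.
      var normalizer = __webpack_require__(56);

      var component = Object(normalizer.a)(
        {},
        function () {
          var vm = this;
          var createElement = vm.$createElement;
          var h = vm._self._c || createElement;

          return h(
            "ContentSlotsDistributor",
            { attrs: { "slot-key": vm.$parent.slotKey } },
            [
              // Page heading with its self-referencing anchor.
              h("h1", { attrs: { id: "cors" } }, [
                h("a", { staticClass: "header-anchor", attrs: { href: "#cors" } }, [vm._v("#")]),
                vm._v(" CORS")
              ]),
              vm._v(" "),

              // Why CORS has to run before Spring Security: the pre-flight
              // request carries no cookies, so it would be treated as
              // unauthenticated and rejected.
              h("p", [
                vm._v("Spring Framework provides "),
                h(
                  "a",
                  {
                    attrs: {
                      href: "https://docs.spring.io/spring/docs/current/spring-framework-reference/web-reactive.html#webflux-cors-intro",
                      target: "_blank",
                      rel: "noopener noreferrer"
                    }
                  },
                  [vm._v("first class support for CORS"), h("OutboundLink")],
                  1
                ),
                vm._v(".\nCORS must be processed before Spring Security because the pre-flight request will not contain any cookies (i.e. the "),
                h("code", [vm._v("JSESSIONID")]),
                vm._v(").\nIf the request does not contain any cookies and Spring Security is first, the request will determine the user is not authenticated (since there are no cookies in the request) and reject it.")
              ]),
              vm._v(" "),

              h("p", [
                vm._v("The easiest way to ensure that CORS is handled first is to use the "),
                h("code", [vm._v("CorsWebFilter")]),
                vm._v(".\nUsers can integrate the "),
                h("code", [vm._v("CorsWebFilter")]),
                vm._v(" with Spring Security by providing a "),
                h("code", [vm._v("CorsConfigurationSource")]),
                vm._v(".\nFor example, the following will integrate CORS support within Spring Security:")
              ]),
              vm._v(" "),

              // Sample 1 (Java): CorsConfigurationSource bean.
              // NOTE(review): the sample pins one explicit HTTPS origin and two
              // methods for "/**". Readers adapting it should keep the origin
              // list explicit when cookies such as JSESSIONID are involved; a
              // wildcard origin is not compatible with credentialed CORS
              // requests.
              h("p", [vm._v("Java")]),
              vm._v(" "),
              h("div", { staticClass: "language- extra-class" }, [
                h("pre", { pre: true, attrs: { class: "language-text" } }, [
                  h("code", [
                    vm._v('@Bean\nCorsConfigurationSource corsConfigurationSource() {\n\tCorsConfiguration configuration = new CorsConfiguration();\n\tconfiguration.setAllowedOrigins(Arrays.asList("https://example.com"));\n\tconfiguration.setAllowedMethods(Arrays.asList("GET","POST"));\n\tUrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();\n\tsource.registerCorsConfiguration("/**", configuration);\n\treturn source;\n}\n')
                  ])
                ])
              ]),

              // Sample 1 (Kotlin): same configuration as the Java variant.
              h("p", [vm._v("Kotlin")]),
              vm._v(" "),
              h("div", { staticClass: "language- extra-class" }, [
                h("pre", { pre: true, attrs: { class: "language-text" } }, [
                  h("code", [
                    vm._v('@Bean\nfun corsConfigurationSource(): CorsConfigurationSource {\n    val configuration = CorsConfiguration()\n    configuration.allowedOrigins = listOf("https://example.com")\n    configuration.allowedMethods = listOf("GET", "POST")\n    val source = UrlBasedCorsConfigurationSource()\n    source.registerCorsConfiguration("/**", configuration)\n    return source\n}\n')
                  ])
                ])
              ]),

              // Sample 2: switching the Spring Security CORS integration off.
              // NOTE(review): per the page's own explanation, once the
              // integration is disabled a cookie-less pre-flight request is
              // evaluated by Spring Security like any other unauthenticated
              // request — readers should only do this when CORS is handled
              // elsewhere or not needed.
              h("p", [vm._v("The following will disable the CORS integration within Spring Security:")]),
              vm._v(" "),
              h("p", [vm._v("Java")]),
              vm._v(" "),
              h("div", { staticClass: "language- extra-class" }, [
                h("pre", { pre: true, attrs: { class: "language-text" } }, [
                  h("code", [
                    vm._v("@Bean\nSecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {\n\thttp\n\t\t// ...\n\t\t.cors(cors -> cors.disable());\n\treturn http.build();\n}\n")
                  ])
                ])
              ]),
              h("p", [vm._v("Kotlin")]),
              vm._v(" "),
              h("div", { staticClass: "language- extra-class" }, [
                h("pre", { pre: true, attrs: { class: "language-text" } }, [
                  h("code", [
                    vm._v("@Bean\nfun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {\n    return http {\n        // ...\n        cors {\n            disable()\n        }\n    }\n}\n")
                  ])
                ])
              ]),

              // Previous / next page navigation.
              // NOTE(review): the "HTTP Requests" route lacks the
              // /en/spring-security/ prefix used by the "RSocket" route —
              // confirm that /en/exploits/http.html resolves.
              h(
                "p",
                [
                  h("RouterLink", { attrs: { to: "/en/exploits/http.html" } }, [vm._v("HTTP Requests")]),
                  h("RouterLink", { attrs: { to: "/en/spring-security/rsocket.html" } }, [vm._v("RSocket")])
                ],
                1
              )
            ]
          );
        },
        [],
        false,
        null,
        null,
        null
      );

      __webpack_exports__.default = component.exports;
    }
  }
]);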