Accueil Explorer Aide
S'inscrire Connexion
github
/
spring-security
miroir de https://github.com/spring-projects/spring-security
2
0
Fork 0
Fichiers Tickets 0 Wiki
Aborescence: f66a5bab99
Branches Tags
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
reactive
/
integrations
/
cors.adoc

cors.adoc 2.1 KB
Historique Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. 

  2. [[webflux-cors]]
    3. 

  3. = CORS
    4. 

  4. 

  5. Spring Framework provides https://docs.spring.io/spring/docs/current/spring-framework-reference/web-reactive.html#webflux-cors-intro[first class support for CORS].
    6. 

  6. CORS must be processed before Spring Security because the pre-flight request will not contain any cookies (i.e. the `JSESSIONID`).
    7. 

  7. If the request does not contain any cookies and Spring Security is first, the request will determine the user is not authenticated (since there are no cookies in the request) and reject it.
    8. 

  8. 

  9. The easiest way to ensure that CORS is handled first is to use the `CorsWebFilter`.
    10. 

  10. Users can integrate the `CorsWebFilter` with Spring Security by providing a `CorsConfigurationSource`.
    11. 

  11. For example, the following will integrate CORS support within Spring Security:
    12. 

  12. 

  13. [tabs]
    14. 

  14. ======
    15. 

  15. Java::
    16. 

  16. +
    17. 

  17. [source,java,role="primary"]
    18. 

  18. ----
    19. 

  19. @Bean
    20. 

  20. CorsConfigurationSource corsConfigurationSource() {
    21. 

  21. 	CorsConfiguration configuration = new CorsConfiguration();
    22. 

  22. 	configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
    23. 

  23. 	configuration.setAllowedMethods(Arrays.asList("GET","POST"));
    24. 

  24. 	UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    25. 

  25. 	source.registerCorsConfiguration("/**", configuration);
    26. 

  26. 	return source;
    27. 

  27. }
    28. 

  28. ----
    29. 

  29. 

  30. Kotlin::
    31. 

  31. +
    32. 

  32. [source,kotlin,role="secondary"]
    33. 

  33. ----
    34. 

  34. @Bean
    35. 

  35. fun corsConfigurationSource(): CorsConfigurationSource {
    36. 

  36.     val configuration = CorsConfiguration()
    37. 

  37.     configuration.allowedOrigins = listOf("https://example.com")
    38. 

  38.     configuration.allowedMethods = listOf("GET", "POST")
    39. 

  39.     val source = UrlBasedCorsConfigurationSource()
    40. 

  40.     source.registerCorsConfiguration("/**", configuration)
    41. 

  41.     return source
    42. 

  42. }
    43. 

  43. ----
    44. 

  44. ======
    45. 

  45. 

  46. The following will disable the CORS integration within Spring Security:
    47. 

  47. 

  48. [tabs]
    49. 

  49. ======
    50. 

  50. Java::
    51. 

  51. +
    52. 

  52. [source,java,role="primary"]
    53. 

  53. ----
    54. 

  54. @Bean
    55. 

  55. SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    56. 

  56. 	http
    57. 

  57. 		// ...
    58. 

  58. 		.cors(cors -> cors.disable());
    59. 

  59. 	return http.build();
    60. 

  60. }
    61. 

  61. ----
    62. 

  62. 

  63. Kotlin::
    64. 

  64. +
    65. 

  65. [source,kotlin,role="secondary"]
    66. 

  66. ----
    67. 

  67. @Bean
    68. 

  68. fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    69. 

  69.     return http {
    70. 

  70.         // ...
    71. 

  71.         cors {
    72. 

  72.             disable()
    73. 

  73.         }
    74. 

  74.     }
    75. 

  75. }
    76. 

  76. ----
    77. 

  77. ======
    78.