CORS with Spring Boot

CORS (Cross-origin resource sharing) allows a webpage to request additional resources into browser from other domains e.g. fonts, CSS or static images from CDN. CORS helps in serving web content from multiple domains into browsers who usually have the same-origin security policy.

Learn to enable Spring CORS support in Spring MVC application at method level and global level.

Read More: Java CORS Filter Example

Table of Contents

1. Method level CORS with @CrossOrigin
2. Global CORS configuration

1. Spring CORS – Method level with @CrossOrigin

Spring MVC provides @CrossOrigin annotation. This annotation marks the annotated method or type as permitting cross origin requests.

1.1. Default is Allow All

By default, @CrossOrigin allows all origins, all headers, the HTTP methods specified in the @RequestMapping annotation and a maxAge of 30 minutes.

We can override default CORS settings by giving value to annotation attributes :

AttributeDescription
originsList of allowed origins. It’s value is placed in the Access-Control-Allow-Origin header of both the pre-flight response and the actual response.
"*" – means that all origins are allowed. If undefined, all origins are allowed.
allowedHeadersList of request headers that can be used during the actual request. Value is used in preflight’s response header Access-Control-Allow-Headers.
"*" – means that all headers requested by the client are allowed. If undefined, all requested headers are allowed.
methodsList of supported HTTP request methods. If undefined, methods defined by RequestMapping annotation are used.
exposedHeadersList of response headers that the browser will allow the client to access. Value is set in actual response header Access-Control-Expose-Headers. If undefined, an empty exposed header list is used.
allowCredentialsIt determine whether browser should include any cookies associated with the request.

  • false – cookies should not included.
  • " " (empty string) – means undefined.
  • true – pre-flight response will include the header Access-Control-Allow-Credentials with value set to true.
  • If undefined, credentials are allowed.
maxAgeMaximum age (in seconds) of the cache duration for pre-flight responses. Value is set in header Access-Control-Max-Age.
If undefined, max age is set to 1800 seconds (30 minutes).

1.2. @CrossOrigin at Class or Controller Level

@CrossOrigin(origins = "*", allowedHeaders = "*")
@Controller
public class HomeController 
{
	@GetMapping(path="/")
	public String homeInit(Model model) {
		return "home";
	}
}

Read More – Spring 5 MVC Example

1.3. @CrossOrigin at Method Level

@Controller
public class HomeController 
{
	@CrossOrigin(origins = "*", allowedHeaders = "*")
	@GetMapping(path="/")
	public String homeInit(Model model) {
		return "home";
	}
}

1.4. @CrossOrigin Overridden at Method Level

homeInit() method will be accessible only from domain http://example.com. Rest other methods in HomeController will be accessible from all domains.

@Controller
@CrossOrigin(origins = "*", allowedHeaders = "*")
public class HomeController 
{
	@CrossOrigin(origins = "http://example.com")
	@GetMapping(path="/")
	public String homeInit(Model model) {
		return "home";
	}
}

2. Spring CORS – Global CORS configuration

2.1. Implement WebMvcConfigurer

To enable CORS for the whole application, use WebMvcConfigurer to add CorsRegistry.

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
@EnableWebMvc
public class CorsConfiguration implements WebMvcConfigurer
{
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedMethods("GET", "POST");
    }
}

2.2. WebMvcConfigurer Bean

In spring boot application, it is recommended to just declare a WebMvcConfigurer bean.

@Configuration
public class CorsConfiguration 
{
    @Bean
    public WebMvcConfigurer corsConfigurer() 
    {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/**").allowedOrigins("http://localhost:8080");
            }
        };
    }
}

2.3. CORS with Spring Security

To enable CORS support through Spring security, configure CorsConfigurationSource bean and use HttpSecurity.cors() configuration.

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.cors().and()
			//other config
	}

	@Bean
	CorsConfigurationSource corsConfigurationSource() 
	{
		CorsConfiguration configuration = new CorsConfiguration();
		configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
		configuration.setAllowedMethods(Arrays.asList("GET","POST"));
		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
		source.registerCorsConfiguration("/**", configuration);
		return source;
	}
}

Drop me your questions in comments section.

Happy Learning !!

Leave a Reply

13 Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments

About Us

HowToDoInJava provides tutorials and how-to guides on Java and related technologies.

It also shares the best practices, algorithms & solutions, and frequently asked interview questions.