Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 21:33:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add subsections to cors

Browse Source 
This helps make the docs look more uniform after adding
PreFlightRequestFilter docs in its own section

Issue gh-18926
This commit is contained in:
Robert Winch
2026-03-25 14:49:06 -05:00
committed by Rob Winch
parent 4199240662
commit c6e60c84f9
1 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/modules/ROOT/pages/servlet/integrations/cors.adoc
+13 -3
View File
@@ -5,8 +5,12 @@ Spring Framework provides {spring-framework-reference-url}web/webmvc-cors.html[f
CORS must be processed before Spring Security, because the pre-flight request does not contain any cookies (that is, the `JSESSIONID`).
If the request does not contain any cookies and Spring Security is first, the request determines that the user is not authenticated (since there are no cookies in the request) and rejects it.
[[cors-configuration-source]]
== Providing a `CorsConfigurationSource`
The easiest way to ensure that CORS is handled first is to use the `CorsFilter`.
Users can integrate the `CorsFilter` with Spring Security by providing a `CorsConfigurationSource`. Note that Spring Security will automatically configure CORS only if a `UrlBasedCorsConfigurationSource` instance is present.
Users can integrate the `CorsFilter` with Spring Security by providing a `CorsConfigurationSource`.
Note that Spring Security will automatically configure CORS only if a `UrlBasedCorsConfigurationSource` instance is present.
For example, the following will integrate CORS support within Spring Security:
[tabs]
@@ -55,6 +59,9 @@ The following listing does the same thing in XML:
</b:bean>
----
[[cors-spring-mvc-integration]]
== Spring MVC Integration
If you use Spring MVC's CORS support, you can omit specifying the `CorsConfigurationSource` and Spring Security uses the CORS configuration provided to Spring MVC:
[tabs]
@@ -111,8 +118,11 @@ The following listing does the same thing in XML:
</http>
----
If you have more than one `CorsConfigurationSource` bean, Spring Security won't automatically configure CORS support for you, that is because it cannot decide which one to use.
If you want to specify different `CorsConfigurationSource` for each `SecurityFilterChain`, you can pass it directly into the `.cors()` DSL.
[[cors-per-chain-configuration]]
== Per-Chain Configuration
If you have more than one `CorsConfigurationSource` bean, Spring Security won't automatically configure CORS support for you, because it cannot decide which one to use.
If you want to specify a different `CorsConfigurationSource` for each `SecurityFilterChain`, you can pass it directly into the `.cors()` DSL.
[tabs]
======