From 3d4bcf1b4483e927eec05f2c01c5359e0b714267 Mon Sep 17 00:00:00 2001 From: baezzys Date: Sun, 21 Jul 2024 21:53:57 +0900 Subject: [PATCH] fix: Restrict automatic CORS configuration to UrlBasedCorsConfigurationSource - Update CORS configuration logic to automatically enable .cors() only if a UrlBasedCorsConfigurationSource bean is present. - Modify applyCorsIfAvailable method to check for UrlBasedCorsConfigurationSource instances. --- .../HttpSecurityConfiguration.java | 8 ++-- .../HttpSecurityConfigurationTests.java | 41 ++++++++++++++++++- .../ROOT/pages/servlet/integrations/cors.adoc | 2 +- 3 files changed, 44 insertions(+), 7 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java index ba962a4fad..39a3633db4 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -47,7 +47,7 @@ import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter; import org.springframework.web.accept.ContentNegotiationStrategy; import org.springframework.web.accept.HeaderContentNegotiationStrategy; -import org.springframework.web.cors.CorsConfigurationSource; +import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import static org.springframework.security.config.Customizer.withDefaults; @@ -55,6 +55,7 @@ import static org.springframework.security.config.Customizer.withDefaults; * {@link Configuration} that exposes the {@link HttpSecurity} bean. * * @author Eleftheria Stein + * @author Jinwoo Bae * @since 5.4 */ @Configuration(proxyBeanMethods = false) @@ -131,8 +132,7 @@ class HttpSecurityConfiguration { } private void applyCorsIfAvailable(HttpSecurity http) throws Exception { - String[] beanNames = this.context.getBeanNamesForType(CorsConfigurationSource.class); - if (beanNames.length == 1) { + if (this.context.getBeanNamesForType(UrlBasedCorsConfigurationSource.class).length > 0) { http.cors(withDefaults()); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java index 2d95161fc6..f8c075f72f 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2023 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -362,7 +362,7 @@ public class HttpSecurityConfigurationTests { } @Test - public void configureWhenCorsConfigurationSourceThenApplyCors() { + public void configureWhenCorsConfigurationSourceThenApplyCors() throws Exception { this.spring.register(CorsConfigurationSourceConfig.class, DefaultWithFilterChainConfig.class).autowire(); SecurityFilterChain filterChain = this.spring.getContext().getBean(SecurityFilterChain.class); CorsFilter corsFilter = (CorsFilter) filterChain.getFilters() @@ -374,6 +374,16 @@ public class HttpSecurityConfigurationTests { assertThat(configSource).isInstanceOf(UrlBasedCorsConfigurationSource.class); } + // gh-15378 + @Test + public void configureWhenNoUrlBasedCorsConfigThenNoCorsAppliedAndVaryHeaderNotPresent() throws Exception { + this.spring.register(NonUrlBasedCorsConfig.class, DefaultWithFilterChainConfig.class).autowire(); + SecurityFilterChain filterChain = this.spring.getContext().getBean(SecurityFilterChain.class); + assertThat(filterChain.getFilters()).noneMatch((filter) -> filter instanceof CorsFilter); + + this.mockMvc.perform(get("/")).andExpect(header().doesNotExist("Vary")); + } + @Test public void configureWhenAddingCustomDslUsingWithThenApplied() throws Exception { this.spring.register(WithCustomDslConfig.class, UserDetailsConfig.class).autowire(); @@ -673,6 +683,33 @@ public class HttpSecurityConfigurationTests { } + @Configuration + @EnableWebSecurity + static class NonUrlBasedCorsConfig { + + @Bean + CorsConfigurationSource corsConfigurationSource() { + return new CustomCorsConfigurationSource(); + } + + @Bean + SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + return http.build(); + } + + } + + static class CustomCorsConfigurationSource implements CorsConfigurationSource { + + @Override + public CorsConfiguration getCorsConfiguration(HttpServletRequest request) { + CorsConfiguration configuration = new CorsConfiguration(); + configuration.setAllowedOrigins(List.of("http://localhost:8080")); + return configuration; + } + + } + static class DefaultConfigurer extends AbstractHttpConfigurer { boolean init; diff --git a/docs/modules/ROOT/pages/servlet/integrations/cors.adoc b/docs/modules/ROOT/pages/servlet/integrations/cors.adoc index 115e9b8f9e..a2262215ac 100644 --- a/docs/modules/ROOT/pages/servlet/integrations/cors.adoc +++ b/docs/modules/ROOT/pages/servlet/integrations/cors.adoc @@ -6,7 +6,7 @@ CORS must be processed before Spring Security, because the pre-flight request do If the request does not contain any cookies and Spring Security is first, the request determines that the user is not authenticated (since there are no cookies in the request) and rejects it. The easiest way to ensure that CORS is handled first is to use the `CorsFilter`. -Users can integrate the `CorsFilter` with Spring Security by providing a `CorsConfigurationSource`. +Users can integrate the `CorsFilter` with Spring Security by providing a `CorsConfigurationSource`. Note that Spring Security will automatically configure CORS only if a `UrlBasedCorsConfigurationSource` instance is present. For example, the following will integrate CORS support within Spring Security: [tabs]