fix: Restrict automatic CORS configuration to UrlBasedCorsConfigurationSource

- Update CORS configuration logic to automatically enable .cors() only if a UrlBasedCorsConfigurationSource bean is present.
- Modify applyCorsIfAvailable method to check for UrlBasedCorsConfigurationSource instances.
This commit is contained in:
baezzys 2024-07-21 21:53:57 +09:00 committed by Marcus Hert Da Coregio
parent 0190763a02
commit 3d4bcf1b44
3 changed files with 44 additions and 7 deletions

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -47,7 +47,7 @@ import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
import org.springframework.web.accept.ContentNegotiationStrategy;
import org.springframework.web.accept.HeaderContentNegotiationStrategy;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import static org.springframework.security.config.Customizer.withDefaults;
@ -55,6 +55,7 @@ import static org.springframework.security.config.Customizer.withDefaults;
* {@link Configuration} that exposes the {@link HttpSecurity} bean.
*
* @author Eleftheria Stein
* @author Jinwoo Bae
* @since 5.4
*/
@Configuration(proxyBeanMethods = false)
@ -131,8 +132,7 @@ class HttpSecurityConfiguration {
}
private void applyCorsIfAvailable(HttpSecurity http) throws Exception {
String[] beanNames = this.context.getBeanNamesForType(CorsConfigurationSource.class);
if (beanNames.length == 1) {
if (this.context.getBeanNamesForType(UrlBasedCorsConfigurationSource.class).length > 0) {
http.cors(withDefaults());
}
}

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -362,7 +362,7 @@ public class HttpSecurityConfigurationTests {
}
@Test
public void configureWhenCorsConfigurationSourceThenApplyCors() {
public void configureWhenCorsConfigurationSourceThenApplyCors() throws Exception {
this.spring.register(CorsConfigurationSourceConfig.class, DefaultWithFilterChainConfig.class).autowire();
SecurityFilterChain filterChain = this.spring.getContext().getBean(SecurityFilterChain.class);
CorsFilter corsFilter = (CorsFilter) filterChain.getFilters()
@ -374,6 +374,16 @@ public class HttpSecurityConfigurationTests {
assertThat(configSource).isInstanceOf(UrlBasedCorsConfigurationSource.class);
}
// gh-15378
@Test
public void configureWhenNoUrlBasedCorsConfigThenNoCorsAppliedAndVaryHeaderNotPresent() throws Exception {
this.spring.register(NonUrlBasedCorsConfig.class, DefaultWithFilterChainConfig.class).autowire();
SecurityFilterChain filterChain = this.spring.getContext().getBean(SecurityFilterChain.class);
assertThat(filterChain.getFilters()).noneMatch((filter) -> filter instanceof CorsFilter);
this.mockMvc.perform(get("/")).andExpect(header().doesNotExist("Vary"));
}
@Test
public void configureWhenAddingCustomDslUsingWithThenApplied() throws Exception {
this.spring.register(WithCustomDslConfig.class, UserDetailsConfig.class).autowire();
@ -673,6 +683,33 @@ public class HttpSecurityConfigurationTests {
}
@Configuration
@EnableWebSecurity
static class NonUrlBasedCorsConfig {
@Bean
CorsConfigurationSource corsConfigurationSource() {
return new CustomCorsConfigurationSource();
}
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http.build();
}
}
static class CustomCorsConfigurationSource implements CorsConfigurationSource {
@Override
public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(List.of("http://localhost:8080"));
return configuration;
}
}
static class DefaultConfigurer extends AbstractHttpConfigurer<DefaultConfigurer, HttpSecurity> {
boolean init;

View File

@ -6,7 +6,7 @@ CORS must be processed before Spring Security, because the pre-flight request do
If the request does not contain any cookies and Spring Security is first, the request determines that the user is not authenticated (since there are no cookies in the request) and rejects it.
The easiest way to ensure that CORS is handled first is to use the `CorsFilter`.
Users can integrate the `CorsFilter` with Spring Security by providing a `CorsConfigurationSource`.
Users can integrate the `CorsFilter` with Spring Security by providing a `CorsConfigurationSource`. Note that Spring Security will automatically configure CORS only if a `UrlBasedCorsConfigurationSource` instance is present.
For example, the following will integrate CORS support within Spring Security:
[tabs]