Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add WebFlux CORS Reference 

Fixes: gh-5870
This commit is contained in:
Rob Winch 2018-09-18 21:24:36 -05:00
parent 501c008526
commit 62db88ce6a
3 changed files with 39 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc
View File

@ -26,7 +26,7 @@ Below are the highlights of the release.
** Added<<webflux-oauth2-resource-server,OAuth2 Resource Server>> support
** Added OAuth2 <<webclient,WebClient>> integration
* <<test-method>> - `@WithUserDetails` now works with `ReactiveUserDetailsService`
* <<cors>> - Support for CORS was added
* Added <<webflux-cors,CORS>> support
* Added support for the following <<webflux-headers,HTTP headers>>
** <<webflux-headers-csp,Content Security Policy>>
** <<webflux-headers-feature,Feature Policy>>

37
docs/manual/src/docs/asciidoc/_includes/reactive/cors.adoc Normal file
View File

@ -0,0 +1,37 @@
[[webflux-cors]]
== CORS
Spring Framework provides https://docs.spring.io/spring/docs/current/spring-framework-reference/web-reactive.html#webflux-cors-intro[first class support for CORS].
CORS must be processed before Spring Security because the pre-flight request will not contain any cookies (i.e. the `JSESSIONID`).
If the request does not contain any cookies and Spring Security is first, the request will determine the user is not authenticated (since there are no cookies in the request) and reject it.
The easiest way to ensure that CORS is handled first is to use the `CorsWebFilter`.
Users can integrate the `CorsWebFilter` with Spring Security by providing a `CorsConfigurationSource`.
For example, the following will integrate CORS support within Spring Security:
[source,java]
----
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("https://example.com"));
configuration.setAllowedMethods(Arrays.asList("GET","POST"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
----
The following will disable the CORS integration within Spring Security:
[source,java]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
// ...
.cors().disable();
return http.build();
}
----

2
docs/manual/src/docs/asciidoc/_includes/servlet/web/cors.adoc
View File

@ -2,7 +2,7 @@
[[cors]]
== CORS
Spring Framework provides http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#cors[first class support for CORS].
Spring Framework provides https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#mvc-cors[first class support for CORS].
CORS must be processed before Spring Security because the pre-flight request will not contain any cookies (i.e. the `JSESSIONID`).
If the request does not contain any cookies and Spring Security is first, the request will determine the user is not authenticated (since there are no cookies in the request) and reject it.