
Fail hard if a CorsFilter cannot be configured when cors() is called

Open mbhave opened this issue 4 years ago • 1 comments

For Webflux applications, if the security configuration is configured with .cors() and there is no bean of type CorsConfigurationSource, a CorsFilter is silently not added. It would be better to throw an exception in this case, which is how the servlet CorsConfigurer works.

mbhave, Dec 02 '20 20:12

Hi, @mbhave.

> It would be better to throw an exception in this case, which is how the servlet CorsConfigurer works.

I could not simulate this exception when the CorsConfigurationSource does not exist for the CorsConfigurer#configure. Looking at the code, the CorsFilter is simply not added if there is no CorsConfigurationSource bean and Spring MVC is not present:

https://github.com/spring-projects/spring-security/blob/6c6aedf7725e2c9b9f2fdec5dfe81fc246d42623/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CorsConfigurer.java#L81-L86

marcusdacoregio, Sep 26 '22 16:09

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues, Dec 12 '22 18:12

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

spring-projects-issues, Dec 19 '22 18:12
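
An application-side way to avoid the silent no-op reported at the top of this thread, as an added example that is not Spring Security's own code or a fix from the project: the WebFlux security configuration takes the reactive `CorsConfigurationSource` as a required bean-method parameter and passes it to `cors()` explicitly. The class name, origin and path pattern are placeholders, and the example assumes this is the only bean of that type in the context.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsConfigurationSource;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

// Hypothetical configuration class for illustration.
@Configuration
@EnableWebFluxSecurity
public class ExplicitCorsSecurityConfig {

    // Reactive CorsConfigurationSource: note the ".reactive" package,
    // not the servlet interface of the same simple name.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.com")); // placeholder origin
        config.setAllowedMethods(List.of("GET", "POST"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config); // placeholder path pattern
        return source;
    }

    // Declaring the source as a required parameter makes context startup fail
    // with an unsatisfied-dependency error if the bean is ever removed,
    // instead of the chain being built without a CORS filter.
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http,
                                                     CorsConfigurationSource corsSource) {
        http
            // Hand the source to the CORS spec directly rather than relying on bean lookup.
            .cors(cors -> cors.configurationSource(corsSource))
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated());
        return http.build();
    }
}
```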