CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls how web applications request resources from different domains. It allows servers to define which origins are permitted, ensuring secure cross-origin communication. In Spring Security, CORS helps manage and protect such interactions.
- Controls cross-origin requests by allowing or restricting access based on origin, methods, and headers.
- Configured on the server side using Spring Security to define allowed domains and request types.
- Works with HTTP headers (like Access-Control-Allow-Origin) to enable safe communication between different origins.
Working of CORS
- Browser sends a preflight (OPTIONS) request to check permission for cross-origin request.
- Server responds with allowed origins, methods, and headers.
- If permitted, browser sends the actual request; otherwise, it blocks it.
CORS Headers
CORS headers can be used to control how resources on the web page can be requested from another domain. They play a crucial role in defining and enforcing the security policies that determine which cross-origin requests are allowed or denied. Below is a detailed explanation of the key CORS headers:
1. Access-Control-Allow-Origin
- Defines which origins are allowed to access the resource and controls cross-origin access.
- Allows either all domains (*) or restricts access to a specific origin.
Example:
Access-Control-Allow-Origin: *
or
Access-Control-Allow-Origin: http://example.com/
2. Access-Control-Allow-Methods
- Specifies which HTTP methods are permitted when accessing the resource.
- Restricts operations like GET, POST, PUT, DELETE.
Example:
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
3. Access-Control-Allow-Headers
- Defines which headers can be included in cross-origin requests.
- Controls custom headers like Authorization and Content-Type.
Example:
Access-Control-Allow-Headers: Content-Type, Authorization
4. Access-Control-Allow-Credentials
- Indicates whether credentials like cookies or authentication data can be sent.
- Enables secure requests that require authentication.
Example:
Access-Control-Allow-Credentials: true
5. Access-Control-Expose-Headers
- Specifies which response headers are accessible to the client.
- Allows access to selected custom response headers.
Example:
Access-Control-Expose-Headers: Content-Length, X-Kuma-Revision
6. Access-Control-Max-Age
- Defines how long the preflight request result can be cached.
- Reduces repeated preflight requests and improves performance.
Example:
Access-Control-Max-Age: 3600
7. Access-Control-Request-Headers
- Indicates which headers will be used in the actual request (sent in preflight).
- Helps the server validate allowed headers before processing.
Example:
Access-Control-Request-Headers: Content-Type, Authorization
Implementation of Spring Security - CORS
This project demonstrates how to implement Cross-Origin Resource Sharing (CORS) in a Spring Boot application with Spring Security. The goal is to configure CORS headers to control which domains can access the application's resources while ensuring security.
Step 1: Create the Spring boot project
Create the new Spring Boot project using Spring Initializr and add the required dependencies,
- Spring Web
- Spring Security
- Lombok
- Spring DevTools
Once the project is created then the file structure will resemble the image below.
Step 2: Configure the application properties
Open the application.properties file and add the configuration for the spring security username and password of the application in the project.
spring.application.name=spring-security-cors
spring.security.user.name=user
spring.security.user.password=password
Step 3: Configure the Security Configuration class.
We will create the SecurityConfig class to configure Spring Security in the project. Go src -> org.example.springsecuritycors -> SecurityConfig and put the below code.
package org.example.springsecuritycors;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
@Configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin();
return http.build();
}
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.addAllowedOrigin("http://localhost:8080");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
source.registerCorsConfiguration("/**", config);
return new CorsFilter(source);
}
}
Spring security can be implemented the integrate the CORS configuration with the Spring Security using the SecurityFilterChain of the Spring application.
- addMapping("/**"): It can applies the CORS configuration to all the endpoints of the application.
- allowedOrigins("http://example.com/"): It can allows the requests only from http://example.com/ of the application.
- allowedMethods("GET", "POST","PUT", "DELETE"): It can allows these http methods only of the Spring application.
- allowedHeaders("*"): It can allows all the headers of the application.
- allowCredentials(true): It can allows the cookies and other credentials to be included.
- maxAge(3600): It can sets the maximum age of the CORS preflight request cache of the application.
Step 4: Create the Controller class
We will create the HomeController class that will create the secure REST API of the spring project. Go src -> org.example.springsecuritycors -> HomeController and put the below code.
package org.example.springsecuritycors;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class HelloController {
@GetMapping("/hello")
public String hello() {
return "Hello, CORS!";
}
}
Step 5: Main Class
No changes are required in the main class of the project.
package org.example.springsecuritycors;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class SpringSecurityCorsApplication {
public static void main(String[] args) {
SpringApplication.run(SpringSecurityCorsApplication.class, args);
}
}
pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="https://maven.apache.org/POM/4.0.0" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="https://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.0</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>org.example</groupId>
<artifactId>spring-security-cors</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>spring-security-cors</name>
<description>spring-security-cors</description>
<properties>
<java.version>17</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
Step 6: Run the Application
Now, we will run the application and then it will start at port 8080.
login Endpoint:
Endpoint Testing:
Step 7: Testing the Cross-Origin Request
- We can use the tool like the front-end application hosted on the http://example.com/ to make the GET request to the http://localhost:8080/hello.
- It ensures the request is successful and the response is "Hello, CORS!".