Spring Security - CORS Configuration

Cross-Origin Resource Sharing (CORS) is a browser security mechanism that allows or restricts web applications from accessing resources hosted on a different domain, protocol, or port. In Spring Security, CORS configuration helps define which external origins can communicate with the application while maintaining security. It is commonly used when a frontend application and backend API are hosted on different servers.

• Can be configured globally or at the controller level.
• Works through HTTP headers such as Access-Control-Allow-Origin.
• Commonly used in REST APIs, microservices, and frontend-backend architectures.

CORS Configuration Levels in Spring Security

CORS can be configured at two levels in a Spring Boot application:

1. Global Level Configuration

Global configuration applies the same CORS rules to all endpoints in the application.

• Centralized CORS management.
• Suitable when all APIs require the same CORS policy.

2. Controller-Level Configuration

Controller-level configuration applies CORS settings only to a specific controller or endpoint.

• Fine-grained control over individual APIs.
• Different endpoints can have different CORS policies.

Prerequisites

• Java Development Kit installed in your local system.
• Maven for building dependency management
• Basic understanding of the Spring Boot and Spring Security.

Implementation of Spring Security - CORS Configuration

Step 1: Create a new Spring Boot Project

Create a new spring boot project using spring initializr and add the below dependencies to it.

Dependencies:

• Spring Web
• Spring Security
• Lombok
• Spring DevTools

After creating the project, the folder structure in the IDE will look like the below image:

Step 2: Configure the Application Properties

Open the application.properties file and add the server port configuration of the project.

server.port=8080

Step 3: Create the SecurityConfig Class

Create a SecurityConfig class to configure Spring Security and enable CORS support.

• Enables CORS support using .cors().
• Disables CSRF for simplicity.

Explanation:

• SecurityConfig class configures security settings.
• securityFilterChain() method sets up CSRF disablement, CORS configuration, and HTTP Basic authentication.
• userDetailsService() method provides an in-memory user for testing purposes.

Step 4: Create the CorsConfig Class

Create a configuration class to define allowed origins, methods, and headers.

Explanation:

• Allows cross-origin requests from specified origins.
• addMapping("/**") applies CORS settings to all endpoints.
• allowedOrigins("http://localhost:3000") permits requests from the specified origin.
• allowCredentials(true) enables cookies and authentication credentials in requests.

Step 5: Create the HelloController Class

Create a simple REST controller to test CORS functionality.

Explanation:

• HelloController class defines a REST controller with @RestController and base mapping /api.
• getHello() method responds to GET /api/hello with "Hello, GET!".

Step 6: Main Class

No changes are required in the main class. It remains standard for a Spring Boot application.

Step 7: Writing the Test Cases

Create test cases to validate both security and CORS configurations.

• Verify authenticated requests.
• Verify requests originating from allowed domains.
• Ensure CORS headers are present in responses.

Explanation:

• SpringCorsApplicationTests class contains integration tests using @SpringBootTest.
• createHeaders() method generates HTTP headers with basic authentication and sets the request origin.
• testCorsConfiguration() and testPostHelloEndpoint() methods verify GET and POST requests respectively to /api/hello.

pom.xml file:

Step 8: Testing the Application

Execute tests using Maven (./mvnw test) to validate CORS and security configurations.

./mvnw test

Test Logs:

Test Results:

Step 9: Run the Application

Starts the Spring Boot application on port 8080.

Step 10: Test the Endpoint

Send a GET request:

GET http://localhost/8080/api/hello

Output:

By following the above steps, we can setup the global CORS configuration that allows specific origins, headers and methods of the application. It ensures that the application communicate with the frontend applications running on the different domain securely.