From 64628dc8cb78f9a23137a308b8cd2f973d326569 Mon Sep 17 00:00:00 2001
From: Sebastien Deleuze
Date: Tue, 28 Jun 2016 14:43:53 +0200
Subject: [PATCH] Add CorsFilter documentation
---
src/asciidoc/web-cors.adoc | 40 +++++++++++++++++++++++++++++++++++++-
1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/src/asciidoc/web-cors.adoc b/src/asciidoc/web-cors.adoc
index e0a404efe4e..d32a095f16b 100644
--- a/src/asciidoc/web-cors.adoc
+++ b/src/asciidoc/web-cors.adoc
@@ -203,4 +203,42 @@ It can be provided in various ways: * Handlers can implement the {api-spring-framework}/web/cors/CorsConfigurationSource.html[`CorsConfigurationSource`] interface (like https://github.com/spring-projects/spring-framework/blob/master/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/ResourceHttpRequestHandler.java[`ResourceHttpRequestHandler`] now does) in order to provide a {api-spring-framework}/web/cors/CorsConfiguration.html[CorsConfiguration]
- instance for each request.
\ No newline at end of file
+ instance for each request.
+
+== Filter based CORS support
+
+In order to support CORS with filter-based security frameworks like
+http://projects.spring.io/spring-security/[Spring Security], or
+with other libraries that do not support natively CORS, Spring Framework also
+provides a http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/filter/CorsFilter.html[`CorsFilter`].
+Instead of using `@CrossOrigin` or `WebMvcConfigurer#addCorsMappings(CorsRegistry)`, you
+need to register a custom filter defined like bellow:
+
+[source,java,indent=0]
+----
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.filter.CorsFilter;
+
+public class MyCorsFilter extends CorsFilter {
+
+ public MyCorsFilter() {
+ super(configurationSource());
+ }
+
+ private static UrlBasedCorsConfigurationSource configurationSource() {
+ CorsConfiguration config = new CorsConfiguration();
+ config.setAllowCredentials(true);
+ config.addAllowedOrigin("http://domain1.com");
+ config.addAllowedHeader("*");
+ config.addAllowedMethod("*");
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", config);
+ return source;
+ }
+}
+----
+
+You need to ensure that `CorsFilter` is ordered before the other filters, see
+https://spring.io/blog/2015/06/08/cors-support-in-spring-framework#filter-based-cors-support[this blog post]
+about how to configure Spring Boot accordingly.