diff --git a/config/src/main/kotlin/org/springframework/security/config/web/servlet/CorsDsl.kt b/config/src/main/kotlin/org/springframework/security/config/web/servlet/CorsDsl.kt
index 8d2825ffa6..a4b0d0ba68 100644
--- a/config/src/main/kotlin/org/springframework/security/config/web/servlet/CorsDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/web/servlet/CorsDsl.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -18,15 +18,19 @@ package org.springframework.security.config.web.servlet
 
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.CorsConfigurer
+import org.springframework.web.cors.CorsConfigurationSource
 
 /**
 * A Kotlin DSL to configure [HttpSecurity] CORS using idiomatic Kotlin code.
 *
 * @author Eleftheria Stein
 * @since 5.3
+ * @property configurationSource the [CorsConfigurationSource] to use.
 */
 @SecurityMarker
 class CorsDsl {
+ var configurationSource: CorsConfigurationSource? = null
+
 private var disabled = false
 
 /**
@@ -38,6 +42,7 @@ class CorsDsl {
 
 internal fun get(): (CorsConfigurer) -> Unit {
 return { cors ->
+ configurationSource?.also { cors.configurationSource(configurationSource) }
 if (disabled) {
 cors.disable()
 }
diff --git a/config/src/test/kotlin/org/springframework/security/config/web/servlet/CorsDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/web/servlet/CorsDslTests.kt
index b9e23ec76d..0a16ebc054 100644
--- a/config/src/test/kotlin/org/springframework/security/config/web/servlet/CorsDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/web/servlet/CorsDslTests.kt
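Review bot: The added `@property configurationSource` KDoc line in the `@@ -18,15 +18,19 @@` hunk of CorsDsl.kt does not say what the `null` default means, which is the part a reader configuring CORS needs to know. I would extend it to something like `@property configurationSource the [CorsConfigurationSource] to use; when null, none is set by this DSL and CorsConfigurer resolves one itself.` As far as I know that fallback is a `corsFilter` or `corsConfigurationSource` bean and then Spring MVC's CORS configuration, but that is not visible in this diff and should be confirmed against `CorsConfigurer` before it goes into the doc. The class body continues outside this hunk.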
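Review bot: In the `@@ -38,6 +42,7 @@` hunk of CorsDsl.kt, the `also` lambda in `get()` re-reads the mutable `configurationSource` property instead of using the value the safe call already checked. The argument is therefore typed `CorsConfigurationSource?` and is presumably accepted only because the Java parameter is a platform type. Passing the checked value is tighter and keeps the null check meaningful: `configurationSource?.also { cors.configurationSource(it) }`. A short comment that the `if (disabled)` branch still runs afterwards, so `disable()` is applied even when a source was set, would make the precedence explicit. The body of `get()` continues past the end of this hunk.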
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -67,7 +67,7 @@ class CorsDslTests {
 
 @Test
 fun `CORS when CORS configuration source bean then responds with CORS header`() {
- this.spring.register(CorsCrossOriginConfig::class.java).autowire()
+ this.spring.register(CorsCrossOriginBeanConfig::class.java).autowire()
 
 this.mockMvc.get("/")
 {
@@ -79,7 +79,7 @@ class CorsDslTests {
 
 @EnableWebMvc
 @EnableWebSecurity
- open class CorsCrossOriginConfig : WebSecurityConfigurerAdapter() {
+ open class CorsCrossOriginBeanConfig : WebSecurityConfigurerAdapter() {
 override fun configure(http: HttpSecurity) {
 http {
 cors { }
@@ -135,4 +135,35 @@ class CorsDslTests {
 return source
 }
 }
+
+ @Test
+ fun `CORS when CORS configuration source dsl then responds with CORS header`() {
+ this.spring.register(CorsCrossOriginBeanConfig::class.java).autowire()
+
+ this.mockMvc.get("/")
+ {
+ header(HttpHeaders.ORIGIN, "https://example.com")
+ }.andExpect {
+ header { exists("Access-Control-Allow-Origin") }
+ }
+ }
+
+ @EnableWebMvc
+ @EnableWebSecurity
+ open class CorsCrossOriginSourceConfig : WebSecurityConfigurerAdapter() {
+ override fun configure(http: HttpSecurity) {
+ val source = UrlBasedCorsConfigurationSource()
+ val corsConfiguration = CorsConfiguration()
+ corsConfiguration.allowedOrigins = listOf("*")
+ corsConfiguration.allowedMethods = listOf(
+ RequestMethod.GET.name,
+ RequestMethod.POST.name)
+ source.registerCorsConfiguration("/**", corsConfiguration)
+ http {
+ cors {
+ configurationSource = source
+ }
+ }
+ }
+ }
 }
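Review bot: In the `@@ -135,4 +135,35 @@` hunk, the new test `CORS when CORS configuration source dsl then responds with CORS header` registers `CorsCrossOriginBeanConfig`, not the `CorsCrossOriginSourceConfig` added directly below it. The `configurationSource` DSL property is therefore never exercised and the new config class is unused; the test presumably passes through the bean that the other config defines. The register line should read `this.spring.register(CorsCrossOriginSourceConfig::class.java).autowire()`. Because `exists("Access-Control-Allow-Origin")` passes for any CORS policy, asserting the header value expected from the `allowedOrigins = listOf("*")` configuration would tie the test to the source that was actually applied.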