How do you configure global CORS settings in Spring Boot?

Introduction

Cross-Origin Resource Sharing (CORS) is a security feature implemented by browsers that restricts web pages from making requests to an origin different from the one that served the page. In Spring Boot, CORS configuration controls which origins can access resources from your server. By default, a Spring Boot application does not permit cross-origin requests, so browsers block them, but you can configure CORS to allow cross-origin requests from trusted domains.

This guide will show you how to configure global CORS settings in a Spring Boot application, ensuring that all controllers or specific endpoints can handle requests from other origins.

Configuring Global CORS in Spring Boot

Spring Boot provides several ways to configure CORS globally, including using Java configuration classes or properties files. Here are the different approaches:

1. Using **WebMvcConfigurer** to Configure Global CORS

The most common way to configure global CORS settings is by implementing the WebMvcConfigurer interface in a configuration class. This allows you to define CORS mappings for the entire application.

Example:

In this example:

  • addMapping("/**"): This means that CORS is enabled for all endpoints in the application.
  • .allowedOrigins("http://example.com", "http://anotherdomain.com"): Only these domains are allowed to make requests to your API.
  • .allowedMethods("GET", "POST", "PUT", "DELETE"): Specifies which HTTP methods are allowed for cross-origin requests.
  • .allowedHeaders("*"): Allows all headers in the requests.
  • .allowCredentials(true): Allows cookies or credentials to be sent with the request.
  • .maxAge(3600): Caches the pre-flight response for 3600 seconds (1 hour) to reduce the number of pre-flight requests.
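
A configuration class matching the settings listed above, written here as an added example rather than recovered from the original page. The package name is an assumption; the class name WebConfig follows the name the page uses in its pre-flight section.

```java
package com.example.demo; // assumed package name, adjust to your project

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry
            // Apply this CORS policy to every endpoint in the application.
            .addMapping("/**")
            // Explicit allow-list of origins. An origin is scheme + host + port,
            // so "http://example.com" does not cover "https://example.com".
            .allowedOrigins("http://example.com", "http://anotherdomain.com")
            // HTTP methods accepted on cross-origin requests.
            .allowedMethods("GET", "POST", "PUT", "DELETE")
            // Accept any request header the browser asks for in the pre-flight.
            .allowedHeaders("*")
            // Let the browser send cookies and other credentials.
            // Since Spring Framework 5.3, allowCredentials(true) together with
            // allowedOrigins("*") is rejected with an IllegalArgumentException,
            // so keep the origin list explicit when credentials are enabled.
            .allowCredentials(true)
            // Browsers may cache the pre-flight response for 3600 seconds (1 hour).
            .maxAge(3600);
    }
}
```

Because credentials are enabled here, every origin in the allow-list can make authenticated requests on behalf of a logged-in user, so the list should contain only origins you control or fully trust.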

2. Using **@CrossOrigin** on Controller Methods

If you want to enable CORS on specific controller methods or classes, you can use the @CrossOrigin annotation directly on your controller or method. This is useful if you want to allow CORS for only certain endpoints and not globally.

Example:

In this example:

  • @CrossOrigin(origins = "http://example.com"): Allows only http://example.com to make cross-origin requests to the /products endpoint.

You can also use @CrossOrigin at the class level to enable CORS for all methods within the class.

3. Using **application.properties** or **application.yml** for CORS Configuration

While Spring Boot doesn’t provide direct support for global CORS configuration in properties files, you can still configure some basic CORS settings using the application.properties or application.yml files. However, this approach only works for simple CORS configurations.

Example in application.properties:

This method is limited and doesn’t offer the full flexibility of Java configuration with WebMvcConfigurer, such as handling pre-flight requests or more complex rules.

4. Handling Pre-Flight Requests

A CORS pre-flight request is sent by the browser before the actual request if the request involves certain methods (like POST or PUT) or custom headers. Spring Boot automatically handles pre-flight requests when you configure global CORS with WebMvcConfigurer, but you can also customize the handling.

For example, you can add custom handling for pre-flight requests in your WebConfig:

Spring will automatically send a 200 OK response for pre-flight requests based on this configuration.

Conclusion

Configuring global CORS settings in Spring Boot is straightforward and essential for enabling cross-origin requests from trusted domains. By using WebMvcConfigurer, @CrossOrigin, or even simple configuration in application.properties, you can define how your application handles CORS for different HTTP methods and origins. This flexibility allows you to choose between a global configuration or more fine-grained control over specific API endpoints.
