FilterRegistrationBean necessary to enable CORS support with Spring Security?

问题

My resource server is secured by OAuth2 and uses this CORS configuration:

@Bean
CorsConfigurationSource corsConfigurationSource()
{
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowCredentials(true);
    configuration.setAllowedOrigins(Arrays.asList("*"));
    configuration.setAllowedMethods(Arrays.asList("*"));
    configuration.setAllowedHeaders(Arrays.asList("*"));

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}

@Bean
FilterRegistrationBean<CorsFilter> corsFilter(CorsConfigurationSource corsConfigurationSource)
{
    CorsFilter corsFilter = new CorsFilter(corsConfigurationSource);

    FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<>();
    bean.setFilter(corsFilter);
    bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
    return bean;
}

The configuration handles preflight requests as expected, but i'm wondering why it is necessary to create a custom FilterRegistrationBean and set its order, instead of using the official CORS support of HttpSecurity.cors() documented here:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http.cors();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource()
    {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowCredentials(true);
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("*"));
        configuration.setAllowedHeaders(Arrays.asList("*"));

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

The above configuration doesn't handle preflight requests properly, i guess the CORS filter has lower precendece than the spring security filter.

Is there a downside of using the first FilterRegistrationBean version or why does the official cors configuration not work properly? Did i make a mistake in configuring the offical way?

I am using Spring Boot 2 with spring-security-oauth2-autoconfigure, but got the same behaviour in Spring Boot 1.5.x.

回答1:

Your WebSecurityConfig class is never used for any request, because the default order is 100, see WebSecurityConfigurerAdapter:

@Order(value=100)
public abstract class WebSecurityConfigurerAdapter
extends java.lang.Object
implements WebSecurityConfigurer<WebSecurity>

and the default order of the resource server configuration is 3, see EnableResourceServer:

The annotation creates a WebSecurityConfigurerAdapter with a hard-coded Order (of 3).

If you want to use your WebSecurityConfig class you have to change the order to a value lesser than 3. But be careful, because you could hide your resource server configuration.

If your application is also an authorization server, you have to be careful, too. Your authorization server configuration annotated with EnableAuthorizationServer could be not used. The default order of authorization server's security configuration is 0, see AuthorizationServerSecurityConfiguration.

If you only want to add CORS support to your resource server configuration, it is easier to override ResourceServerConfigurerAdapter#configure(HttpSecurity http).

来源：https://stackoverflow.com/questions/49424426/filterregistrationbean-necessary-to-enable-cors-support-with-spring-security