@CrossOrigin with @RepositoryRestResource doesn't work in Spring Boot 2.2 M2

[mraible]

I tried to recreate my Build a Basic CRUD App with Angular 7.0 and Spring Boot 2.1 using Spring Boot 2.2 and Angular 8 today. I made it up until the point of adding a new Car from the Angular client. When I try to do that, I get a CORS error from Spring Boot.

In Spring Boot 2.1, I was able to do the following and this no longer seems to work:

package com.okta.developer.demo;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.web.bind.annotation.CrossOrigin;

@RepositoryRestResource
@CrossOrigin(origins = "http://localhost:4200")
interface CarRepository extends JpaRepository<Car, Long> {
}

Steps to reproduce:

git clone git@github.com:oktadeveloper/okta-spring-boot-2-angular-8-example.git
cd okta-spring-boot-2-angular-8-example/server
./mvnw spring-boot:run

Then, in another terminal:

cd okta-spring-boot-2-angular-8-example/client
npm i
ng serve

Open http://localhost:4200 and click on Add, then enter a name and click Save.

[mbhave]

I don't think we changed anything in Boot related to CORS. There were some Spring Framework though that seem related. @sdeleuze could you take a look, please?

[mraible]

If I add a CorsFilter bean, it fixes the issue. In Spring Boot 2.1, I only needed to do this after integrating Spring Security.

@Bean
public FilterRegistrationBean<CorsFilter> simpleCorsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true);
    config.setAllowedOrigins(Collections.singletonList("http://localhost:4200"));
    config.setAllowedMethods(Collections.singletonList("*"));
    config.setAllowedHeaders(Collections.singletonList("*"));
    source.registerCorsConfiguration("/**", config);
    FilterRegistrationBean<CorsFilter> bean = new FilterRegistrationBean<>(new CorsFilter(source));
    bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
    return bean;
}

[sdeleuze]

@christophstrobl Could you (or somebody else from Spring Data REST team) please have a look if Spring Data REST has been updated to leverage AbstractHandlerMapping#hasCorsConfigurationSource introduced via spring-projects/spring-framework@d27b5d0?

[mbhave]

Doesn't look like there's anything we can do in Boot about this so I'll go ahead and close this one.

@mraible Please open an issue with Spring Data REST.

[odrotbohm]

I've filed DATAREST-1372 for further investigation.

@mraible – Do you think you can strip the problem down into a plain Java based test case. I'm afraid we can't and don't want to run anything JavaScript related in the Spring Data REST test base. Also it would help by removing hopefully unrelated aspects from the picture.
@sdeleuze – Can you elaborate on the commit in the newly created ticket? I wasn't aware of that change and it would be helpful if there was more transparent communication if changes require adaption of downstream parties to continue to work. All our CORS related tests still work. That's why I would've assumed everything to work just as in 2.1 (was or 5.1 repsectively).

[sdeleuze]

@odrotbohm I have added a link to the related upgrade guidelines in the JIRA issue. I warned and helped Boot team to handle these changes, but indeed forgot to warn you as well, apology for that. That's said it is surprising the tests still work if CORS handling is broken.

[Guneetgstar]

This also works:

override fun configureRepositoryRestConfiguration(config: RepositoryRestConfiguration) {
		config.corsRegistry
				.addMapping("/**")
				.allowedMethods("GET", "POST", "PUT", "DELETE")
				.allowedOrigins("*")
				.allowedHeaders("*")
	}