You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After upgrading from Spring Boot 3.1.* to Spring Boot 3.2.0 which includes Spring Security 6.2.0, responses of REST services provided by @Controller classes have Vary headers if org.springframework.boot:spring-boot-starter-security is in classpath.
Is this intended? We immediately noticed this change since our CDN Akamai does not cache responses with this header.
The text was updated successfully, but these errors were encountered:
I believe this side effect is not intended, as HandlerMappingIntrospector implements CorsConfigurationSource and is instantiated by default by WebMvcConfigurationSupport in spring boot auto configure.
I agree that this is likely not the intent. It may be best for Spring Security to be more conservative for the time being and pick up only UrlBasedCorsConfigurationSource instances.
After upgrading from Spring Boot 3.1.* to Spring Boot 3.2.0 which includes Spring Security 6.2.0, responses of REST services provided by
@Controller
classes haveVary
headers iforg.springframework.boot:spring-boot-starter-security
is in classpath.Is this intended? We immediately noticed this change since our CDN Akamai does not cache responses with this header.
The text was updated successfully, but these errors were encountered: