corsConfigurationSource and customCorsFilter not being called

### Summary

I am trying to allow multiple domains to access the api, but they are blocked by CORS preflight check. When I configure the CorsConfiguration. It can never be picked up. I tried corsConfigurationSource, addCorsMappings in WebMvcConfigurer and customCORSFilter, but none of them are picked up.

### Actual Behavior

The original default corsFilter is always called.

### Expected Behavior

One of the custom filters, or configurations should have been picked up and used in the system.

### Configuration

WebSecurityConfig.java
```
@Configuration
@ComponentScan("config")
@EnableWebSecurity(debug = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    UserDetailsServiceImpl userDetailsService;


    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.cors()
                .and()
//        http.addFilterBefore(customCorsFilter(), SessionManagementFilter.class)
//  tried this before. not working either
            .authorizeRequests()
                .antMatchers("/", "/static/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/").permitAll()
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .successHandler(successHandler())
                .failureHandler(failureHandler())
                .and()
            .logout()
                .logoutSuccessUrl("/successfulLogout.html");
    }

    CustomCorsFilter customCorsFilter() {
        CustomCorsFilter filter = new CustomCorsFilter();
        return filter;
    }

    @Bean(name="corsConfigurationSource")
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("http://localhost:8082"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS", "DELETE", "PUT"));
        configuration.setAllowedHeaders(Arrays.asList("Content-Type", "content-type", "x-requested-with", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers", "x-auth-token", "x-app-id", "Origin","Accept", "X-Requested-With", "Access-Control-Request-Method", "Access-Control-Request-Headers"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(authProvider());
    }

    @Bean
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(userDetailsService);
        authProvider.setPasswordEncoder(encoder());
        return authProvider;
    }

    @Bean
    public PasswordEncoder encoder() {
        return new MessageDigestPasswordEncoder("md5");
    }

    private AuthenticationFailureHandler failureHandler() {
           return new SimpleUrlAuthenticationFailureHandler() {
               public void onAuthenticationFailure(HttpServletRequest request,
                                                   HttpServletResponse response, AuthenticationException exception)
                       throws IOException, ServletException {
                   response.setContentType("text/html;charset=UTF-8");
                   response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Failed. Wrong username or password or both");
               }
           };
       }


       private AuthenticationSuccessHandler successHandler() {
           return new SimpleUrlAuthenticationSuccessHandler() {
               public void onAuthenticationSuccess(HttpServletRequest request,
                       HttpServletResponse response, Authentication authentication)
                       throws IOException, ServletException {
               }
           };
       }
}

```

WebMvcApplicationContext.java
```
public class WebMvcApplicationContext
        implements WebMvcConfigurer {

   @Bean
   public InternalResourceViewResolver resolver() {
      InternalResourceViewResolver resolver = new InternalResourceViewResolver();
      return resolver;
   }

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/**")
                .addResourceLocations("/", "classpath:/static/")
                .setCachePeriod(31556926);
    }
   @Bean
   public MessageSource messageSource() {
      ResourceBundleMessageSource source = new ResourceBundleMessageSource();
      source.setBasename("messages");
      return source;
   }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
            .allowedOrigins("http://localhost:8082")
            .allowedMethods("GET", "POST", "OPTIONS")
            .allowedHeaders("Content-Type", "content-type", "x-requested-with", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers", "x-auth-token", "x-app-id", "Origin","Accept", "X-Requested-With", "Access-Control-Request-Method", "Access-Control-Request-Headers");
    }
}

```

CustomCorsFilter.java
```
public class CustomCorsFilter
        implements Filter {

    public void CustomCorsFilter() {}
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        HttpServletRequest request= (HttpServletRequest) servletRequest;

        response.setHeader("Access-Control-Allow-Origin", "http://localhost:8082");
        response.setHeader("Access-Control-Allow-Methods", "GET,POST,DELETE,PUT,OPTIONS");
        response.setHeader("Access-Control-Allow-Headers", "Access-Control-Allow-Origin, cache-control");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Max-Age", "180");
        filterChain.doFilter(servletRequest, servletResponse);
    }

    @Override
    public void destroy() {

    }
}
```
### Version

spring-webmvc 5.0.0.RELEASE
spring-security-core 5.0.0.RELEASE
spring-security-config 5.0.0.RELEASE
spring-security-taglib 5.0.0.RELEASE




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

corsConfigurationSource and customCorsFilter not being called #4971

Summary

Actual Behavior

Expected Behavior

Configuration

Version

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

corsConfigurationSource and customCorsFilter not being called #4971

Description

Summary

Actual Behavior

Expected Behavior

Configuration

Version

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions