
CrossOrigin annotation in Spring Security

Cross-Origin Resource Sharing (CORS) is a mechanism that addresses the default browser behavior of restricting requests made from one domain to another. Without CORS, browsers prohibit such requests, known as cross-origin calls. For example, if a page is loaded from java4coding.com, the browser won't allow that page to make requests to api.java4coding.com.

However, there are scenarios where cross-origin calls are necessary. CORS allows you to specify which domains are permitted to make requests and what data can be shared between them. It operates through HTTP headers, with the key ones being Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers. These headers define allowed origins, permissible HTTP methods, and allowable headers in requests, respectively.

In Spring Security, these CORS headers are not included in the response by default. Without proper CORS configuration, when a cross-origin call is made the browser expects the response to carry an Access-Control-Allow-Origin header indicating which origins the server accepts. If this header is missing, the browser rejects the response.

It's crucial to understand that CORS is not a security mechanism like authorization or CSRF protection; instead, it relaxes the rigid constraint against cross-domain calls. Even with restrictions applied, there are situations where the browser may allow cross-origin requests, depending on preflight requests made using the HTTP OPTIONS method. Preflight requests are initiated by the browser to test whether a cross-origin request should be permitted. The decision to make these preflight requests is handled by the browser, not the application. Even if the application does not explicitly specify any CORS policy, these preflight requests may still occur, and it's essential to comprehend this behavior to avoid surprises. Overall, CORS is a mechanism primarily related to browser behavior and not a means of securing endpoints. Its purpose is to ensure that only allowed origin domains can make requests from specific browser pages.

How to allow requests from other domains using CrossOrigin annotation

In this example, we discuss how to configure CORS to allow requests from different domains using the @CrossOrigin annotation. The @CrossOrigin annotation can be placed directly above the method that defines the endpoint, allowing you to configure it using the allowed origins and methods. As you'll discover in this section, the advantage of using the @CrossOrigin annotation is its ability to simplify CORS configuration for each endpoint.

import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DemoController {

    // Only the two listed origins receive an Access-Control-Allow-Origin header for GET /hello.
    @GetMapping(value = "/hello")
    @CrossOrigin({"https://www.java4coding.com", "https://www.tools4testing.com"})
    public String sayHello() {
        return "Hello! You are Welcome.";
    }

    // The POST mapping carries its own @CrossOrigin; the annotation is applied per endpoint.
    @PostMapping(value = "/hello")
    @CrossOrigin({"https://www.java4coding.com", "https://www.tools4testing.com"})
    public String sayHelloPost() {
        return "Hurray! You are Authorized.";
    }

}


The value parameter of @CrossOrigin accepts an array, allowing you to define multiple origins. For instance, @CrossOrigin({"https://www.java4coding.com", "https://www.tools4testing.com"}). Additionally, you can specify allowed headers and methods using the allowedHeaders and methods attributes of the annotation. It's worth noting that for both origins and headers, you have the option to use the asterisk (*) to represent all headers or all origins. However, I advise exercising caution when employing this approach.
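The following test, added here and not part of the original page, exercises the behavior described above against the DemoController shown earlier: a browser-style preflight from a listed origin gets the CORS headers back, while a preflight or a plain request from an unlisted origin is rejected without an Access-Control-Allow-Origin header. It assumes spring-boot-starter-test is available; the test class name and the unlisted origin https://other.example are constructed for the example, and servlet filters (including the Spring Security chain) are switched off so that only Spring MVC's handling of the annotation is under test.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.http.HttpHeaders;
import org.springframework.test.web.servlet.MockMvc;

@WebMvcTest(DemoController.class)
@AutoConfigureMockMvc(addFilters = false) // no servlet filters: only MVC's @CrossOrigin handling runs
class DemoControllerCorsTest {
    private static final String LISTED_ORIGIN = "https://www.java4coding.com";
    private static final String OTHER_ORIGIN = "https://other.example"; // constructed, not on the allow list
    @Autowired
    private MockMvc mockMvc;

    // Browser-style preflight (OPTIONS + Origin + Access-Control-Request-Method) from a listed
    // origin: answered with 200, the origin echoed back and the allowed methods announced.
    @Test
    void preflightFromListedOriginIsAnswered() throws Exception {
        mockMvc.perform(options("/hello")
                .header(HttpHeaders.ORIGIN, LISTED_ORIGIN)
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST"))
            .andExpect(status().isOk())
            .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, LISTED_ORIGIN))
            .andExpect(header().exists(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS));
    }

    // The same preflight from an origin that is not listed: rejected with 403 and no
    // Access-Control-Allow-Origin header, which is what makes the browser block the call.
    @Test
    void preflightFromUnlistedOriginIsRejected() throws Exception {
        mockMvc.perform(options("/hello")
                .header(HttpHeaders.ORIGIN, OTHER_ORIGIN)
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "POST"))
            .andExpect(status().isForbidden())
            .andExpect(header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    }

    // A plain GET carrying an unlisted Origin is rejected too, not only the preflight.
    @Test
    void simpleRequestFromUnlistedOriginIsRejected() throws Exception {
        mockMvc.perform(get("/hello").header(HttpHeaders.ORIGIN, OTHER_ORIGIN))
            .andExpect(status().isForbidden());
    }
}
```

With the Spring Security filter chain enabled, the chain must also process CORS before authentication, because a preflight carries no cookies and would otherwise be rejected as unauthenticated before the annotation is consulted.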
