`CorsRegistration#combine` is a noop #26877

bertwin · 2021-04-29T12:26:39Z

The call to CorsConfiguration::combine returns a new configuration object, which is ignored.

spring-framework/spring-webflux/src/main/java/org/springframework/web/reactive/config/CorsRegistration.java

Lines 151 to 154 in 607d918

    
           public CorsRegistration combine(CorsConfiguration other) { 
        
           	this.config.combine(other); 
        
           	return this; 
        
           }

spring-framework/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java

Lines 479 to 501 in 607d918

    
           public CorsConfiguration combine(@Nullable CorsConfiguration other) { 
        
           	if (other == null) { 
        
           		return this; 
        
           	} 
        
           	// Bypass setAllowedOrigins to avoid re-compiling patterns 
        
           	CorsConfiguration config = new CorsConfiguration(this); 
        
           	List<String> origins = combine(getAllowedOrigins(), other.getAllowedOrigins()); 
        
           	List<OriginPattern> patterns = combinePatterns(this.allowedOriginPatterns, other.allowedOriginPatterns); 
        
           	config.allowedOrigins = (origins == DEFAULT_PERMIT_ALL && !CollectionUtils.isEmpty(patterns) ? null : origins); 
        
           	config.allowedOriginPatterns = patterns; 
        
           	config.setAllowedMethods(combine(getAllowedMethods(), other.getAllowedMethods())); 
        
           	config.setAllowedHeaders(combine(getAllowedHeaders(), other.getAllowedHeaders())); 
        
           	config.setExposedHeaders(combine(getExposedHeaders(), other.getExposedHeaders())); 
        
           	Boolean allowCredentials = other.getAllowCredentials(); 
        
           	if (allowCredentials != null) { 
        
           		config.setAllowCredentials(allowCredentials); 
        
           	} 
        
           	Long maxAge = other.getMaxAge(); 
        
           	if (maxAge != null) { 
        
           		config.setMaxAge(maxAge); 
        
           	} 
        
           	return config; 
        
           }

Affects: 5.3

I was expecting the following to work:

@Configuration
class CorsGlobalConfiguration : WebFluxConfigurer {

    override fun addCorsMappings(corsRegistry: CorsRegistry) {
        val config = CorsConfiguration()
        config.addAllowedOrigin("http://localhost:3000")
        config.addAllowedMethod("*")
        config.applyPermitDefaultValues()

        corsRegistry.addMapping("/api/**").combine(config)
    }
}

This works:

@Configuration
class CorsGlobalConfiguration : WebFluxConfigurer {

    override fun addCorsMappings(corsRegistry: CorsRegistry) {
          corsRegistry.addMapping("/api/**")
                .allowedOrigins("http://localhost:3000")
                .allowedMethods("*")

    }
}

The text was updated successfully, but these errors were encountered:

sbrannen · 2021-04-29T15:22:25Z

Thanks for bringing this to our attention... as your first issue raised against the Spring Framework!

This applies to both Web MVC and WebFlux:

org.springframework.web.reactive.config.CorsRegistration.combine(CorsConfiguration)
org.springframework.web.servlet.config.annotation.CorsRegistration.combine(CorsConfiguration)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`CorsRegistration#combine` is a noop #26877

`CorsRegistration#combine` is a noop #26877

bertwin commented Apr 29, 2021

sbrannen commented Apr 29, 2021

CorsRegistration#combine is a noop #26877

CorsRegistration#combine is a noop #26877

Comments

bertwin commented Apr 29, 2021

sbrannen commented Apr 29, 2021

`CorsRegistration#combine` is a noop #26877

`CorsRegistration#combine` is a noop #26877