Thursday, June 9, 2016

Spring boot - is it possible to have Global Cors Configuration using only

No, not for Spring Boot 1.3.1.RELEASE at least.

I have a Spring Boot backend application, and an AngularJS front-end application; they run on application servers on different ports (front end on port 3000, backend on port 8443). Because of this, the spring boot application needed to support CORS.

I originally had the application set up with Global CORS configuration, similar to the following.  All REST endpoints, HTTP GET/PUT/POST supported, with localhost port 3000 as the allowed Origin.

public class CherryShoeApplication {
    public static void main(String[] args) {, args);
     * Since spring boot 1.3, Global CORS configuration can be defined by registering 
     * a WebMvcConfigurer bean with a customized addCorsMappings(CorsRegistry) method
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurerAdapter() {
            public void addCorsMappings(CorsRegistry registry) {
                .allowedMethods("GET", "PUT", "POST")

Needed to update the WebSecurityConfig to allow all HTTP OPTIONS through.  Spring Security pre-authorization was used to protect the application, in this particular example.

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception {
        .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() // allow CORS OPTIONS calls through

I wanted to move Global CORS configuration out of the Java Config and into, so it'd be easier to update without a code update.

The same Java Config above (public WebMvcConfigurer corsConfigurer()) is now configured as the following in

# Set whether credentials are supported. When not set, credentials are not supported.
# Comma-separated list of headers to allow in a request. '*' allows all headers.
# Comma-separated list of methods to allow. '*' allows all methods.
# Comma-separated list of origins to allow. '*' allows all origins. When not set, CORS support is disabled.
# Comma-separated list of extra headers to include in a response, these get exposed by default 
# Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
# How long, in seconds, the response from a pre-flight request can be cached by clients. 

Key takeaway:
There was no way to do a global cors configuration via essentially an "empty" WebMvcConfigurer corsConfigurer (In other words, completely removing the WebMvcConfigurer corsConfigurer @Bean/method), and then use only the to configure it.  To get the cors parameters recognized, the @CrossOrigin annotation also needs to be added to each controller. I decided to create a base class and have each controller extend it, so it'd be easier to maintain in the future.

 * Base class so all controllers can extend this class to inherit the @CrossOrigin annotation
public class CrossOriginController {
    // empty, just need the CrossOrigin annotation

If you know of any other way to do a global cors configuration using application.propeties cors parameters, please let me know!


  1. You did point out one item that I found interesting: I hadn't found anything that said that the @CrossOrigin notation was required for the to take effect. I did notice that I could just add the notation, with nothing in the properties file and everything worked. And, if I didn't use the notation, and only used the properties file, the user did receive CORS errors.

    1. The development of artificial intelligence (AI) has propelled more programming architects, information scientists, and different experts to investigate the plausibility of a vocation in machine learning. Notwithstanding, a few newcomers will in general spotlight a lot on hypothesis and insufficient on commonsense application. machine learning projects for final year In case you will succeed, you have to begin building machine learning projects in the near future.

      Projects assist you with improving your applied ML skills rapidly while allowing you to investigate an intriguing point. Furthermore, you can include projects into your portfolio, making it simpler to get a vocation, discover cool profession openings, and Final Year Project Centers in Chennai even arrange a more significant compensation.

      Data analytics is the study of dissecting crude data so as to make decisions about that data. Data analytics advances and procedures are generally utilized in business ventures to empower associations to settle on progressively Python Training in Chennai educated business choices. In the present worldwide commercial center, it isn't sufficient to assemble data and do the math; you should realize how to apply that data to genuine situations such that will affect conduct. In the program you will initially gain proficiency with the specialized skills, including R and Python dialects most usually utilized in data analytics programming and usage; Python Training in Chennai at that point center around the commonsense application, in view of genuine business issues in a scope of industry segments, for example, wellbeing, promoting and account.

      The Nodejs Projects Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

  2. refer here:

    springboot support 2 properties for CORS support:


    1. Key point for this article was:

      There was no way to do a global cors configuration via essentially an "empty" WebMvcConfigurer corsConfigurer, and then use the to configure it. To get the cors parameters recognized, the @CrossOrigin annotation needs to be added to each controller. I decided to create a base class and have each controller extend it, so it'd be easier to maintain in the fugure.

  3. Expected to form you a next to no word to thank you once more with respect to the decent recommendations you've contributed here. Those guidelines additionally worked to become a good way to recognize that other people online have the identical fervor like mine to grasp great deal more around this condition. We are providing AngularJs training in velachry.
    For more details: AngularJs training in velachery

  4. I recently found many useful information in your website especially this blog page. Among the lots of comments on your articles. Thanks for sharing. Affinity at serangoon price


I appreciate your time in leaving a comment!