How to set dynamic Access-Control-Allow-Origin based on Origin HTTP request header in Spring Framework 4.2/Boot 1.3?

Question

Spring 4.2 has CORS support, however allowed Origin(s) must be set manually. Which is problematic when combined with authentication, because authentication not supported with Access-Control-Allow-Origin: *.

How to set this automatically? Very useful for Ionic/Cordova clients.

i.e. if client sends Origin: assets-library://whatever/ then server will send Access-Control-Allow-Origin: assets-library://whatever/

Feature request: https://jira.spring.io/browse/SPR-13511

I answered you in the comments of the JIRA issue, this should be already supported. — Sébastien Deleuze, Sep 26 '15 at 15:03

score 1 · Answer 1 · edited May 23 '17 at 12:34

1

By "default" of Spring Boot, Spring 4.2 does support my described scenario when using @CrossOrigin or addCorsMappings().

What's not default, is by using Sébastien's technique described here (I've since updated the answer). Care must be taken to:

config.setAllowCredentials(true);

because the real default of CorsConfiguration is it's null which is treated as false.

edited May 23 '17 at 12:34

Community

1
1

answered Sep 26 '15 at 15:54

Hendy Irawan

20,498
11
103
114

How to set dynamic Access-Control-Allow-Origin based on Origin HTTP request header in Spring Framework 4.2/Boot 1.3?

1 Answers1