
I have a server application:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@SpringBootApplication
public class ServerApplication {

    // Plain GET endpoint; the client application below calls it on port 8023,
    // so this application must be configured to listen there (server.port=8023).
    @GetMapping("/data")
    public ResponseEntity<String> getData() {
        return ResponseEntity.ok("Some Data.");
    }

    public static void main(String[] args) {
        SpringApplication.run(ServerApplication.class, args);
    }

}

and a client application:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@RestController
@SpringBootApplication
public class ClientApplication {

    // Server-side HTTP client: it sends no Origin header, so CORS never comes into play.
    RestTemplate restTemplate = new RestTemplate();

    @GetMapping("/test")
    public ResponseEntity<String> test() {
        ResponseEntity<String> response = restTemplate.getForEntity("http://localhost:8023/data", String.class);
        return ResponseEntity.ok("Received: " + response.getBody());
    }

    public static void main(String[] args) {
        SpringApplication.run(ClientApplication.class, args);
    }

}

Both have the exact same security config (Spring Security enabled):

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every path is open to every caller; no CORS configuration is applied.
        http
            .authorizeRequests()
            .antMatchers("/**")
            .permitAll();
    }

}

I expected this RestTemplate call to fail, since I didn't activate CORS with @CrossOrigin or any other method. But this works perfectly fine. When I search for similar problems, I only ever find questions about why an endpoint CAN'T be reached, and not about why it CAN be reached.

Both applications share the same dependencies:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

2 Answers


Please note that CORS is only applicable to requests made from the browser. As you query your service using RestTemplate from another service, you don't need to worry about CORS or any related restrictions.

Please also review "CORS - Is it a client-side thing, a server-side thing, or a transport level thing?", which provides more details on how CORS works.

Gregor Zurowski
  • Thank you - but shouldn't my server application block requests from other origins anyway? –  Aug 11 '21 at 10:12
  • By default, Spring Boot apps don't block requests. If you want to block requests from all origins except a few, you need to whitelist them. Check the guide at [Enabling Cross Origin Requests for a RESTful Web Service](https://spring.io/guides/gs/rest-service-cors/#global-cors-configuration) for more info about enabling it. – Debargha Roy Aug 11 '21 at 10:17
  • Maybe this is a big misunderstanding on my part, but I've seen multiple posts and tutorials on how to enable Cross Origin since it was completely disabled as a default. See the accepted answer here: https://stackoverflow.com/questions/58126723/how-to-allow-crossorigin-from-all-domains Why would I need to enable it with @CrossOrigin("*") when Spring Boot doesn't block them? –  Aug 11 '21 at 10:22
  • Your Spring Boot service will not block any requests by default. CORS is a mechanism that will block cross domain requests when made from the browser. In order to allow that, the server application needs to add CORS headers to manage and potentially allow those requests. But as initially mentioned, this only applies to requests made from the browser. It does not apply to service to service requests or even `curl` requests made from another machine. – Gregor Zurowski Aug 11 '21 at 10:25
  • Okay - thanks so far. When I want my service to only allow calls of a specific origin regardless of what it is (browser/service/curl/whatever) - what do I need to look for? –  Aug 11 '21 at 10:37
  • In order to block access to your service, e.g. based on IP addresses, header values, or authentication tokens, you should look into [Spring Security](https://spring.io/projects/spring-security). – Gregor Zurowski Aug 11 '21 at 10:50
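The last comment points at Spring Security for blocking callers by IP address, header value or token. As an added example that is not part of the question or either answer, here is a version of the server's SecurityConfig that restricts /data by client address and, separately, declares a CORS policy for browser pages, so the two mechanisms can be compared in one place. The Spring Boot 2.x / Spring Security 5.x API is assumed (matching the WebSecurityConfigurerAdapter in the question); the browser origin and the loopback-only rule are placeholders to adapt.

```java
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Added example (not from the question): the server's SecurityConfig with a real
// caller restriction next to an explicit CORS policy.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder origin of the browser front end that is allowed to read /data responses.
    private static final String BROWSER_ORIGIN = "https://app.example.com";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CORS layer: only consulted when a request carries an Origin header,
            // i.e. when it comes from a browser. RestTemplate and curl send no
            // Origin, so this layer never sees them. A browser request whose
            // Origin is not allowed is answered with 403 by Spring's CorsFilter;
            // an allowed one gets Access-Control-Allow-Origin added to the response.
            .cors().configurationSource(corsConfigurationSource())
            .and()
            // Authorization layer: evaluated for every caller, whatever the client.
            // This is what actually decides whether /data is served.
            .authorizeRequests()
                // Only the local host may call /data. Both loopback forms are listed
                // because a client connecting to "localhost" may arrive as ::1.
                .antMatchers("/data").access("hasIpAddress('127.0.0.1') or hasIpAddress('::1')")
                // Nothing else on this server is reachable.
                .anyRequest().denyAll();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(Collections.singletonList(BROWSER_ORIGIN));
        config.setAllowedMethods(Collections.singletonList("GET"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

With this in place the client application's RestTemplate call from the same machine still succeeds, a curl from another host gets 403 from the authorization layer even though it never triggered CORS, and a page at the placeholder origin can read /data from a browser. Two caveats: hasIpAddress evaluates the servlet request's remote address, so behind a reverse proxy it sees the proxy unless forwarded headers are explicitly trusted, and for callers on other hosts a credential (HTTP Basic, a bearer token) is the usual choice rather than an address list.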

As said in this post: "Spring RestTemplate call to API worked but jQuery failed because same-origin policy"

The same-origin policy is applied by the web browser: https://en.wikipedia.org/wiki/Same-origin_policy.

The @CrossOrigin annotation simply adds the required headers to the response so the browser doesn't throw the CORS exception.

I cannot comment, but no, your application server doesn't block calls from other origins (by default).

xTheDoctah
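To see both statements above in one place (the server serves cross-origin requests; the presence or absence of a CORS configuration only changes response headers), here is an added MockMvc test that is not part of the question or either answer. It assumes the question's ServerApplication and SecurityConfig unchanged, spring-boot-starter-test on the classpath as in the question's pom, and that the test class sits in the same package as ServerApplication so that @SpringBootTest finds it.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Added example (not from the question): exercises the question's ServerApplication
// through the full Spring Security filter chain without starting a real listener.
@SpringBootTest
@AutoConfigureMockMvc
class CorsBehaviourTest {

    @Autowired
    MockMvc mockMvc;

    // What RestTemplate or curl does: no Origin header at all. There is nothing
    // for CORS to act on, so the request is simply served.
    @Test
    void requestWithoutOriginIsServed() throws Exception {
        mockMvc.perform(get("/data"))
            .andExpect(status().isOk())
            .andExpect(content().string("Some Data."));
    }

    // What a browser does: it adds Origin. With no CORS configuration the server
    // still returns 200 and the body; it just omits Access-Control-Allow-Origin,
    // and it is the browser, not the server, that then refuses to hand the body
    // to the page's script. The placeholder origin below is constructed.
    @Test
    void crossOriginRequestIsServedButNotExposedToBrowsers() throws Exception {
        mockMvc.perform(get("/data").header("Origin", "http://attacker.example"))
            .andExpect(status().isOk())
            .andExpect(content().string("Some Data."))
            .andExpect(header().doesNotExist("Access-Control-Allow-Origin"));
    }
}
```

Once an allow-list is configured (via @CrossOrigin or http.cors()), Spring answers a request whose Origin is not listed with 403 "Invalid CORS request" rather than a bare body; that still is not access control, because Origin is supplied by the client and a non-browser client can omit or forge it, which is why the first test above keeps passing whatever CORS policy is set.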