How to allow CrossOrigin from all domains?

Is there any way to make this endpoint allow requests from anywhere?

I've tried the following, but none of them worked.

@CrossOrigin(origins = "")
@CrossOrigin(origins = "http://")

@CrossOrigin(origins = "http://localhost:3001")
@GetMapping(path="/transactions")
public @ResponseBody List<RealEstateTransaction> getTransactions() {
    return realEstateTransactionService.findTargets();
}


Solution 1:[1]

When working across domains, most of the time we tend to worry about what went wrong and where. There are many factors, including security, web components, sockets, etc., to be handled on the server side before a request is processed. There are many ways to implement CORS in a Spring Boot application.

1. Annotation

By using @CrossOrigin as you did in the main class. It can also be done by adding @CrossOrigin to specific controllers/methods, if a particular API should be accessed only from a specific domain.

@CrossOrigin("*") // to allow from all domains
@CrossOrigin("http://localhost:3001") // to allow from specific domain
@CrossOrigin(origins = "http://localhost:3001")

2. WebConfig

If the Spring application is MVC where the resources could be accessed, simply add the CORS mappings by overriding WebMvcConfigurer's addCorsMappings function.

@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**").allowedOrigins("*").allowedHeaders("*");
    }
}

3. SecurityConfig

When security is enabled in the application, CORS must be implemented in the SecurityConfig. Registering the CORS filter can be done in many ways. One is adding a UrlBasedCorsConfigurationSource to the http.cors() function. Another is to create a CustomCorsFilter by extending CorsFilter.

public class CustomCorsFilter extends CorsFilter {

    public CustomCorsFilter() {
        super(configurationSource());
    }
    
    public static UrlBasedCorsConfigurationSource configurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowCredentials(true);
        configuration.addAllowedOrigin("*");
        configuration.addAllowedHeader("*");
        configuration.setMaxAge(3600L);
    
        UrlBasedCorsConfigurationSource corsConfigurationSource = new UrlBasedCorsConfigurationSource();
        corsConfigurationSource.registerCorsConfiguration("/**", configuration);
        
        return corsConfigurationSource;
    }
}

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Entry point used by exceptionHandling() below; injected from the application context.
    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Paths that stay reachable without authentication.
        String[] paths = {"/auth/**", "/env"};
        
        //http.cors().configurationSource(CustomCorsFilter.configurationSource()); // Option 1

        http
            .csrf().disable()
            .exceptionHandling()
            .authenticationEntryPoint(this.authenticationEntryPoint)
        .and()
            .authorizeRequests()
            .antMatchers(paths)
            .permitAll()
        .and()
            .authorizeRequests()
            .antMatchers("/**")
            .authenticated()
        .and()
            .addFilterBefore(new CustomCorsFilter(), UsernamePasswordAuthenticationFilter.class); // Option 2
    }
}
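
Added example, not part of the answer above: a CorsConfigurationSource that keeps the "*" origin for public, credential-free reads and uses an explicit origin list wherever credentials are allowed. The class name CorsPolicyConfig, the choice of /transactions as public data, and the trusted origin (taken from the question) are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class CorsPolicyConfig { // hypothetical class name

    // Assumed front-end origin (from the question); replace with your own list.
    private static final List<String> TRUSTED_ORIGINS =
            Collections.singletonList("http://localhost:3001");

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        // Public data (assumption: /transactions needs no login): any origin may
        // read it, but credentials stay off, so returning "*" is acceptable.
        CorsConfiguration open = new CorsConfiguration();
        open.addAllowedOrigin("*");
        open.addAllowedMethod("GET");
        open.addAllowedHeader("*");
        open.setAllowCredentials(false);
        open.setMaxAge(3600L);

        // Authenticated API: cookies/Authorization are allowed, so origins are
        // listed explicitly. Browsers refuse "Access-Control-Allow-Origin: *" on
        // credentialed requests, and Spring Framework 5.3+ throws
        // IllegalArgumentException for allowCredentials=true combined with "*".
        CorsConfiguration trusted = new CorsConfiguration();
        trusted.setAllowedOrigins(TRUSTED_ORIGINS);
        trusted.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE"));
        trusted.addAllowedHeader("*");
        trusted.setAllowCredentials(true);
        trusted.setMaxAge(3600L);

        // Patterns are checked in registration order; the first match wins.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/transactions", open);
        source.registerCorsConfiguration("/**", trusted);
        return source;
    }
}
```

With Spring Security on the classpath, http.cors() picks up a bean named corsConfigurationSource, so no custom filter subclass is needed.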

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Emiliano Ruiz