Published on Jul 25, 2023

Enable Global CORS in Spring Boot

CORS stands for Cross-Origin Resource Sharing. It is an HTTP-header based mechanism that permits loading of restricted web resources of one domain from another domain.

In Spring Boot, you can configure CORS (Cross-Origin Resource Sharing) in several ways to control cross-origin requests from different domains. The following are two different approaches to configure CORS:

Global CORS Configuration

To apply Global CORS settings to all endpoints in your Spring Boot application, create a configuration class that implements WebMvcConfigurer and inside the configuration class, override the addCorsMappings method to configure global CORS settings:

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class GlobalCorsConfiguration implements WebMvcConfigurer {
  @Override
  public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/**").allowedOrigins("*")
    .allowedMethods("GET", "POST", "PUT", "DELETE")
        .allowedHeaders("*");
  }
}

In this example, we have configured the application to grant access to all origins (*) for every endpoint. Additionally, we have authorized the usage of HTTP methods GET, POST, PUT, and DELETE, while permitting all headers in CORS requests.

You can customize the allowedOrigins, allowedMethods, and allowedHeaders to restrict access to specific origins or limit the allowed methods and headers.

The addition of @Configuration annotation to this configuration class, will automatically pick this class up and enable the Global CORS settings for your application.

Enabling CORS at the Method Level

We can enable CORS (Cross-Origin Resource Sharing) for specific controller methods in Spring Boot by using the @CrossOrigin annotation at the method level. This allows you to customize CORS settings for individual controller methods instead of applying them globally to the entire controller class.

Here's how to enable CORS in specific controller methods:

@RestController
@RequestMapping("/api")
public class MyController {

    @CrossOrigin(origins = {"http://example.com", "*"}, allowedHeaders = "*",
      methods = {RequestMethod.GET, RequestMethod.POST, RequestMethod.PUT,RequestMethod.DELETE})
    @GetMapping("/data")
    public ResponseEntity<Data> getData() {
        // Method logic here
    }

    @CrossOrigin(origins = {"http://localhost:8080", "*"}, allowedHeaders = "*",
      methods = {RequestMethod.GET, RequestMethod.POST, RequestMethod.PUT,RequestMethod.DELETE})
    @PostMapping("/save")
    public ResponseEntity<String> saveData(@RequestBody Data data) {
        // Method logic here
    }

    // Other controller methods and logic...
}

By using @CrossOrigin at the method level, you can fine-tune the CORS settings for each specific controller method. This allows you to control access to the API endpoints on a per-method basis, providing flexibility and security as needed for your application.