Securing Spring Boot REST API – CORS


Sharing is caring!

Introduction

In today’s IT architecture world, most of the web applications are invoking REST API to interact with backend system. So if you have experiences on developing a web application using Javascript, or XHR precisely, and you are dealing with REST API in the backend, most likely you will find something call Cross Origin Resource Sharing or CORS.

CORS

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated.¹

Basically, whenever you make an HTTP request, browsers will allow your request within the same origin or host. Let say your script in domain www.ru-rocker.com and your REST API is located in the same host, you will find no issue when invoking the API.

However, whenever you try to access REST API from different host, most likely your browser will make a pre-flight request to validate whenever your scripts are allowed to make cross-domain request.

The Cross-Origin Resource Sharing (CORS) mechanism gives web servers cross-domain access controls, which enable secure cross-domain data transfers.²

Use Case

I will implement REST API with two different context paths. First context is /api/ , which allows all cross-origin request. The second one is /api-cors/, which allows request from domain www.ru-rocker.com.

For these use cases, I will implement using Spring Boot Starter Web. All the source code for this how-to are available on my github.

Setup Spring with CORS

Spring Boot Starter Web

Basically, spring-boot-starter-web comes with allow all origin (HTTP headers: Access-Control-Allow-Origin: *). But it is not good because we need to restrict only specific host that are allowed to access our API. Therefore we need to add another configuration to restrict domain access.

Configuration

Since spring-boot-starter-web allows all origin, therefore the first use case is automatically solve by itself. You can see in the CustomerController class for more details.

The other one is for the second use case. The controller class for this sample is OtherCustomerController class. You will see no difference in configuration between CustomerController and OtherCustomerController, unless the RequestMapping annotation. This annotation will determine our configuration in the CORS Configuration class. Remember, our purpose is to allow /api-cors/ path accessible only from http://www.ru-rocker.com origin.

CorsConfig

To apply global CORS Configuration for our REST API, we create a WebMvcConfigurer bean and put our CORS configuration under addCorsMapping method.

Note: you can use @CrossOrigin(origins = "http://www.ru-rocker.com") in each controller. However, it is better to apply in a global configuration.

Testing

Start the REST API by running main method under SpringSecurityDemoApplication class. Then try the API by using REST console tools, such as Postman or SOAP UI.

Origin value does not have an impact on request with /api/ path because we allow all origins
Request is blocked due to Origin is not from www.ru-rocker.com
CORS from http://www.ru-rocker.com
Request is allowed because the origin is coming from www.ru-rocker.com

Conclusion

Now we can protect your API by white listing domain that control access to external domain. And by using Spring, the set up is very simple because all you need is three lines only. Just remember to configure the domain origin whenever you are developing REST API in order to make your API more secure.

Have a blessed day and happy new year!

Author: ru rocker

I am a professional software developer with more than 10 years experiences. I am a certified Java Developer (SCJP and SCWCD). However, In the recent months, I have more interest in DevOps and start to become a polyglot developer. Python and Go-lang become my favorite programming languages besides Java.

Leave a Reply

Your email address will not be published. Required fields are marked *