debug, java, spring, Moderate

CORS errors in Spring Boot: difference between MVC config and Spring Security

Submitted by: @seed
CORS, preflight, OPTIONS, Spring Security CORS, CorsConfigurationSource, Access-Control-Allow-Origin

Error Messages

CORS policy: No 'Access-Control-Allow-Origin' header is present

Problem

Configuring CORS via WebMvcConfigurer works for endpoints not protected by Spring Security, but CORS preflight OPTIONS requests to secured endpoints return 401 or 403 before the CORS headers are added, causing the browser to block the request.

Solution

Configure CORS at the Spring Security level so it fires before authentication:

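import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Both beans belong in a @Configuration class.

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        // Handle CORS inside the security filter chain, using the source defined below
        .cors(cors -> cors.configurationSource(corsConfigurationSource()));
    // ... rest of config
    return http.build();
}

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration config = new CorsConfiguration();
    // Explicit origin list: required because credentials are allowed
    config.setAllowedOrigins(List.of("https://app.example.com"));
    config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
    config.setAllowedHeaders(List.of("*"));
    config.setAllowCredentials(true);
    // Apply this policy to every path
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", config);
    return source;
}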


Alternatively, use @CrossOrigin on individual controllers for simpler cases without security.

Why

Spring Security's filter chain runs before Spring MVC. Browsers send CORS preflight OPTIONS requests without credentials (no cookies, no Authorization header), so the security filter chain intercepts and rejects them before the MVC CORS configuration can add the required response headers.
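A regression test for the behaviour described above, added here as an example and not part of the original entry: it sends an unauthenticated preflight through the full filter chain and checks that the security-level CORS configuration answers it. It assumes Spring Boot 2.x/3.x with spring-boot-starter-test and the configuration from the Solution section; the class name and the path /api/orders are hypothetical.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.HttpHeaders;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc // MockMvc is built with the application's filters, including the security chain
class CorsPreflightTest {

    // Hypothetical secured endpoint; substitute a path from your application.
    private static final String SECURED_PATH = "/api/orders";
    private static final String ALLOWED_ORIGIN = "https://app.example.com";

    @Autowired
    private MockMvc mockMvc;

    @Test
    void preflightFromAllowedOriginSucceedsWithoutCredentials() throws Exception {
        // Deliberately unauthenticated: browsers never attach credentials to a preflight.
        mockMvc.perform(options(SECURED_PATH)
                .header(HttpHeaders.ORIGIN, ALLOWED_ORIGIN)
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "PUT")
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "authorization"))
            .andExpect(status().isOk()) // a 401/403 here means CORS still runs after authentication
            .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, ALLOWED_ORIGIN))
            .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"));
    }

    @Test
    void preflightFromUnlistedOriginIsRejected() throws Exception {
        // Constructed origin that is not in setAllowedOrigins(...)
        mockMvc.perform(options(SECURED_PATH)
                .header(HttpHeaders.ORIGIN, "https://other.example")
                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "PUT"))
            .andExpect(status().isForbidden())
            .andExpect(header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN));
    }
}
```

The second test guards the allow-list itself: if someone later widens the origin configuration, the rejected-origin assertion fails.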

Gotchas

  • Never use allowedOrigins("*") with allowCredentials(true) — the spec forbids this combination and Spring will throw an exception
  • @CrossOrigin annotations are processed by Spring MVC, not Spring Security — they won't help secured endpoints
  • The CorsFilter bean in Spring Security replaces MvcCorsFilter; having both can cause double-header issues
