10 CORS support - Reference Documentation

Authors: Alvaro Sanchez-Mariscal

Version: 1.5.0.RC3

10 CORS support

This plugin comes pre-installed with the CORS plugin, which enables Cross-Origin Resource Sharing. Refer to the plugin documentation to learn how to configure it.

The CORS plugin activates itself by default. If you don't want it for some environments, you can use cors.enabled = false within the appropriate environment block in your Config.groovy.

If you don't want CORS support at all, you can skip the plugin by excluding it when defining this plugin in your BuildConfig.groovy:

compile ':spring-security-rest:1.5.0.RC3', {
    exclude 'cors
}

Note that you have to explicitly expose the headers you are using for token validation. Otherwise, the frontend application won't be allowed to read them:

cors.headers = ['Access-Control-Allow-Headers': 'Content-Type, Authorization']

Be also aware of the default behaviour of the CORS plugin for Access-Control-Allow-Origin is to just echo the Origin header sent by the browser. Make sure that in your production environment you properly configure the header.

<< 9Token Validation Filter

11Delegating authentication to OAuth providers >>