Spring Data Rest and Cors

Indeed, before Spring Data REST 2.6 (Ingalls) only HandlerMapping instances created by Spring MVC WebMvcConfigurationSupport and controllers annotated with @CrossOrigin were CORS aware.

But now that DATAREST-573 has been fixed, RepositoryRestConfiguration now exposes a getCorsRegistry() for global setup and @CrossOrigin annotations on repositories are also recognized so this is the recommended approach. See https://stackoverflow.com/a/42403956/1092077 answer for concrete examples.

For people that have to stick to Spring Data REST 2.5 (Hopper) or previous versions, I think the best solution is to use a filter based approach. You could obviously use Tomcat, Jetty or this one, but be aware that Spring Framework 4.2 also provides a CorsFilter that use the same CORS processing logic that @CrossOrigin and addCorsMappings(CorsRegistry registry) approaches. By passing an UrlBasedCorsConfigurationSource instance to the CorsFilter constructor parameter, you could easily get something as powerful as Spring native CORS global support.

If you are using Spring Boot (which supports Filter beans), it could be something like:

@Configuration
public class RestConfiguration {

    @Bean
    public FilterRegistrationBean corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
        source.registerCorsConfiguration("/**", config);
        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        bean.setOrder(0);
        return bean;
    }
}

Since the Ingalls train has been realised, the support of CORS in Spring Data is now on. There are two ways to deal with:

1. The @CrossOrigin annotation with specifying origins, methods, and allowedHeaders over a @RepositoryRestResource interface.

   @CrossOrigin(...)
   @RepositoryRestResource
   public interface PageRepository extends CrudRepository<Page, Long> { ... }
   

2. A global configuration with the RepositoryRestConfiguration inside a @Configuration class. Marking repositories by the @CrossOrigin is not necessary then.

   @Configuration
   public class GlobalRepositoryRestConfigurer extends RepositoryRestConfigurerAdapter {
   
       @Override
       public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {
           config.getCorsRegistry()
                     .addMapping(CORS_BASE_PATTERN)
                     .allowedOrigins(ALLOWED_ORIGINS)
                     .allowedHeaders(ALLOWED_HEADERS)
                     .allowedMethods(ALLOWED_METHODS);
        }
   
   }