How to Fix CORS Issues After Upgrading to Spring Boot 2.5.x

Cross‑origin resource sharing (CORS) occurs when a request’s protocol, domain, or port differs from the page’s URL, and browsers block such requests due to the same‑origin policy, a fundamental security mechanism.

Why CORS Happens

The same‑origin policy prevents JavaScript from one origin from interacting with resources from another, protecting browsers from malicious cross‑site interactions.

Old Solution for Spring Boot 2.1.8

In Spring Boot 2.1.8 the common fix is to create a @Configuration class that registers a CorsFilter bean, allowing all origins, methods, and headers:

@Configuration
public class GlobalCorsConfig {
    @Bean
    public CorsFilter corsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("*");
        config.setAllowCredentials(true);
        config.addAllowedMethod("*");
        config.addAllowedHeader("*");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);
    }
}

New Issue in Spring Boot 2.5.6

After upgrading to 2.5.6 the above filter no longer resolves CORS problems because the framework’s handling of CORS has changed.

Official Solution for Spring Boot 2.5.x

The documentation recommends adding a WebMvcConfigurer bean that configures CORS mappings with allowedOriginPatterns("*") and enables credentials:

@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurer() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/**").allowCredentials(true).allowedOriginPatterns("*");
        }
    };
}

Adding this bean under the application’s main class eliminates the CORS errors introduced by the upgrade.

Once the new configuration is in place, cross‑origin requests succeed, confirming the fix.