Actuator doesn't use the CORS Configuration with default security config

[ptahchiev]

The actuator endpoints don't seem to respect the cors configuration with spring security default configuration. So as per @dsyer suggestion on the gitter channel I'm opening this issue for further investigation.
Steps to reproduce:

• Generate project from http://start.spring.io with web, security and actuators
• Make a test to perform OPTIONS request against /env and expect return status is 200. What is actually returned is 401.

Here's a sample project to reproduce the problem: https://github.com/ptahchiev/boot-cors-problem

[dsyer]

A workaround is to use a custom security config, e.g.

@SpringBootApplication
public class ActuatorcorsApplication extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.httpBasic().and().cors();
	}

	public static void main(String[] args) {
		SpringApplication.run(ActuatorcorsApplication.class, args);
	}
}

I think the ManagementWebSecurityAutoConfiguration needs to apply the cors configuration from the EndpointHandlerMapping (probably the same thing would work). The test is useful, thank you, @ptahchiev.

[ptahchiev]

Any chance to have this backported to 1.5.x too?

[wilkinsona]

Let's see what the fix looks like, but it feels like something that would be reasonable to include in 1.5.x

[ptahchiev]

The fix is pretty straight-forward and I think it can be backported to 1.5.x

[wilkinsona]

@ptahchiev It's already there