Access-Control-Allow-Origin alwasy set to * in spring boot

Question

I am setting CORS using the following configurations, in spring boot, but the browser shows as if I am using * not the specified URL !

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        final CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(ImmutableList.of("http://localhost:4200"));
        configuration.setAllowedMethods(ImmutableList.of("HEAD",
                "GET", "POST", "PUT", "DELETE", "PATCH"));
        configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type", "Access-Control-Allow-Origin"));
        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

Answer 1

1. The easier way support by spring boot is sets @CrossOrigin annotation on the controller.

Example:

@CrossOrigin("http://localhost:4200")

2. Of if you use spring security:

@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.cors().and()...
    }
}

And many ways to set cors, follow this article: https://www.baeldung.com/spring-cors

3. For global configuration:

@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**") 
        .allowedOrigins("http://localhost:4200");
    }
}

Answer 2

After deploying the war on tomcat, It didn't show the *.

so maybe it is only when start from intellij