Skip to content

Clarify behavior when multiple CorsConfigurationSource beans are present #18584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mjkang4416 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Clarify behavior when multiple CorsConfigurationSource beans are present #18584

mjkang4416 wants to merge 1 commit into from

Conversation

@mjkang4416
Copy link

@mjkang4416 mjkang4416 commented Jan 25, 2026

Motivation

When more than one CorsConfigurationSource bean is present in the application context,
Spring Security fails to start with an ambiguous bean definition error.

From a user’s perspective, this is confusing because a custom
CorsConfigurationSource bean may already be defined, yet Spring Security
does not indicate which one it expects to use.

The current CORS section of the reference documentation does not describe
what happens when multiple CorsConfigurationSource beans are present.

Changes in this PR

This PR updates the CORS section of the Spring Security reference documentation to:

  • Clarify that Spring Security does not automatically select one
    CorsConfigurationSource when multiple candidates are available.
  • Explain that users must explicitly specify which bean should be used.
  • Show common ways to do this using @Qualifier, @Primary, or the .cors() DSL.

Related Issue

Fixes #18583

@mjkang4416
Clarify behavior with multiple CorsConfigurationSource beans
28cffe5 
Document that Spring Security does not automatically select a
CorsConfigurationSource when multiple candidates are present and
that users must explicitly configure which one to use.

Signed-off-by: 강민정 <[email protected]>
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

status: waiting-for-triage An issue we've not yet triaged

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Document behavior when multiple CorsConfigurationSource beans are present

2 participants

@mjkang4416 @spring-projects-issues