Actuator doesn't use the CORS Configuration with default security configuration and Spring MVC

[mbhave]

If Spring Security can add this as a default, we don't need to do anything. If Spring Security doesn't make this a default, we need to see how this can be done. Adding http.cors() here wouldn't work for Jersey because there is no CorsFilter or CorsConfigurationSource

[michael-simons]

@wilkinsona pointed me at this ticket. I'm about to write some config for exactly having that feature with Actuator on Jersey.

Regarding Spring Security: Wouldn't that tangle Actuator and Security again?

[mbhave]

If Spring Security added it as a default, Spring Boot wouldn't need to add anything extra and it would just rely on Spring Security's defaults. It wouldn't tangle Actuator and Security because there would be no actuator specific configuration in Spring Boot's security auto-config.

[mbhave]

See #9548.

[mbhave]

Unblocking this as we have a separate configuration for the management endpoints now in order to expose health and info. So even if Spring Security adds it as a default we would need to call .cors() in the management security auto-configuration.