fix: Restrict automatic CORS configuration to UrlBasedCorsConfigurationSource

- Update CORS configuration logic to automatically enable .cors() only if a UrlBasedCorsConfigurationSource bean is present.
- Modify applyCorsIfAvailable method to check for UrlBasedCorsConfigurationSource instances.

Author: baezzys

config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,14 +47,15 @@
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 import org.springframework.web.accept.ContentNegotiationStrategy;
 import org.springframework.web.accept.HeaderContentNegotiationStrategy;
-import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
 /**
  * {@link Configuration} that exposes the {@link HttpSecurity} bean.
  *
  * @author Eleftheria Stein
+ * @author Jinwoo Bae
  * @since 5.4
  */
 @Configuration(proxyBeanMethods = false)
@@ -131,8 +132,7 @@ HttpSecurity httpSecurity() throws Exception {
 	}
 
 	private void applyCorsIfAvailable(HttpSecurity http) throws Exception {
-		String[] beanNames = this.context.getBeanNamesForType(CorsConfigurationSource.class);
-		if (beanNames.length == 1) {
+		if (this.context.getBeanNamesForType(UrlBasedCorsConfigurationSource.class).length > 0) {
 			http.cors(withDefaults());
 		}
 	}

config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -362,7 +362,7 @@ public void disableConfigurerWhenAppliedByAnotherConfigurerThenNotApplied() {
 	}
 
 	@Test
-	public void configureWhenCorsConfigurationSourceThenApplyCors() {
+	public void configureWhenCorsConfigurationSourceThenApplyCors() throws Exception {
 		this.spring.register(CorsConfigurationSourceConfig.class, DefaultWithFilterChainConfig.class).autowire();
 		SecurityFilterChain filterChain = this.spring.getContext().getBean(SecurityFilterChain.class);
 		CorsFilter corsFilter = (CorsFilter) filterChain.getFilters()
@@ -374,6 +374,16 @@ public void configureWhenCorsConfigurationSourceThenApplyCors() {
 		assertThat(configSource).isInstanceOf(UrlBasedCorsConfigurationSource.class);
 	}
 
+	// gh-15378
+	@Test
+	public void configureWhenNoUrlBasedCorsConfigThenNoCorsAppliedAndVaryHeaderNotPresent() throws Exception {
+		this.spring.register(NonUrlBasedCorsConfig.class, DefaultWithFilterChainConfig.class).autowire();
+		SecurityFilterChain filterChain = this.spring.getContext().getBean(SecurityFilterChain.class);
+		assertThat(filterChain.getFilters()).noneMatch((filter) -> filter instanceof CorsFilter);
+
+		this.mockMvc.perform(get("/")).andExpect(header().doesNotExist("Vary"));
+	}
+
 	@Test
 	public void configureWhenAddingCustomDslUsingWithThenApplied() throws Exception {
 		this.spring.register(WithCustomDslConfig.class, UserDetailsConfig.class).autowire();
@@ -673,6 +683,33 @@ CorsConfigurationSource corsConfigurationSource() {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	static class NonUrlBasedCorsConfig {
+
+		@Bean
+		CorsConfigurationSource corsConfigurationSource() {
+			return new CustomCorsConfigurationSource();
+		}
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			return http.build();
+		}
+
+	}
+
+	static class CustomCorsConfigurationSource implements CorsConfigurationSource {
+
+		@Override
+		public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
+			CorsConfiguration configuration = new CorsConfiguration();
+			configuration.setAllowedOrigins(List.of("http://localhost:8080"));
+			return configuration;
+		}
+
+	}
+
 	static class DefaultConfigurer extends AbstractHttpConfigurer<DefaultConfigurer, HttpSecurity> {
 
 		boolean init;

docs/modules/ROOT/pages/servlet/integrations/cors.adoc

@@ -6,7 +6,7 @@ CORS must be processed before Spring Security, because the pre-flight request do
 If the request does not contain any cookies and Spring Security is first, the request determines that the user is not authenticated (since there are no cookies in the request) and rejects it.
 
 The easiest way to ensure that CORS is handled first is to use the `CorsFilter`.
-Users can integrate the `CorsFilter` with Spring Security by providing a `CorsConfigurationSource`.
+Users can integrate the `CorsFilter` with Spring Security by providing a `CorsConfigurationSource`. Note that Spring Security will automatically configure CORS only if a `UrlBasedCorsConfigurationSource` instance is present.
 For example, the following will integrate CORS support within Spring Security:
 
 [tabs]