The MVC config continues to expose a HandlerMappingIntrospector bean, which implements CorsConfigurationSource and PreFlightRequestHandler.
Spring Security 7 only needs a PreFlightRequestHandler, and no longer depends on using HandlerMappingIntrospector directly.
We need to switch to a PreFlightRequestHandler bean, which would be transparent to Spring Security, but it would impact anyone who picks it up as CorsConfigurationSource. This was never an intended way of using HandlerMappingIntrospector, but rather a side effect. It needs to be discontinued at some point.
Unfortunately there is no deprecation path, and it will break some apps, but it would be easy for an application to redeclare it, also explicitly opting into the use of a deprecated class. The isolated use of HandlerMappingIntrospector for CORS only also leads to the cache miss warnings in #36309.
The MVC config continues to expose a
HandlerMappingIntrospectorbean, which implementsCorsConfigurationSourceandPreFlightRequestHandler.Spring Security 7 only needs a
PreFlightRequestHandler, and no longer depends on usingHandlerMappingIntrospectordirectly.We need to switch to a
PreFlightRequestHandlerbean, which would be transparent to Spring Security, but it would impact anyone who picks it up asCorsConfigurationSource. This was never an intended way of usingHandlerMappingIntrospector, but rather a side effect. It needs to be discontinued at some point.Unfortunately there is no deprecation path, and it will break some apps, but it would be easy for an application to redeclare it, also explicitly opting into the use of a deprecated class. The isolated use of
HandlerMappingIntrospectorfor CORS only also leads to the cache miss warnings in #36309.