Use LinkedHashMap for CORS configurations in CorsGatewayFilterApplicationListener to preserve insertion order. Fixes GH-3805.

Signed-off-by: Yavor Chamov <[email protected]>

Author: yavor300

spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/filter/cors/CorsGatewayFilterApplicationListener.java

@@ -34,12 +34,34 @@
 import org.springframework.web.cors.CorsConfiguration;
 
 /**
- * This class updates Cors configuration each time a {@link RefreshRoutesResultEvent} is
- * consumed. The {@link Route}'s predicates are inspected for a
- * {@link PathRoutePredicateFactory} and the first pattern is used.
+ * <p>
+ * For each {@link Route}, this listener inspects its predicates and looks for an instance
+ * of {@link PathRoutePredicateFactory}. If a path predicate is found, the first defined
+ * path pattern is extracted and used as the key for associating the route-specific
+ * {@link CorsConfiguration}.
+ * </p>
+ *
+ * <p>
+ * After collecting all route-level CORS configurations, the listener merges them with
+ * globally defined configurations from {@link GlobalCorsProperties}, ensuring that
+ * route-specific configurations take precedence over global ones in case of conflicts
+ * (e.g., both defining CORS rules for {@code /**}).
+ * </p>
+ *
+ * <p>
+ * The merged configuration map is then applied to the
+ * {@link RoutePredicateHandlerMapping} via {@code setCorsConfigurations}.
+ * </p>
+ *
+ * <p>
+ * Note: A {@link LinkedHashMap} is used to store the merged configurations to preserve
+ * insertion order, which ensures predictable CORS resolution when multiple path patterns
+ * could match a request.
+ * </p>
  *
  * @author Fredrich Ombico
  * @author Abel Salgado Romero
+ * @author Yavor Chamov
  */
 public class CorsGatewayFilterApplicationListener implements ApplicationListener<RefreshRoutesResultEvent> {
 
@@ -69,12 +91,16 @@ public void onApplicationEvent(RefreshRoutesResultEvent event) {
 			routes.forEach(route -> {
 				Optional<CorsConfiguration> corsConfiguration = getCorsConfiguration(route);
 				corsConfiguration.ifPresent(configuration -> {
-					var pathPredicate = getPathPredicate(route);
+					String pathPredicate = getPathPredicate(route);
 					corsConfigurations.put(pathPredicate, configuration);
 				});
 			});
 
-			corsConfigurations.putAll(globalCorsProperties.getCorsConfigurations());
+			globalCorsProperties.getCorsConfigurations().forEach((path, config) -> {
+				if (!corsConfigurations.containsKey(path)) {
+					corsConfigurations.put(path, config);
+				}
+			});
 			routePredicateHandlerMapping.setCorsConfigurations(corsConfigurations);
 		});
 	}

spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/filter/cors/CorsGatewayFilterApplicationListenerTests.java

@@ -46,18 +46,21 @@
 /**
  * Tests for {@link CorsGatewayFilterApplicationListener}.
  *
- * <p>This test verifies that the merged CORS configurations - composed of per-route metadata
- * and at the global level - maintain insertion order, as defined by the use of {@link LinkedHashMap}.
- * Preserving insertion order helps for predictable and deterministic CORS behavior
- * when resolving multiple matching path patterns.
+ * <p>
+ * This test verifies that the merged CORS configurations - composed of per-route metadata
+ * and at the global level - maintain insertion order, as defined by the use of
+ * {@link LinkedHashMap}. Preserving insertion order helps for predictable and
+ * deterministic CORS behavior when resolving multiple matching path patterns.
  * </p>
  *
- * <p>The test builds actual {@link Route} instances with {@code Path} predicates and verifies
- * that the resulting configuration map passed to {@link RoutePredicateHandlerMapping#setCorsConfigurations(Map)}
- * respects the declared order of:
+ * <p>
+ * The test builds actual {@link Route} instances with {@code Path} predicates and
+ * verifies that the resulting configuration map passed to
+ * {@link RoutePredicateHandlerMapping#setCorsConfigurations(Map)} respects the declared
+ * order of:
  * <ul>
- *   <li>Route-specific CORS configurations (in the order the routes are discovered)</li>
- *   <li>Global CORS configurations (in insertion order)</li>
+ * <li>Route-specific CORS configurations (in the order the routes are discovered)</li>
+ * <li>Global CORS configurations (in insertion order)</li>
  * </ul>
  * </p>
  *
@@ -67,17 +70,29 @@
 class CorsGatewayFilterApplicationListenerTests {
 
 	private static final String GLOBAL_PATH_1 = "/global1";
+
 	private static final String GLOBAL_PATH_2 = "/global2";
+
 	private static final String ROUTE_PATH_1 = "/route1";
+
 	private static final String ROUTE_PATH_2 = "/route2";
+
 	private static final String ORIGIN_GLOBAL_1 = "https://global1.com";
+
 	private static final String ORIGIN_GLOBAL_2 = "https://global2.com";
+
 	private static final String ORIGIN_ROUTE_1 = "https://route1.com";
+
 	private static final String ORIGIN_ROUTE_2 = "https://route2.com";
+
 	private static final String ROUTE_ID_1 = "route1";
+
 	private static final String ROUTE_ID_2 = "route2";
+
 	private static final String ROUTE_URI = "https://spring.io";
+
 	private static final String METADATA_KEY = "cors";
+
 	private static final String ALLOWED_ORIGINS_KEY = "allowedOrigins";
 
 	@Mock
@@ -96,8 +111,7 @@ class CorsGatewayFilterApplicationListenerTests {
 	@BeforeEach
 	void setUp() {
 		globalCorsProperties = new GlobalCorsProperties();
-		listener = new CorsGatewayFilterApplicationListener(globalCorsProperties,
-				handlerMapping, routeLocator);
+		listener = new CorsGatewayFilterApplicationListener(globalCorsProperties, handlerMapping, routeLocator);
 	}
 
 	@Test
@@ -118,16 +132,14 @@ void testOnApplicationEvent_preservesInsertionOrder_withRealRoutes() {
 			verify(handlerMapping).setCorsConfigurations(corsConfigurations.capture());
 
 			Map<String, CorsConfiguration> mergedCorsConfigurations = corsConfigurations.getValue();
-			assertThat(mergedCorsConfigurations.keySet())
-					.containsExactly(ROUTE_PATH_1, ROUTE_PATH_2, GLOBAL_PATH_1, GLOBAL_PATH_2);
+			assertThat(mergedCorsConfigurations.keySet()).containsExactly(ROUTE_PATH_1, ROUTE_PATH_2, GLOBAL_PATH_1,
+					GLOBAL_PATH_2);
 			assertThat(mergedCorsConfigurations.get(GLOBAL_PATH_1).getAllowedOrigins())
-					.containsExactly(ORIGIN_GLOBAL_1);
+				.containsExactly(ORIGIN_GLOBAL_1);
 			assertThat(mergedCorsConfigurations.get(GLOBAL_PATH_2).getAllowedOrigins())
-					.containsExactly(ORIGIN_GLOBAL_2);
-			assertThat(mergedCorsConfigurations.get(ROUTE_PATH_1).getAllowedOrigins())
-					.containsExactly(ORIGIN_ROUTE_1);
-			assertThat(mergedCorsConfigurations.get(ROUTE_PATH_2).getAllowedOrigins())
-					.containsExactly(ORIGIN_ROUTE_2);
+				.containsExactly(ORIGIN_GLOBAL_2);
+			assertThat(mergedCorsConfigurations.get(ROUTE_PATH_1).getAllowedOrigins()).containsExactly(ORIGIN_ROUTE_1);
+			assertThat(mergedCorsConfigurations.get(ROUTE_PATH_2).getAllowedOrigins()).containsExactly(ORIGIN_ROUTE_2);
 		});
 	}
 
@@ -141,12 +153,11 @@ private CorsConfiguration createCorsConfig(String origin) {
 	private Route buildRoute(String id, String path, String allowedOrigin) {
 
 		return Route.async()
-				.id(id)
-				.uri(ROUTE_URI)
-				.predicate(new PathRoutePredicateFactory()
-						.apply(config -> config.setPatterns(List.of(path))))
-				.metadata(METADATA_KEY, Map.of(ALLOWED_ORIGINS_KEY, List.of(allowedOrigin)))
-				.build();
+			.id(id)
+			.uri(ROUTE_URI)
+			.predicate(new PathRoutePredicateFactory().apply(config -> config.setPatterns(List.of(path))))
+			.metadata(METADATA_KEY, Map.of(ALLOWED_ORIGINS_KEY, List.of(allowedOrigin)))
+			.build();
 	}
 
 }