Differentiate same-origin and cross-origin use cases

Closes gh-38

README.adoc

@@ -246,10 +246,10 @@ attributes:
 * `allowCredentials`
 * `maxAge`.
 
-In this example, we allow only `http://localhost:8080` to send cross-origin requests.
+In this example, we allow only `http://localhost:9000` to send cross-origin requests.
 
 NOTE: You can also add the `@CrossOrigin` annotation at the controller class level as
-well, to enable  CORS on all handler methods of this class.
+well, to enable CORS on all handler methods of this class.
 
 [[global-cors-configuration]]
 === Global CORS configuration
@@ -391,58 +391,60 @@ include::complete/public/index.html[]
 ----
 ====
 
-To start the client running on localhost at port 8080,
-run the following Maven command:
+To test the CORS behaviour, you need to start the client from another server or port.
+Doing so not only avoids a collision between the two applications, but also ensures that the client code is served from a
+different origin than the service.
+
+To start the client running on localhost at port 9000, keep the application running at port 8080 and
+run the following Maven command in another terminal:
 
 ====
 [source,bash]
 ----
-./mvnw spring-boot:run
+./mvnw spring-boot:run -Dspring-boot.run.jvmArguments='-Dserver.port=9000'
 ----
 ====
 
 If you use Gradle, you can use this command:
 ====
 [source,text]
 ----
-./gradlew bootRun
+./gradlew bootRun --args="--server.port=9000"
 ----
 ====
 
-Once the app starts, open http://localhost:8080 in your browser, where you should see
-the following:
+Once the app starts, open http://localhost:9000 in your browser, where you should see
+the following because the service response includes the relevant CORS headers, so the ID and content are rendered into
+the page:
 
-image::{images}/hello.png[The browser will fail the request if the CORS headers are missing from the response. No data will be rendered into the DOM.]
+image::{images}/hello.png[Model data retrieved from the REST service is rendered into the DOM if the proper CORS headers are in the response.]
 
-To test the CORS behaviour, you need to start the client from another server or port.
-Doing so not only avoids a collision
-between the two applications but also ensures that the client code is served from a
-different origin than the service. To start the app running on localhost at port 9000 (as well as the one that is already running on port 8080),
-run the following Maven command:
+Now, stop the application running at port 9000, keep the application running at port 8080 and run the following Maven
+command in another terminal:
 
 ====
 [source,bash]
 ----
-./mvnw spring-boot:run -Dserver.port=9000
+./mvnw spring-boot:run -Dspring-boot.run.jvmArguments='-Dserver.port=9001'
 ----
 ====
 
 If you use Gradle, you can use this command:
 ====
 [source,text]
 ----
-./gradlew bootRun --args="--server.port=9000"
+./gradlew bootRun --args="--server.port=9001"
 ----
 ====
 
-Once the app starts, open http://localhost:9000 in your browser, where you should see
+Once the app starts, open http://localhost:9001 in your browser, where you should see
 the following:
 
-image::{images}/hello_fail.png[Model data retrieved from the REST service is rendered into the DOM if the proper CORS headers are in the response.]
+image::{images}/hello_fail.png[The browser will fail the request if the CORS headers are missing (or insufficient for theclient) from the response. No data will be rendered into the DOM.]
 
-If the service response includes the CORS headers, then the ID and content are rendered
-into the page. But if the CORS headers are missing (or insufficient for the
-client), the browser fails the request and the values are not rendered into the DOM.
+Here, the browser fails the request and the values are not rendered into the DOM because the CORS headers are missing
+(or insufficient for the client), since we only allowed cross-origin requests from http://localhost:9000, not
+http://localhost:9001.
 
 
 == Summary

complete/src/main/java/com/example/restservicecors/GreetingController.java

@@ -14,7 +14,7 @@ public class GreetingController {
 
 	private final AtomicLong counter = new AtomicLong();
 
-	@CrossOrigin(origins = "http://localhost:8080")
+	@CrossOrigin(origins = "http://localhost:9000")
 	@GetMapping("/greeting")
 	public Greeting greeting(@RequestParam(required = false, defaultValue = "World") String name) {
 		System.out.println("==== get greeting ====");

complete/src/main/java/com/example/restservicecors/RestServiceCorsApplication.java

@@ -18,7 +18,7 @@ public WebMvcConfigurer corsConfigurer() {
 		return new WebMvcConfigurer() {
 			@Override
 			public void addCorsMappings(CorsRegistry registry) {
-				registry.addMapping("/greeting-javaconfig").allowedOrigins("http://localhost:8080");
+				registry.addMapping("/greeting-javaconfig").allowedOrigins("http://localhost:9000");
 			}
 		};
 	}

complete/src/test/java/com/example/restservicecors/GreetingIntegrationTests.java

@@ -23,20 +23,20 @@ public class GreetingIntegrationTests {
 	@Test
 	public void corsWithAnnotation() throws Exception {
 		ResponseEntity<Greeting> entity = this.restTemplate.exchange(
-				RequestEntity.get(uri("/greeting")).header(HttpHeaders.ORIGIN, "http://localhost:8080").build(),
+				RequestEntity.get(uri("/greeting")).header(HttpHeaders.ORIGIN, "http://localhost:9000").build(),
 				Greeting.class);
 		assertEquals(HttpStatus.OK, entity.getStatusCode());
-		assertEquals("http://localhost:8080", entity.getHeaders().getAccessControlAllowOrigin());
+		assertEquals("http://localhost:9000", entity.getHeaders().getAccessControlAllowOrigin());
 		Greeting greeting = entity.getBody();
 		assertEquals("Hello, World!", greeting.getContent());
 	}
 
 	@Test
 	public void corsWithJavaconfig() {
 		ResponseEntity<Greeting> entity = this.restTemplate.exchange(RequestEntity.get(uri("/greeting-javaconfig"))
-				.header(HttpHeaders.ORIGIN, "http://localhost:8080").build(), Greeting.class);
+				.header(HttpHeaders.ORIGIN, "http://localhost:9000").build(), Greeting.class);
 		assertEquals(HttpStatus.OK, entity.getStatusCode());
-		assertEquals("http://localhost:8080", entity.getHeaders().getAccessControlAllowOrigin());
+		assertEquals("http://localhost:9000", entity.getHeaders().getAccessControlAllowOrigin());
 		Greeting greeting = entity.getBody();
 		assertEquals("Hello, World!", greeting.getContent());
 	}