diff --git a/src/main/java/io/spring/api/security/CORSConfig.java b/src/main/java/io/spring/api/security/CORSConfig.java
index 209dec5..e4f5d61 100644
--- a/src/main/java/io/spring/api/security/CORSConfig.java
+++ b/src/main/java/io/spring/api/security/CORSConfig.java
@@ -1,25 +1,14 @@
 package io.spring.api.security;
 
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
-import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-import org.springframework.web.filter.CorsFilter;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
 
 @Configuration
-public class CORSConfig {
-    @Bean
-    public FilterRegistrationBean corsFilter() {
-        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-        CorsConfiguration config = new CorsConfiguration();
-        config.setAllowCredentials(true);
-        config.addAllowedOrigin("*");
-        config.addAllowedHeader("*");
-        config.addAllowedMethod("*");
-        source.registerCorsConfiguration("/**", config);
-        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
-        bean.setOrder(0);
-        return bean;
+public class CORSConfig extends WebMvcConfigurerAdapter {
+    @Override
+    public void addCorsMappings(CorsRegistry registry) {
+        registry.addMapping("/**")
+                .allowedMethods("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH");
     }
 }
diff --git a/src/main/java/io/spring/api/security/WebSecurityConfig.java b/src/main/java/io/spring/api/security/WebSecurityConfig.java
index 58ba177..a404af0 100644
--- a/src/main/java/io/spring/api/security/WebSecurityConfig.java
+++ b/src/main/java/io/spring/api/security/WebSecurityConfig.java
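Review bot: The new `addCorsMappings` override only narrows the allowed methods and leaves origins and headers at the registry defaults (any origin, any header), while the same commit registers a stricter `corsConfigurationSource` bean in WebSecurityConfig and enables `http.cors()` in its configure() hunk; the two policies now overlap and disagree on allowed headers. Spring Security's CorsFilter sits in the security filter chain and therefore answers preflights before the MVC mapping is consulted, so this MVC-level mapping is effectively redundant and is a second place a future maintainer could loosen the policy without noticing. I would keep one source of truth — drop this override, or document why both exist with a class-level Javadoc such as `/** MVC-level CORS mapping; the security filter chain applies WebSecurityConfig#corsConfigurationSource first and is the authoritative policy. */`. If the project is on Spring 5, `WebMvcConfigurerAdapter` is deprecated in favour of implementing `WebMvcConfigurer` directly.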
@@ -9,6 +9,11 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import static java.util.Arrays.asList;
 
 @Configuration
 @EnableWebSecurity
@@ -21,6 +26,8 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http.csrf().disable()
+                .cors()
+                .and()
                 .exceptionHandling().authenticationEntryPoint(new Http401AuthenticationEntryPoint("Unauthenticated"))
                 .and()
                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
@@ -33,4 +40,21 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         http.addFilterBefore(jwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
     }
+
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        final CorsConfiguration configuration = new CorsConfiguration();
+        configuration.setAllowedOrigins(asList("*"));
+        configuration.setAllowedMethods(asList("HEAD",
+                "GET", "POST", "PUT", "DELETE", "PATCH"));
+        // setAllowCredentials(true) is important, otherwise:
+        // The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
+        configuration.setAllowCredentials(true);
+        // setAllowedHeaders is important! Without it, OPTIONS preflight request
+        // will fail with 403 Invalid CORS request
+        configuration.setAllowedHeaders(asList("Authorization", "Cache-Control", "Content-Type"));
+        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", configuration);
+        return source;
+    }
 
 }
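Review bot: `configuration.setAllowedOrigins(asList("*"))` together with `configuration.setAllowCredentials(true)` makes Spring echo whatever `Origin` the browser sends back in `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`, so any site can issue credentialed cross-origin requests to every path under `/**`. The configure() hunk above sets `SessionCreationPolicy.STATELESS` and authentication is a bearer token carried in the `Authorization` header, which is an ordinary request header under CORS (already covered by the `setAllowedHeaders` allowlist) and does not require credentials mode, so the flag looks unnecessary and the inline comment justifying it is misleading. I would either remove the credentials flag, `configuration.setAllowCredentials(false);`, or keep it and replace the wildcard with an explicit origin list injected from configuration, e.g. `@Value("${<cors-origins-property>}") List<String> allowedOrigins` with `configuration.setAllowedOrigins(allowedOrigins);` (property name is a placeholder). Note that Spring Framework 5.3 and later reject the wildcard-plus-credentials combination at startup, so the current settings would also break on upgrade.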