fixed Broken CORS Support with Spring Security #5834

spring-projects/spring-boot#5834
chuan-su · Aug 1, 2017 · 7c602fa · 7c602fa
1 parent 1a38264
commit 7c602fa
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 3 deletions.
diff --git a/backend/src/main/java/se/klartext/app/KlartextApplication.java b/backend/src/main/java/se/klartext/app/KlartextApplication.java
@@ -25,10 +25,10 @@ public WebMvcConfigurer corsConfigurer() {
 		return new WebMvcConfigurerAdapter() {
 			@Override
 			public void addCorsMappings(CorsRegistry registry) {
-				registry.addMapping("/**");
+				registry.addMapping("/api/**")
+                        .allowedMethods("HEAD", "GET", "PUT", "POST", "DELETE", "PATCH");
 			}
 		};
 	}
-
 }
 
diff --git a/backend/src/main/java/se/klartext/app/security/SecurityConfig.java b/backend/src/main/java/se/klartext/app/security/SecurityConfig.java
@@ -17,13 +17,17 @@
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import se.klartext.app.security.filter.TokenAuthenticationFilter;
 import se.klartext.app.security.api.AuthenticationService;
 import se.klartext.app.security.impl.AuthenticationServiceImpl;
 import se.klartext.app.security.impl.AuthenticationUserDetailsServiceImpl;
 import se.klartext.app.security.impl.UserDetailsServiceImpl;
 
 import javax.servlet.http.HttpServletResponse;
+import java.util.Arrays;
 
 @Configuration
 @EnableWebSecurity
@@ -40,7 +44,8 @@ public void configure(WebSecurity web) throws Exception{
     }
     @Override
     protected void configure(HttpSecurity http) throws Exception {
-        http.csrf().disable()
+        http.cors().and()
+                .csrf().disable()
                 .authorizeRequests()
                 .anyRequest()
                 .authenticated()
@@ -92,4 +97,20 @@ public BCryptPasswordEncoder passwordEncoder(){
     public AuthenticationEntryPoint unauthorizedEntryPoint() {
         return (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
     }
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        final CorsConfiguration configuration = new CorsConfiguration();
+        configuration.setAllowedOrigins(Arrays.asList("*"));
+        configuration.setAllowedMethods(Arrays.asList("HEAD",
+                "GET", "POST", "PUT", "DELETE", "PATCH"));
+        // setAllowCredentials(true) is important, otherwise:
+        // The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
+        configuration.setAllowCredentials(true);
+        // setAllowedHeaders is important! Without it, OPTIONS preflight request
+        // will fail with 403 Invalid CORS request
+        configuration.setAllowedHeaders(Arrays.asList("Authorization", "Cache-Control", "Content-Type"));
+        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", configuration);
+        return source;
+    }
 }