fix: cors not disabled (#200)

steve192 · web-flow · commit 6422e3650e66 · 2023-10-03T18:24:46.000+02:00
diff --git a/src/main/java/com/sterul/opencookbookapiserver/configurations/security/WebSecurityConfiguration.java b/src/main/java/com/sterul/opencookbookapiserver/configurations/security/WebSecurityConfiguration.java
@@ -1,11 +1,13 @@
 package com.sterul.opencookbookapiserver.configurations.security;
 
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
@@ -18,6 +20,7 @@
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.cors.CorsConfiguration;
 
 import com.sterul.opencookbookapiserver.configurations.security.requestfilters.JwtRequestFilter;
 
@@ -70,7 +73,7 @@ private RequestMatcher allowedPathRequestMatcher() {
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
         // Cors and csrf not needed in an api server
-        http.cors(configurer -> configurer.disable());
+        http.cors(configurer -> configurer.configurationSource(c -> allowAllCorsConfig()));
         http.csrf(conf -> conf.disable());
 
         // Allow frames needed for h2 console
@@ -93,7 +96,21 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         return http.build();
     }
 
-    @Bean
+    private CorsConfiguration allowAllCorsConfig() {
+        List<String> permittedCorsMethods = Collections.unmodifiableList(Arrays.asList(
+                HttpMethod.GET.name(),
+                HttpMethod.HEAD.name(),
+                HttpMethod.POST.name(),
+                HttpMethod.PUT.name(),
+                HttpMethod.DELETE.name()));
+
+        var corsConfiguration = new CorsConfiguration().applyPermitDefaultValues();
+        corsConfiguration.setAllowedMethods(permittedCorsMethods);
+        return corsConfiguration;
+        
+}
+
+@Bean
     public AuthenticationManager authenticationManager(HttpSecurity http)
             throws Exception {
         return http.getSharedObject(AuthenticationManagerBuilder.class)
