Refined production CORS configuration and streamlined /oauth2/token settings:

- Centralized CORS logic with distinct configuration for `/oauth2/token`.
- Improved handling of allowed methods, headers, credentials, and max age.
Jan 2025-10-30 15:18:57 +01:00
parent a289cce805
commit a3563449c8


@ -101,13 +101,11 @@ public class SecurityConfig {
return http.build(); return http.build();
} }
// Production CORS Configuration
@Bean @Bean
@Profile("!dev & !test") @Profile("!dev & !test")
public CorsConfigurationSource prodCorsConfigurationSource() { public CorsConfigurationSource prodCorsConfigurationSource() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
// CORS for /oauth2/token
CorsConfiguration tokenConfiguration = new CorsConfiguration(); CorsConfiguration tokenConfiguration = new CorsConfiguration();
if ("*".equals(oauthTokenCors)) { if ("*".equals(oauthTokenCors)) {
tokenConfiguration.setAllowedOriginPatterns(List.of("*")); tokenConfiguration.setAllowedOriginPatterns(List.of("*"));
@ -120,33 +118,35 @@ public class SecurityConfig {
tokenConfiguration.setAllowedOrigins(Arrays.asList(tokenOrigins)); tokenConfiguration.setAllowedOrigins(Arrays.asList(tokenOrigins));
} }
} }
tokenConfiguration.setAllowedMethods(Arrays.asList("POST", "OPTIONS"));
tokenConfiguration.setAllowedHeaders(List.of("*"));
tokenConfiguration.setAllowCredentials(true);
tokenConfiguration.setMaxAge(3600L);
source.registerCorsConfiguration("/oauth2/token", tokenConfiguration);
CorsConfiguration configuration = new CorsConfiguration(); CorsConfiguration configuration = new CorsConfiguration();
if ("*".equals(allowedCors)) { if ("*".equals(allowedCors)) {
configuration.setAllowedOriginPatterns(List.of("*")); configuration.setAllowedOriginPatterns(List.of("*"));
} else { } else {
// Parse comma-separated origins from property
String[] origins = allowedCors.split(","); String[] origins = allowedCors.split(",");
for (int i = 0; i < origins.length; i++) { for (int i = 0; i < origins.length; i++) {
origins[i] = origins[i].trim(); origins[i] = origins[i].trim();
} }
if (origins.length != 0) { if (origins.length != 0) {
configuration.setAllowedOrigins(Arrays.asList(origins)); configuration.setAllowedOrigins(Arrays.asList(origins));
} }
} }
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS")); configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
configuration.setAllowedHeaders(List.of("*")); configuration.setAllowedHeaders(List.of("*"));
configuration.setAllowCredentials(true); configuration.setAllowCredentials(true);
configuration.setMaxAge(3600L); configuration.setMaxAge(3600L);
configuration.setExposedHeaders(Arrays.asList("X-Total-Count", "X-Page-Count", "X-Current-Page")); configuration.setExposedHeaders(Arrays.asList("X-Total-Count", "X-Page-Count", "X-Current-Page"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration); source.registerCorsConfiguration("/**", configuration);
source.registerCorsConfiguration("/oauth2/token", tokenConfiguration);
return source; return source;
} }
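Review bot: The `/oauth2/token` configuration registered on the last lines of the hunk is unreachable, because `UrlBasedCorsConfigurationSource` keeps its patterns in insertion order and returns the first one that matches, and `/**` is now registered before `/oauth2/token`; requests to the token endpoint therefore get the general configuration (all five methods, the `allowedCors` origins) instead of the POST/OPTIONS one built for it, which appears to be a regression from the old layout where the token pattern was registered first. The fix is to swap the two registrations: `source.registerCorsConfiguration("/oauth2/token", tokenConfiguration);` before `source.registerCorsConfiguration("/**", configuration);`, ideally with a comment saying that the more specific pattern must come first. Separately, both configurations combine `setAllowCredentials(true)` with `setAllowedOriginPatterns(List.of("*"))` when the property is `*`, which makes Spring reflect any requesting origin with credentials allowed; that is a deliberate escape hatch but deserves a comment such as `// "*" reflects every origin with credentials — only for deployments that accept that` so the production value is not left at the wildcard by accident. Also note that `"".split(",")` yields a one-element array, so the `origins.length != 0` guard never fires for a blank property and an empty-string origin is registered; a `isBlank()` check before splitting would make the intent explicit.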