Refined production CORS configuration and streamlined /oauth2/token settings:

- Centralized CORS logic with distinct configuration for `/oauth2/token`. - Improved handling of allowed methods, headers, credentials, and max age.
2025-10-30 15:18:57 +01:00 · 2025-10-30 15:18:57 +01:00 · a3563449c8
commit a3563449c8
parent a289cce805
1 changed files with 10 additions and 10 deletions
--- a/src/main/java/de/avatic/lcc/config/SecurityConfig.java
+++ b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
@ -101,13 +101,11 @@ public class SecurityConfig {
        return http.build();
    }

-    // Production CORS Configuration
    @Bean
    @Profile("!dev & !test")
    public CorsConfigurationSource prodCorsConfigurationSource() {
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

-
-        // CORS for /oauth2/token
        CorsConfiguration tokenConfiguration = new CorsConfiguration();
        if ("*".equals(oauthTokenCors)) {
            tokenConfiguration.setAllowedOriginPatterns(List.of("*"));
@ -120,33 +118,35 @@ public class SecurityConfig {
                tokenConfiguration.setAllowedOrigins(Arrays.asList(tokenOrigins));
            }
        }
+        tokenConfiguration.setAllowedMethods(Arrays.asList("POST", "OPTIONS"));
+        tokenConfiguration.setAllowedHeaders(List.of("*"));
+        tokenConfiguration.setAllowCredentials(true);
+        tokenConfiguration.setMaxAge(3600L);
+
+
+        source.registerCorsConfiguration("/oauth2/token", tokenConfiguration);
+

        CorsConfiguration configuration = new CorsConfiguration();
-
        if ("*".equals(allowedCors)) {
            configuration.setAllowedOriginPatterns(List.of("*"));
        } else {
-            // Parse comma-separated origins from property
            String[] origins = allowedCors.split(",");
            for (int i = 0; i < origins.length; i++) {
                origins[i] = origins[i].trim();
            }
-
            if (origins.length != 0) {
                configuration.setAllowedOrigins(Arrays.asList(origins));
            }
        }
-
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(List.of("*"));
        configuration.setAllowCredentials(true);
        configuration.setMaxAge(3600L);
-
        configuration.setExposedHeaders(Arrays.asList("X-Total-Count", "X-Page-Count", "X-Current-Page"));

-        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
-        source.registerCorsConfiguration("/oauth2/token", tokenConfiguration);
+
        return source;
    }