Refine CORS settings and update security configuration
@ -2,6 +2,8 @@ package se.urmo.hemhub.config;
|
|||||||
|
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.http.HttpMethod; // 👈
|
||||||
|
import org.springframework.security.config.Customizer; // 👈
|
||||||
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
||||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||||
@ -21,12 +23,14 @@ public class SecurityConfig {
|
|||||||
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.csrf(AbstractHttpConfigurer::disable)
|
.csrf(AbstractHttpConfigurer::disable)
|
||||||
|
.cors(Customizer.withDefaults())
|
||||||
.authorizeHttpRequests(auth -> auth
|
.authorizeHttpRequests(auth -> auth
|
||||||
.requestMatchers(
|
.requestMatchers(
|
||||||
"/public/**",
|
"/public/**",
|
||||||
"/actuator/health", "/actuator/info",
|
"/actuator/health", "/actuator/info",
|
||||||
"/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html"
|
"/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html"
|
||||||
).permitAll()
|
).permitAll()
|
||||||
|
.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
|
||||||
.anyRequest().authenticated()
|
.anyRequest().authenticated()
|
||||||
)
|
)
|
||||||
.oauth2ResourceServer(oauth -> oauth.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtConverter())));
|
.oauth2ResourceServer(oauth -> oauth.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtConverter())));
|
||||||
@ -38,11 +42,11 @@ public class SecurityConfig {
|
|||||||
var config = new CorsConfiguration();
|
var config = new CorsConfiguration();
|
||||||
config.setAllowedOrigins(List.of(
|
config.setAllowedOrigins(List.of(
|
||||||
"http://localhost:5173", // dev-SPA
|
"http://localhost:5173", // dev-SPA
|
||||||
"https://rubble.se" // prod-origin (SPA under /hemhub/app/)
|
"https://rubble.se" // prod-origin (SPA ligger under subpath men origin är domen)
|
||||||
));
|
));
|
||||||
config.setAllowedMethods(List.of("GET","POST","PATCH","DELETE","OPTIONS"));
|
config.setAllowedMethods(List.of("GET","POST","PATCH","DELETE","OPTIONS"));
|
||||||
config.setAllowedHeaders(List.of("Authorization","Content-Type","Accept"));
|
config.setAllowedHeaders(List.of("Authorization","Content-Type","Accept"));
|
||||||
config.setAllowCredentials(false); // vi använder Bearer, inte cookies
|
config.setAllowCredentials(false); // Bearer, inga cookies
|
||||||
config.setMaxAge(3600L);
|
config.setMaxAge(3600L);
|
||||||
|
|
||||||
var source = new UrlBasedCorsConfigurationSource();
|
var source = new UrlBasedCorsConfigurationSource();
|
||||||
@ -57,4 +61,3 @@ public class SecurityConfig {
|
|||||||
return converter;
|
return converter;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
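Review bot: The new `.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()` in the second hunk is most likely redundant next to the new `.cors(Customizer.withDefaults())`, because Spring Security's CorsFilter sits before the authorization filter and answers CORS preflight requests itself. What the rule does change is that every non-preflight OPTIONS request to any path is now served without authentication, which slightly widens the unauthenticated surface for no preflight benefit. Either drop the line or, if it is kept on purpose, say why with `// CORS preflight is already answered by CorsFilter; this only covers plain OPTIONS calls`. `Customizer.withDefaults()` also depends on the `UrlBasedCorsConfigurationSource` built in the third hunk being exposed as a `CorsConfigurationSource` bean; that method's signature is outside the hunk, so I cannot confirm it carries `@Bean`. The filterChain method starts and ends outside the second hunk.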