Refine CORS settings and update security configuration

This commit is contained in:
Urban Modig
2025-10-13 21:28:25 +02:00
parent a56d995d0f
commit 004ea4eca4


@ -2,6 +2,8 @@ package se.urmo.hemhub.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod; // 👈
import org.springframework.security.config.Customizer; // 👈
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@ -21,12 +23,14 @@ public class SecurityConfig {
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable)
.cors(Customizer.withDefaults())
.authorizeHttpRequests(auth -> auth
.requestMatchers(
"/public/**",
"/actuator/health", "/actuator/info",
"/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html"
).permitAll()
.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth -> oauth.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtConverter())));
@ -37,12 +41,12 @@ public class SecurityConfig {
CorsConfigurationSource corsConfigurationSource() {
var config = new CorsConfiguration();
config.setAllowedOrigins(List.of(
"http://localhost:5173", // dev-SPA
"https://rubble.se" // prod-origin (SPA under /hemhub/app/)
"http://localhost:5173", // dev-SPA
"https://rubble.se" // prod-origin (SPA ligger under subpath men origin är domen)
));
config.setAllowedMethods(List.of("GET","POST","PATCH","DELETE","OPTIONS"));
config.setAllowedHeaders(List.of("Authorization","Content-Type","Accept"));
config.setAllowCredentials(false); // vi använder Bearer, inte cookies
config.setAllowCredentials(false); // Bearer, inga cookies
config.setMaxAge(3600L);
var source = new UrlBasedCorsConfigurationSource();
@ -57,4 +61,3 @@ public class SecurityConfig {
return converter;
}
}
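Review bot: The new `.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()` in the filterChain hunk is redundant with the `.cors(Customizer.withDefaults())` line added just above it, because the CorsFilter that `cors()` registers runs before authorization and answers real preflights (requests carrying `Origin` and `Access-Control-Request-Method`) without continuing the chain; what the matcher adds is that any other OPTIONS request, including ones with no Origin header, now reaches otherwise authenticated endpoints unauthenticated. I would drop that line, or if there is a client that needs it, keep it with a comment such as `// non-preflight OPTIONS is intentionally unauthenticated because …`. Separately, the corsConfigurationSource hunk hard-codes `http://localhost:5173` next to the production origin, so the dev origin is enabled in every environment; sourcing the list from configuration (constructed example: `@Value("${app.cors.allowed-origins}") List<String> allowedOrigins`) would let prod omit it. The filterChain and corsConfigurationSource method bodies both continue outside their hunks.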