Fixing the Cors configuration to ensure that pre-flight requests return the Access-Control-Allow-Origin header

2019-09-18 09:45:00 +00:00 · 2019-09-18 09:45:00 +00:00 · 280f8d4dcb
commit 280f8d4dcb
parent 64440cf3e7
1 changed files with 13 additions and 10 deletions
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
@ -7,6 +7,7 @@ import com.appsmith.server.services.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.User;
@ -15,6 +16,7 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.reactive.CorsConfigurationSource;
 import org.springframework.web.cors.reactive.CorsWebFilter;
 import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
@ -38,17 +40,16 @@ public class SecurityConfig {
     * @return
     */
    @Bean
-    CorsWebFilter corsWebFilter() {
+    CorsConfigurationSource corsConfigurationSource() {
-        CorsConfiguration corsConfig = new CorsConfiguration();
+        CorsConfiguration configuration = new CorsConfiguration();
-        corsConfig.setAllowedOrigins(Arrays.asList("*"));
+        configuration.setAllowedOrigins(Arrays.asList("*"));
-        corsConfig.setMaxAge(8000L);
+        configuration.setAllowedMethods(Arrays.asList("*"));
-        corsConfig.setAllowedHeaders(Arrays.asList("GET", "PUT", "POST", "HEAD", "OPTIONS", "DELETE"));
+        configuration.setAllowedHeaders(Arrays.asList("*"));
        configuration.setAllowCredentials(true);
-        UrlBasedCorsConfigurationSource source =
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-                new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", configuration);
-        source.registerCorsConfiguration("/**", corsConfig);
+        return source;
        return new CorsWebFilter(source);
    }
    @Bean
@ -69,6 +70,8 @@ public class SecurityConfig {
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                // This picks up the configurationSource from the bean corsConfigurationSource()
                .cors().and()
                .csrf().disable()
                .authorizeExchange()
                .anyExchange()