From 280f8d4dcb98491f2383523bb7d5f13fd2e48807 Mon Sep 17 00:00:00 2001
From: Arpit Mohan
Date: Wed, 18 Sep 2019 09:45:00 +0000
Subject: [PATCH] Fixing the Cors configuration to ensure that pre-flight requests return the ` Access-Control-Allow-Origin` header
---
 .../server/configurations/SecurityConfig.java | 23 +++++++++++--------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java b/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
index cf0e18c520..6c305a604c 100644
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
@@ -7,6 +7,7 @@ import com.appsmith.server.services.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.User;
@@ -15,6 +16,7 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.reactive.CorsConfigurationSource;
 import org.springframework.web.cors.reactive.CorsWebFilter;
 import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
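Review bot: The added import `org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration` in the first hunk is not referenced by any line this patch touches, and it is a servlet-stack class pulled into a WebFlux configuration (`@EnableWebFluxSecurity`, `ServerHttpSecurity`). If spring-webmvc is not on the classpath the file stops compiling; if it is, the import is dead weight that suggests the wrong stack to the next reader. Drop the line: `import org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration;`. Likewise, the `CorsWebFilter` import kept in the second hunk appears unused once `corsWebFilter()` is removed below, unless the rest of the file (not visible here) still references it.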
@@ -38,17 +40,16 @@ public class SecurityConfig {
 * @return
 */
 @Bean
- CorsWebFilter corsWebFilter() {
- CorsConfiguration corsConfig = new CorsConfiguration();
- corsConfig.setAllowedOrigins(Arrays.asList("*"));
- corsConfig.setMaxAge(8000L);
- corsConfig.setAllowedHeaders(Arrays.asList("GET", "PUT", "POST", "HEAD", "OPTIONS", "DELETE"));
+ CorsConfigurationSource corsConfigurationSource() {
+ CorsConfiguration configuration = new CorsConfiguration();
+ configuration.setAllowedOrigins(Arrays.asList("*"));
+ configuration.setAllowedMethods(Arrays.asList("*"));
+ configuration.setAllowedHeaders(Arrays.asList("*"));
+ configuration.setAllowCredentials(true);
- UrlBasedCorsConfigurationSource source =
- new UrlBasedCorsConfigurationSource();
- source.registerCorsConfiguration("/**", corsConfig);
-
- return new CorsWebFilter(source);
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", configuration);
+ return source;
 }
 @Bean
@@ -69,6 +70,8 @@ public class SecurityConfig {
 @Bean
 public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
 return http
+ // This picks up the configurationSource from the bean corsConfigurationSource()
+ .cors().and()
 .csrf().disable()
 .authorizeExchange()
 .anyExchange()
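Review bot: `configuration.setAllowCredentials(true)` combined with `configuration.setAllowedOrigins(Arrays.asList("*"))` in the new `corsConfigurationSource()` grants credentialed cross-origin access to every origin: with a wildcard Spring reflects the request's `Origin` back as `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`, so any site a signed-in user visits can make authenticated requests to `/**` and read the responses, and the last hunk disables CSRF on the same chain (`.csrf().disable()` directly after the new `.cors().and()`), leaving no other cross-site check. Spring Framework 5.3 and later reject this exact combination at startup with an IllegalArgumentException, so the configuration will also break on upgrade. Keep `setAllowCredentials(true)` only with an explicit allowlist of front-end origins, e.g. `configuration.setAllowedOrigins(Arrays.asList(allowedOrigins))` with `allowedOrigins` injected from application properties, or drop the credentials flag if a wildcard is genuinely intended. The `@return` tag in the Javadoc context above the method is still empty after the rename; `@return the CORS source the security filter chain applies to every path ({@code /**})` would document the new return type.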