CORS with allowedOriginPatterns and allowCredentials

[gunhol]

First of all thanks for the spring-addons!

While trying to switch from Spring Boot 2.x to 3.x and getting rid of the Keycloak adapters, I found this repo.

Most things seem to be working, one issue I have is with configuring CORS.
We always leveraged the spring-webmvc CorsRegistry's option of defining CORS allowed origins with allowedOriginPatterns and allowCredentials = true. How can I configure this with spring addons?

Thanks a lot in advance and keep up the great work!

[ch4mpy]

There are properties to define allowed origins, headers and methods, as well as exposed headers, per path matcher:

• com.c4-soft.springaddons.security.cors for OAuth2 resource servers
• com.c4-soft.springaddons.security.client.cors for OAuth2 clients

Sample usage in the BFF tutorial. Please note that this configuration is not necessary when accessing both the API and the Angular app through the gateway, in which case all requests share the same origin, but providing such configuration enables direct access to the API (or access through the gateway from a client which is served aside of it).

If you need more flexibility, please open a ticket to expose how and why (use case), or just expose a security "post-processor" bean to override CORS configuration (for instance, ResourceServerHttpSecurityPostProcessor in the case of a servlet based resource server). This enables to override anything from this repo starters auto configuration as it is called just before returning the security filter-chain.

Edit

@gholcleo maybe I had misunderstood your question and what you wanted is what was introduced with 7.0.0: allowed-origins was replaced with allowed-origin-patterns. Also, allow-credentials is now configurable from properties.

[gunhol]

What I wanted was introduced with 7.0.0 and I am very thankful for that 👍

keep up the good work 🚀