Commit

Update README.MD
ch4mpy authored Aug 24, 2024
1 parent 3169170 commit 30a3496
Showing 1 changed file with 20 additions and 2 deletions.
22 changes: 20 additions & 2 deletions spring-addons-starter-oidc/README.MD
Expand Up @@ -219,9 +219,27 @@ The most convenient way to define fine-grained access control is probably to `@E
For those preferring access control in configuration (or when you don't write the endpoint yourself), you can expose a `@Bean` of type `ResourceServerExpressionInterceptUrlRegistryPostProcessor` or `ResourceServerAuthorizeExchangeSpecPostProcessor`.

#### 1.1.6. <a name="1-1-6"/>CORS Configuration
If no `cors` property group is present, CORS is disabled. Otherwise, CORS is configured according to provided properties.
If no `cors` property group is present, CORS is disabled. Otherwise, CORS is configured according to the provided properties.

According to CORS spec, pre-flight requests should not be authorized. **As opposed to Spring Security default behavior, `spring-addons-starter-oidc` allows anonymous `OPTIONS` requests for the path-matchers in `cors` properties groups.**
Starting from version `7.8.7`, the CORS configuration is made using a global filter, behavior of which is control with application properties:
```java
com:
c4-soft:
springaddons:
oidc:
cors:
- path: /machin/**
allowed-origin-patterns: "*"
- path: /truc/**
allowed-origin-patterns:
- "http://localhost:4200"
- "http://*.chose.com"
```
`spring-addons` CORS filter backs off if:
- CORS configuration properties are absent (no CORS properties -> no CORS filter)
- a `Cors(Web)Filter` bean is registered already in application configuration

By default, anonymous `OPTIONS` requests are allowed for all path-matchers in `cors` properties groups.

#### 1.1.7. <a name="1-1-7"/>Post-Process the Resource Server Filer-Chain
By exposing a `ResourceServer(Server)HttpSecurityPostProcessor` bean, you get complete control of the `(Server)HttpSecurity` configured in the `resourceServerSecurityFilterChain` just before it is built. This allows to change about anything that was pre-configured.
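
Review bot: The new closing sentence of section 1.1.6 ("By default, anonymous `OPTIONS` requests are allowed ...") loses the removed line's explanation that this departs from Spring Security's default behavior and that the CORS spec's treatment of pre-flight requests is the reason, and "By default" implies an override that is never named. Keep the rationale and state which property or bean changes the behavior. In the added example, the fence is tagged `java` although the content is YAML application properties, so it should be tagged `yaml`, and "behavior of which is control with" should read "the behavior of which is controlled with". The first sample entry pairs `/machin/**` with `allowed-origin-patterns: "*"`, which matches any origin; a sentence saying the wildcard is for illustration and that the `/truc/**` entry shows the restricted form would keep readers from copying it as a default.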