diff --git a/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/CorsProperties.java b/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/CorsProperties.java
index 19124e5..e81360a 100644
--- a/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/CorsProperties.java
+++ b/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/CorsProperties.java
@@ -7,9 +7,13 @@
 /// Type-safe CORS configuration properties bound from `spring.web.cors`.
 @ConfigurationProperties(prefix = "spring.web.cors")
 public record CorsProperties(
- List allowedOrigins
+ List allowedOrigins,
+ List allowedOriginPatterns
 ) {
 public CorsProperties {
+ if (allowedOriginPatterns == null) {
+ allowedOriginPatterns = List.of();
+ }
 if (allowedOrigins == null) {
 allowedOrigins = List.of();
 }
diff --git a/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java b/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java
index 8105a5d..9242ef9 100644
--- a/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java
+++ b/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java
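Review bot: The compact constructor only swaps null for an empty list and otherwise stores whatever list the binder hands it, so neither component is a defensive snapshot; `allowedOriginPatterns = allowedOriginPatterns == null ? List.of() : List.copyOf(allowedOriginPatterns);` (and the same shape for `allowedOrigins`) keeps the record immutable and rejects null elements at bind time instead of somewhere inside the CORS matcher. The record's `///` doc is also silent on the new component, which is the one an operator is most likely to misuse: I would add `/// @param allowedOriginPatterns Spring origin patterns, where `*` is a wildcard — a bare `*` matches every Origin; the exact-origin list takes no wildcards` (the wildcard semantics are Spring's CorsConfiguration's, confirm against the version in use). The type arguments on the two `List` components look like they were lost in rendering and are presumably `List<String>`. The constructor body continues past the end of the hunk.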
@@ -54,7 +54,16 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) {
 @Bean
 public CorsConfigurationSource corsConfigurationSource() {
 CorsConfiguration configuration = new CorsConfiguration();
- configuration.setAllowedOrigins(corsProperties.allowedOrigins());
+
+ // Exact origins (no wildcard, safe with allowCredentials)
+ if (!corsProperties.allowedOrigins().isEmpty()) {
+ configuration.setAllowedOrigins(corsProperties.allowedOrigins());
+ }
+
+ if (!corsProperties.allowedOriginPatterns().isEmpty()) {
+ configuration.setAllowedOriginPatterns(corsProperties.allowedOriginPatterns());
+ }
+
 configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
 configuration.setAllowedHeaders(List.of("*"));
 configuration.setAllowCredentials(true);
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 4b9adad..fac3c27 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -5,8 +5,11 @@ spring:
 # Disables serving of static resources (HTML, JS, CSS, images).
 add-mappings: false
 cors:
- # URLs allowed to make cross-origin API calls, set via SPRING_WEB_CORS_ALLOWED_ORIGINS env var (comma-separated list).
+ # Exact origins — set via SPRING_WEB_CORS_ALLOWED_ORIGINS env var (comma-separated).
+ # Use for known, fixed origins.
 allowed-origins: ${SPRING_WEB_CORS_ALLOWED_ORIGINS:}
+ # Pattern-based origins — set via SPRING_WEB_CORS_ALLOWED_ORIGIN_PATTERNS env var (comma-separated). allowed-origin-patterns: ${SPRING_WEB_CORS_ALLOWED_ORIGIN_PATTERNS:}
 jackson:
 # Serializes all JSON fields as snake_case (for example templateIdentifier → template_identifier).
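Review bot: The new pattern branch has no guard against a bare `*`, yet the same method goes on to call `setAllowCredentials(true)`; as far as I can tell Spring's CorsConfiguration only rejects `*` in allowedOrigins under credentials, and allowedOriginPatterns is precisely the API that permits a credentialed wildcard, so an operator exporting `SPRING_WEB_CORS_ALLOWED_ORIGIN_PATTERNS=*` would have every Origin reflected together with `Access-Control-Allow-Credentials: true`. I would fail fast right before `setAllowedOriginPatterns`: `if (corsProperties.allowedOriginPatterns().contains("*")) {` / `throw new IllegalStateException("spring.web.cors.allowed-origin-patterns must not contain a bare '*' when credentials are allowed");` / `}`. The comment `// Exact origins (no wildcard, safe with allowCredentials)` then deserves a counterpart on the pattern branch, e.g. `// Origin patterns are reflected per request; a bare '*' is rejected above because credentials are enabled`. Note also that when both lists are empty nothing is set on the configuration any more, which I believe still rejects every cross-origin request but differs from the previous explicit empty list, so it merits a comment or a test. `corsConfigurationSource()` continues past the end of the hunk.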