Expose CorsConfigurationSource and use in security

vitorhugo-java · vitorhugo-java · commit f657ab83c314 · 2026-02-15T12:37:13.000-03:00
Add a CorsConfigurationSource bean and centralize origin parsing so the CORS policy can be reused by Spring Security. The change extracts origin parsing into parseOrigins(), configures allowed origins/methods/headers/exposed headers/credentials/maxAge and registers it for /**. SecurityConfig now injects the CorsConfigurationSource and applies it via cors(configurationSource), and CSRF disabling is updated to use AbstractHttpConfigurer::disable. Also removes duplicated parsing in addCorsMappings.
diff --git a/src/main/java/com/espacogeek/geek/config/CorsConfig.java b/src/main/java/com/espacogeek/geek/config/CorsConfig.java
@@ -5,8 +5,13 @@
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
 import java.util.Arrays;
+import java.util.List;
 
 @Configuration
 public class CorsConfig implements WebMvcConfigurer {
@@ -19,10 +24,7 @@ public class CorsConfig implements WebMvcConfigurer {
 
     @Override
     public void addCorsMappings(@NonNull CorsRegistry registry) {
-        String[] origins = Arrays.stream(allowedOrigins.split(","))
-                .map(String::trim)
-                .filter(s -> !s.isEmpty())
-                .toArray(String[]::new);
+        String[] origins = parseOrigins();
 
         registry.addMapping("/**")
             .allowedOrigins(origins) // exact origins, not '*'
@@ -32,4 +34,28 @@ public void addCorsMappings(@NonNull CorsRegistry registry) {
             .exposedHeaders("Authorization", "Content-Type")
             .maxAge(expirationMs / 1000); // seconds
     }
+
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        String[] origins = parseOrigins();
+
+        CorsConfiguration config = new CorsConfiguration();
+        config.setAllowedOrigins(Arrays.asList(origins));
+        config.setAllowedMethods(List.of("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
+        config.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-Requested-With", "Accept"));
+        config.setExposedHeaders(List.of("Authorization", "Content-Type"));
+        config.setAllowCredentials(true);
+        config.setMaxAge(expirationMs / 1000);
+
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", config);
+        return source;
+    }
+
+    private String[] parseOrigins() {
+        return Arrays.stream(allowedOrigins.split(","))
+            .map(String::trim)
+            .filter(s -> !s.isEmpty())
+            .toArray(String[]::new);
+    }
 }
diff --git a/src/main/java/com/espacogeek/geek/config/SecurityConfig.java b/src/main/java/com/espacogeek/geek/config/SecurityConfig.java
@@ -8,10 +8,12 @@
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsConfigurationSource;
 
 import com.espacogeek.geek.services.impl.UserDetailsServiceImpl;
 
@@ -33,6 +35,9 @@ public class SecurityConfig {
     @Autowired
     private JwtAuthenticationFilter jwtAuthenticationFilter;
 
+    @Autowired
+    private CorsConfigurationSource corsConfigurationSource;
+
     @Bean
     public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
         return authenticationConfiguration.getAuthenticationManager();
@@ -50,8 +55,8 @@ public SecurityFilterChain configure(HttpSecurity http) throws Exception {
         var authenticationManager = authenticationManagerBuilder.build();
 
         return http
-                .cors(withDefaults())
-                .csrf(csrf -> csrf.disable())
+                .cors(cors -> cors.configurationSource(corsConfigurationSource))
+                .csrf(AbstractHttpConfigurer::disable)
                 .authorizeHttpRequests(auth -> {
                     auth.requestMatchers("/", "/graphiql", "/graphiql/**", "/favicon.ico").permitAll();
                     auth.requestMatchers("/actuator/**").permitAll();
