When I tested my app locally using Postman it was very confusing: I was able to access any /public path API. What am I doing wrong? I found that my code really doesn't do anything to enforce CORS; I followed this official guide:
https://docs.spring.io/spring-security/reference/servlet/integrations/cors.html#page-title
// Paths mapped to permitAll() in the filter chain: every caller reaches them, whether a
// browser page, Postman or curl, with or without credentials. CORS does not narrow this set.
public static final String[] URL_WHITELIST = {
"/static/**",
"/api/public/**",
};
// Paths mapped to anonymous() in the filter chain. Note that anonymous() matches only requests
// that carry no authentication; a client that already presents a valid credential is denied here.
public static final String[] URL_ANONYMOUS = {
"/api/auth/sign-in",
};
/**
 * Builds the security filter chain for {@code /api/**}.
 *
 * <p>Why Postman can reach {@code /api/public/**}: those paths are {@code permitAll()}, so the
 * chain lets every caller through regardless of credentials. CORS does not change that — it is a
 * browser-enforced policy keyed on the {@code Origin} request header, and a non-browser client
 * such as Postman simply is not bound by it. Deciding who may call an endpoint is the job of the
 * authorization rules below, not of the CORS configuration.
 *
 * @param http the builder supplied by Spring Security
 * @return the built chain
 * @throws Exception propagated from {@code http.build()}
 */
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// cors() with no argument is expected to pick up the CorsConfigurationSource bean declared below
// (as in the linked guide). CSRF is disabled for the whole chain — fine for token-authenticated
// APIs, not for cookie/session-authenticated ones; confirm how this API authenticates.
http.cors().and().csrf().disable()
//...
.securityMatcher("/api/**")
.authorizeHttpRequests()
// anonymous() admits only requests with no authentication; an already-authenticated caller is
// rejected on sign-in. If that is unwanted, permitAll() is the usual choice for this path.
.requestMatchers(URL_ANONYMOUS).anonymous()
// Open to everyone, browser or not — this is exactly what the Postman test observed.
.requestMatchers(URL_WHITELIST).permitAll()
.anyRequest().authenticated();
return http.build();
}
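/**
 * CORS policy registered for every path.
 *
 * <p>CORS only tells browsers which cross-origin pages may read responses from this API; it is
 * not access control. Non-browser clients (Postman, curl) are unaffected by it, so an endpoint
 * that is {@code permitAll()} in the filter chain stays reachable to them. Restrict access with
 * the authorization rules, not here.
 *
 * @return a source mapping {@code /**} to the policy configured below
 */
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
// Origins must be string literals; the original left them unquoted, which does not compile.
configuration.setAllowedOrigins(Arrays.asList("https://example.com", "https://admin.example.com"));
configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS"));
// NOTE(review): no allowedHeaders are set. A browser preflight that lists request headers
// (e.g. Content-Type, Authorization) may be refused by CorsConfiguration — confirm and add
// setAllowedHeaders(...) with only the headers the API actually needs.
// Seconds a browser may cache the preflight result; it does not restrict anything.
configuration.setMaxAge(3600L);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}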