When I tested my app locally using Postman it was very confusing: I was able to access any /public path API. What am I doing wrong? I found that my code really didn't do anything to protect CORS. I followed this official guide:

https://docs.spring.io/spring-security/reference/servlet/integrations/cors.html#page-title

    // paths reachable without credentials
    public static final String[] URL_WHITELIST = new String[]{
            "/static/**",
            "/api/public/**"
    };
    // paths reachable only by unauthenticated (anonymous) callers
    public static final String[] URL_ANONYMOUS = new String[]{
            "/api/auth/sign-in",
    };

    @Bean   // without @Bean the chain is never registered with Spring Security
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
            //...
                .securityMatcher("/api/**")
                .authorizeHttpRequests()
                .requestMatchers(URL_ANONYMOUS).anonymous()
                .requestMatchers(URL_WHITELIST).permitAll()
                .anyRequest().authenticated();
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource(){
        CorsConfiguration configuration = new CorsConfiguration();
        // origins are string literals; the unquoted form does not compile
        configuration.setAllowedOrigins(Arrays.asList("https://example.com", "https://admin.example.com"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS"));
        configuration.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
  • CORS is not meant to strengthen security.
    – jub0bs
    Commented Apr 26, 2023 at 16:43
  • Is there any way to ensure that the api can only be accessed from the front-end application?
    – HappyKoala
    Commented Apr 26, 2023 at 16:57
  • No. But you should put authentication/authorisation in place, if the API isn't meant to be public.
    – jub0bs
    Commented Apr 26, 2023 at 21:08
  • Try to remove the securityMatcher; for me it started to work when I removed it.
    – digoferra
    Commented Dec 15, 2023 at 15:44
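The point jub0bs makes in the comments above is that CORS only governs what a browser lets a cross-origin page read; it does not decide who may call the API. As an added example that is not part of the question or of the linked guide, here is a complete Spring Security 6 configuration that keeps the same CORS source and adds the authentication that `/api/**` actually needs. The package name, the in-memory demo user and HTTP Basic as the credential mechanism are assumptions standing in for the app's real `/api/auth/sign-in` flow:

```java
// Added example, not the question's or answer's code. Package, user and
// auth mechanism are assumptions; the paths mirror the question.
package com.example.demo.config;   // hypothetical package

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    // Anything listed here is reachable by every HTTP client (browser, Postman,
    // curl). CORS cannot narrow that; only authentication can.
    private static final String[] PUBLIC = { "/static/**", "/api/public/**" };

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // this chain applies to the API only
            .securityMatcher("/api/**")
            // picks up the CorsConfigurationSource bean below for the CorsFilter
            .cors(Customizer.withDefaults())
            // stateless API: no session cookie, so CSRF tokens are not needed
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // browser preflight requests carry no credentials and must pass
                .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .requestMatchers("/api/auth/sign-in").permitAll()
                .requestMatchers(PUBLIC).permitAll()
                // everything else requires an authenticated principal
                .anyRequest().authenticated())
            // stand-in credential mechanism (assumption); a JWT resource server
            // or a custom token filter would replace this in the real app
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Demo principal so the configuration runs on its own (assumption).
    @Bean
    UserDetailsService users() {
        PasswordEncoder enc = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        return new InMemoryUserDetailsManager(
            User.withUsername("demo").password(enc.encode("demo-password")).roles("USER").build());
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        // exact origins only; never "*" together with allowCredentials(true)
        cfg.setAllowedOrigins(List.of("https://example.com", "https://admin.example.com"));
        cfg.setAllowedMethods(List.of("GET", "POST", "OPTIONS"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        cfg.setAllowCredentials(true);
        cfg.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }
}
```

With this in place a request from Postman to `/api/public/...` still succeeds, because `permitAll` means exactly that, while a request to any other `/api/**` path without credentials is rejected with 401. The allowed-origin list only changes which browser pages can read the responses; it is a browser-side policy, not an access-control list.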

1 Answer

Use this:

  @Bean
  public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurer() {
      @Override
      public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**").allowedMethods("*");
      }
    };
  }

Also update your SecurityFilterChain. Don't disable CORS:

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
        .csrf()
        .disable()
        .cors()
        .and()
        .authorizeRequests.......
  • Still not working when I test using Postman locally. I guess this is due to the fact that I have set permitAll. But the problem is that I don't know how to juggle public access and same source.
    – HappyKoala
    Commented Apr 26, 2023 at 15:26
  • Sorry, I misunderstood your problem. If you send a request from Postman you will never get a CORS error. CORS depends on your browser and backend.
    – gurkan
    Commented Apr 26, 2023 at 15:29
  • I'm concerned that when putting the code on the server, the API with the /public path seems to be a security risk if someone uses Postman to scrape it. I'm new to this and I don't know how to describe exactly what I need, but I just want my front-end pages to access this interface.
    – HappyKoala
    Commented Apr 26, 2023 at 15:33
  • Sorry, but I think it's impossible. If the frontend can request the backend, you can send a request from Postman/curl or from anything else. But maybe you can implement a rate limiter to block too many requests.
    – gurkan
    Commented Apr 26, 2023 at 15:37
  • I reviewed the link that you provided. I agree with him. You can mimic any request, even if you add a unique identifier to your request. For example, open Network in Chrome dev tools/F12 and right-click any request. You will be able to copy the request as cURL. You will get all params, headers, etc.
    – gurkan
    Commented Apr 26, 2023 at 15:50
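The rate limiter that gurkan suggests as the fallback for genuinely public endpoints, written out as an added example (not code from the question or the answer): a servlet filter that counts requests per client in a fixed window and answers 429 once the limit is exceeded. The limit, the window length and the `/api/public/` prefix are assumptions; Spring Boot registers a `@Component` filter automatically.

```java
// Added example, not from the question or answer. Limit, window and path
// prefix are assumptions chosen for illustration.
package com.example.demo.security;   // hypothetical package

import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class PublicApiRateLimitFilter extends OncePerRequestFilter {

    private static final int MAX_REQUESTS_PER_WINDOW = 60;   // assumed limit
    private static final long WINDOW_MILLIS = 60_000L;        // assumed 1-minute window

    // client key -> current window. Single-node only; a shared store such as
    // Redis is needed when the API runs on several instances. Stale entries are
    // never evicted here; bound the map (e.g. with a cache) in production.
    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    private static final class Window {
        final long startMillis;
        final AtomicInteger count = new AtomicInteger();
        Window(long startMillis) { this.startMillis = startMillis; }
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // throttle only the unauthenticated, public part of the API
        return !request.getRequestURI().startsWith("/api/public/");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Behind a reverse proxy, derive the key from a trusted X-Forwarded-For
        // instead; a client-supplied header must not be trusted blindly.
        String client = request.getRemoteAddr();
        long now = System.currentTimeMillis();

        // start a fresh window when the previous one has expired
        Window w = windows.compute(client, (key, old) ->
            old == null || now - old.startMillis >= WINDOW_MILLIS ? new Window(now) : old);

        if (w.count.incrementAndGet() > MAX_REQUESTS_PER_WINDOW) {
            response.setStatus(429);   // Too Many Requests
            long secondsLeft = (WINDOW_MILLIS - (now - w.startMillis)) / 1000 + 1;
            response.setHeader("Retry-After", String.valueOf(secondsLeft));
            return;
        }
        chain.doFilter(request, response);
    }
}
```

This does not make the endpoint private, which, as the comments say, is not possible for something a browser can call without credentials; it caps how much a single client can pull in a given period and makes bulk scraping visible in the 429 responses your logs record.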
