added corsFilter to filter chain for default requests, tweak to cors …

…filter
ORCID · Nov 7, 2024 · 9a02b31 · 9a02b31
1 parent 98baf91
commit 9a02b31
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java b/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java
@@ -37,7 +37,8 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
             if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
                 // CORS "pre-flight" request
                 response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
-                response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token");
+                response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token,x-xsrf-token");
+                return;
             }
         }
 

diff --git a/orcid-web/src/main/resources/orcid-frontend-security.xml b/orcid-web/src/main/resources/orcid-frontend-security.xml
@@ -249,6 +249,7 @@
 		<sec:headers>
 			<sec:frame-options policy="SAMEORIGIN" />
 		</sec:headers>
+		<sec:custom-filter position="CORS_FILTER" ref="corsFilterWeb" />
 		<sec:custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter" />
 		<sec:intercept-url pattern="/"
 			access="IS_AUTHENTICATED_ANONYMOUSLY" />