Server: Cors handling

Cors headers were not set when there was no security context (401)
or authorizatin issue (403).

This was a pb because Chrome didn't call fetch.then(xxx), but
instead fetch.catch(xxx) and we didn't have access to statusCode
in catch.

See :
 * spring-projects/spring-boot#5834
 * JakeChampion/fetch#201

service/src/main/java/org/malta/iam/Application.java

@@ -1,29 +1,29 @@
 package org.malta.iam;
 
+import java.util.Arrays;
+
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
-import org.springframework.web.servlet.config.annotation.CorsRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import springfox.documentation.swagger2.annotations.EnableSwagger2;
 
 @SpringBootApplication
-//@EnableResourceServer
-//@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
 @EnableSwagger2
 public class Application {
     public static void main(String[] args) {
         SpringApplication.run(Application.class, args);
     }
 
     @Bean
-    public WebMvcConfigurer corsConfigurer() {
-        return new WebMvcConfigurerAdapter() {
-            @Override
-            public void addCorsMappings(CorsRegistry registry) {
-                registry.addMapping("/**").allowedOrigins("*");
-            }
-        };
+    public CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration configuration = new CorsConfiguration();
+        configuration.setAllowedOrigins(Arrays.asList("*"));
+        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT"));
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", configuration);
+        return source;
     }
 }

service/src/main/java/org/malta/iam/config/OAuth2ResourceServerConfig.java

@@ -0,0 +1,39 @@
+package org.malta.iam.config;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
+import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
+import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.filter.CorsFilter;
+
+/**
+ * Notes :
+ * * Cors with spring-security issue, see https://github.com/spring-projects/spring-boot/issues/5834
+ *
+ * @author agonzalez
+ */
+@Configuration
+@EnableResourceServer
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
+public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
+
+    @Autowired
+    private CorsConfigurationSource corsConfigurationSource;
+
+    @Override
+    public void configure(HttpSecurity http) throws Exception {
+        CorsFilter corsFilter = new CorsFilter(corsConfigurationSource);
+        http
+                .addFilterBefore(corsFilter, AbstractPreAuthenticatedProcessingFilter.class)
+                .cors().and()
+                .csrf().disable()
+                .authorizeRequests()
+                .antMatchers("/**").authenticated();
+    }
+}