If you’re using an annotation based security config file (@EnableWebSecurity
& @Configuration
) you can do something like the following in the configure()
method to allow for the OPTION
requests to be permitted by Spring Security without authentication for a given path:
@Override
protected void configure(HttpSecurity http) throws Exception
{
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS,"/path/to/allow").permitAll()//allow CORS option calls
.antMatchers("/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.httpBasic();
}