How to configure CORS in a Spring Boot + Spring Security application?

Spring Security can now leverage Spring MVC CORS support described in this blog post I wrote. To make it work, you need to explicitly enable CORS support at the Spring Security level as follows, otherwise CORS-enabled requests may be blocked by Spring Security before reaching Spring MVC. If you are using controller level @CrossOrigin annotations, …

CORS issue – No ‘Access-Control-Allow-Origin’ header is present on the requested resource

CORS’ preflight request uses HTTP OPTIONS without credentials, see Cross-Origin Resource Sharing: Otherwise, make a preflight request. Fetch the request URL from origin source origin using referrer source as override referrer source with the manual redirect flag and the block cookies flag set, using the method OPTIONS, and with the following additional constraints: Include an …

Springboot Security hasRole not working

You have to name your authority with prefix ROLE_ to use isUserInRole, see Spring Security Reference: The HttpServletRequest.isUserInRole(String) will determine if SecurityContextHolder.getContext().getAuthentication().getAuthorities() contains a GrantedAuthority with the role passed into isUserInRole(String). Typically users should not pass in the “ROLE_” prefix into this method since it is added automatically. For example, if you want to determine …