control de options

src/main/java/erp/pedidos/authz/conf/JWTAuthenticationFilter.java

@@ -107,7 +107,7 @@ public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilte
         public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
                 throws IOException, ServletException {
             response.setStatus(401);
-            response.setContentType("application/json");
+            response.setContentType("application/json; charset=utf-8");
             response.getWriter().append(json(exception.getLocalizedMessage()));
 
         }
@@ -117,7 +117,7 @@ public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilte
             return "{\"timestamp\": " + date + ", "
                 + "\"status\": 401, "
                 + "\"error\": \"Not authorized\", "
-                + "\"message\": "+ message+ ", "
+                + "\"message\": \""+ message+ "\", "
                 + "\"path\": \"/login\"}";
         }
 	}

src/main/java/erp/pedidos/authz/conf/SecurityConfiguration.java

@@ -1,5 +1,8 @@
 package erp.pedidos.authz.conf;
 
+import java.util.Arrays;
+import java.util.Collections;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -8,6 +11,10 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
 import erp.pedidos.authz.service.UserService;
 
 @Configuration
@@ -23,6 +30,8 @@ public class SecurityConfiguration{
 
 		http
 		.csrf().disable()
+		.cors()
+		.and()
 		.authorizeHttpRequests((authorize) -> authorize
 				.requestMatchers("/login").permitAll()
 				.requestMatchers("/swagger-ui/*").permitAll()
@@ -36,4 +45,33 @@ public class SecurityConfiguration{
 		return http.build();
 
 	}
+
+	@Bean
+    protected CorsConfigurationSource corsConfigurationSource() {
+        final CorsConfiguration configuration = new CorsConfiguration();
+
+        configuration.setAllowedOrigins(Collections.singletonList("http://localhost:3000"));
+        configuration.setAllowedMethods(Arrays.asList("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH"));
+
+        // NOTE: setAllowCredentials(true) is important,
+        // otherwise, the value of the 'Access-Control-Allow-Origin' header in the response
+        // must not be the wildcard '*' when the request's credentials mode is 'include'.
+        configuration.setAllowCredentials(true);
+
+        // NOTE: setAllowedHeaders is important!
+        // Without it, OPTIONS preflight request will fail with 403 Invalid CORS request
+        configuration.setAllowedHeaders(Arrays.asList(
+                "Authorization",
+                "Accept",
+                "Cache-Control",
+                "Content-Type",
+                "Origin",
+                "x-csrf-token",
+                "x-requested-with"
+        ));
+
+        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", configuration);
+        return source;
+    }
 }