From 30a3496cb76b5151e071d4e398b2ded12033873d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Wacongne?= Date: Sat, 24 Aug 2024 20:12:39 +0200 Subject: [PATCH] Update README.MD --- spring-addons-starter-oidc/README.MD | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/spring-addons-starter-oidc/README.MD b/spring-addons-starter-oidc/README.MD index ead72e93a..3a5245cbe 100644 --- a/spring-addons-starter-oidc/README.MD +++ b/spring-addons-starter-oidc/README.MD 
@@ -219,9 +219,27 @@ The most convenient way to define fine-grained access control is probably to `@E For those preferring access control in configuration (or when you don't write the endpoint yourself), you can expose a `@Bean` of type `ResourceServerExpressionInterceptUrlRegistryPostProcessor` or `ResourceServerAuthorizeExchangeSpecPostProcessor`. #### 1.1.6. CORS Configuration -If no `cors` property group is present, CORS is disabled. Otherwise, CORS is configured according to provided properties. +If no `cors` property group is present, CORS is disabled. Otherwise, CORS is configured according to the provided properties. -According to CORS spec, pre-flight requests should not be authorized. **As opposed to Spring Security default behavior, `spring-addons-starter-oidc` allows anonymous `OPTIONS` requests for the path-matchers in `cors` properties groups.** +Starting from version `7.8.7`, the CORS configuration is made using a global filter, behavior of which is control with application properties: +```java +com: + c4-soft: + springaddons: + oidc: + cors: + - path: /machin/** + allowed-origin-patterns: "*" + - path: /truc/** + allowed-origin-patterns: + - "http://localhost:4200" + - "http://*.chose.com" +``` +`spring-addons` CORS filter backs off if: +- CORS configuration properties are absent (no CORS properties -> no CORS filter) +- a `Cors(Web)Filter` bean is registered already in application configuration + +By default, anonymous `OPTIONS` requests are allowed for all path-matchers in `cors` properties groups. #### 1.1.7. Post-Process the Resource Server Filer-Chain By exposing a `ResourceServer(Server)HttpSecurityPostProcessor` bean, you get complete control of the `(Server)HttpSecurity` configured in the `resourceServerSecurityFilterChain` just before it is built. This allows to change about anything that was pre-configured.
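Review bot: The new closing line, "By default, anonymous `OPTIONS` requests are allowed for all path-matchers in `cors` properties groups", drops the rationale the removed sentence gave (pre-flight requests should not be authorized, and this differs from Spring Security's default behavior). It also says "by default" without naming the property or bean that changes it. Please keep the one-sentence rationale and state how the default is overridden, so readers know the anonymous access is deliberate and limited to the configured paths. In the added example, `allowed-origin-patterns: "*"` on `/machin/**` is shown without comment; a short remark that the wildcard is for illustration, with the explicit-origin form used for `/truc/**` as the recommended shape, would keep it from being copied as-is. The properties block is YAML but fenced as `java`, so the fence tag should be `yaml`. Wording: "behavior of which is control with application properties" should read "whose behavior is controlled by application properties".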