ch4mpy / spring-addons

Ease spring OAuth2 resource-servers configuration and testing
Apache License 2.0

Allow anonymous CORS preflight requests (`OPTIONS` requests to a path configured with CORS) #183

Closed ch4mpy closed 6 months ago

ch4mpy commented 6 months ago

Is your feature request related to a problem? Please describe.

According to the CORS specification, a preflight request is sent without user credentials.

This is in contradiction with Spring default behavior, which is to require all requests to be authorized, including OPTIONS and even for routes configured with CORS. And spring-addons-starter-oidc does the same (except for paths listed in permit-all properties, for which all HTTP verbs are allowed).

Describe the solution you'd like

It would be a nice feature for spring-addons-starter-oidc to provide by default the required access-control configuration to conform to the CORS preflight requests spec.

This would give something like:

```yaml
cors:
- path: /machin/**
  allowed-methods:
  - OPTIONS
  - POST
- path: /truc/**
  # a bare * is not valid YAML (it starts an alias), so the wildcard is quoted
  allowed-methods: "*"
  disable-anonymous-options: true
```

to specify that only OPTIONS to /machin/** should be allowed for anonymous requests.

Describe alternatives you've considered

```java
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;

// Bypass the security filter chain entirely for every OPTIONS request, whatever the path
@Bean
WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web.ignoring().requestMatchers(HttpMethod.OPTIONS, "/**");
}
```

But this probably opens too widely.

A finer-grained alternative is exposing a bean implementing ExpressionInterceptUrlRegistryPostProcessor or HttpSecurityPostProcessor, but this is cumbersome and error-prone.
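For comparison, the finer-grained behaviour the issue asks for, written in plain Spring Security 6 without spring-addons (an added example, not code from the issue or from the project): anonymous OPTIONS is permitted only on the paths that carry a CORS mapping (/machin/** as in the YAML above), and every other request, OPTIONS elsewhere included, still needs a valid bearer token. It assumes Spring Boot 3 with spring-boot-starter-oauth2-resource-server and a JWT issuer configured elsewhere; the allowed origin is a hypothetical value.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class PreflightSecurityConfig {

    // One list drives both the CORS mappings and the anonymous-preflight rule,
    // so a path cannot get one without the other (mirrors the YAML in the issue).
    private static final List<String> CORS_PATHS = List.of("/machin/**");

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        var config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://ui.example.com")); // hypothetical origin
        config.setAllowedMethods(List.of("OPTIONS", "POST"));        // same verbs as the YAML
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        var source = new UrlBasedCorsConfigurationSource();
        CORS_PATHS.forEach(path -> source.registerCorsConfiguration(path, config));
        return source;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.cors(Customizer.withDefaults()); // picks up the CorsConfigurationSource bean
        http.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        http.csrf(csrf -> csrf.disable()); // stateless resource server: no session cookie to protect
        http.oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        http.authorizeHttpRequests(auth -> auth
            // anonymous preflight only where a CORS mapping exists
            .requestMatchers(HttpMethod.OPTIONS, CORS_PATHS.toArray(String[]::new)).permitAll()
            // everything else, including OPTIONS on /truc/** or any other path, needs a token
            .anyRequest().authenticated());
        return http.build();
    }
}
```

Unlike `web.ignoring()`, this keeps OPTIONS requests inside the security filter chain, so they are still logged and still subject to the rest of the configuration.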

ch4mpy commented 6 months ago

Released with 7.4.1