Commit 29f47571 authored by femiadeyemi's avatar femiadeyemi

fix cors issue

Motivation:

CORS is a technique that uses additional HTTP headers
to tell browsers to give a client application at a
particular origin access to requested resources at a
different origin. This was previously implemented but
needed a few adjustments to make it work.

Modification:

- Change the property name for allowed origin from
    cerebrum.allowed.client.origins to cerebrum.allowed.origins
    Hence it can be set in the command line as follow:
    `java -jar --cerebrum.allowed.origins=<comma-seperated-values>`
- Add OPTIONS method to the list of allowed methods and obtain
    the value of the property: `cerebrum.allowed.origins`

Result:

CORs now works

Target: master
Review: https://gitlab.hzdr.de/hifis-technical-platform/helmholtz-cerebrum/-/merge_requests/36
parent b32087bf
Pipeline #45233 canceled with stages
in 1 minute and 26 seconds
package de.helmholtz.marketplace.cerebrum.config;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
......@@ -10,18 +11,19 @@ import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import java.util.Arrays;
import java.util.Collections;
import static org.springframework.security.config.Customizer.withDefaults;
import java.util.List;
@EnableWebSecurity
public class CerebrumSecurityConfig extends WebSecurityConfigurerAdapter
{
@Value("${cerebrum.allowed.origins}")
List<String> allowedOrigins;
@Override
protected void configure(HttpSecurity http) throws Exception {
protected void configure(HttpSecurity http) throws Exception
{
http
.cors(withDefaults())
.mvcMatcher("/**")
.cors().and()
.authorizeRequests()
.mvcMatchers("/api/v0/admin/**").hasRole("ADMIN")
.mvcMatchers("/", "/swagger-ui/**", "/api/**").permitAll()
......@@ -31,10 +33,11 @@ public class CerebrumSecurityConfig extends WebSecurityConfigurerAdapter
}
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfigurationSource corsConfigurationSource()
{
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Collections.singletonList("${cerebrum.allowed.client.origins}"));
configuration.setAllowedMethods(Arrays.asList("GET","DELETE","PUT","POST"));
configuration.setAllowedOrigins(allowedOrigins);
configuration.setAllowedMethods(Arrays.asList("GET","DELETE","PUT","POST", "OPTIONS"));
configuration.setAllowedHeaders(Arrays.asList("Authorization", "Cache-Control", "Content-Type"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
......
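Review bot: The origin list injected into `allowedOrigins` is passed to `setAllowedOrigins` in `corsConfigurationSource()` without any check, so a deployment that sets `cerebrum.allowed.origins=*` would allow every origin to call the API, including requests carrying the allowed `Authorization` header. Because the value now comes from the command line or environment rather than the packaged file, a guard before the call would fail fast at startup, for example `if (allowedOrigins.isEmpty() || allowedOrigins.contains("*")) throw new IllegalStateException("cerebrum.allowed.origins must list explicit origins");`. The field can also be declared `private`, since nothing visible here needs package access. The rest of `corsConfigurationSource()` lies outside the visible hunk, so any check that already exists there is not shown.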
......@@ -3,10 +3,7 @@ cerebrum:
oauth2-token: ${token:notoken}
version: @project.version@
allowed:
client:
origins:
- https://localhost
- http://localhost:8080
origins: https://localhost:8080
logging:
level:
......
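Review bot: The default for `cerebrum.allowed.origins` appears to replace `https://localhost` and `http://localhost:8080` with the single value `https://localhost:8080`, assuming the nested `client.origins` list is the old side. Scheme and port are part of an origin, so a local front end served over plain HTTP on port 8080 would no longer match. If that is intended, a comment above the key would document the format and the expectation that deployments override it, such as `# comma-separated exact origins (scheme://host[:port]); override per deployment, never "*"`.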