Fix #24466: allow configuring CORS

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java

@@ -45,6 +45,7 @@
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
 import org.springframework.security.web.header.writers.StaticHeadersWriter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
 
 import javax.inject.Inject;
@@ -54,6 +55,8 @@
 import java.io.IOException;
 import java.util.List;
 
+import static eu.openanalytics.containerproxy.ui.TemplateResolverConfig.PROP_CORS_ALLOWED_ORIGINS;
+
 @Configuration
 @EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@@ -107,6 +110,11 @@ private void checkForIncorrectConfiguration(HttpServletRequest request) {
 
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
+		if (environment.getProperty(PROP_CORS_ALLOWED_ORIGINS + "[0]") != null) {
+			// enable cors
+			http.cors();
+		}
+
 		// App Recovery Filter
 		http.addFilterAfter(appRecoveryFilter, BasicAuthenticationFilter.class);
 

src/main/java/eu/openanalytics/containerproxy/ui/TemplateResolverConfig.java

@@ -20,25 +20,33 @@
  */
 package eu.openanalytics.containerproxy.ui;
 
-import javax.inject.Inject;
-
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 
+import javax.annotation.Nonnull;
+import javax.inject.Inject;
+import java.util.ArrayList;
+import java.util.List;
+
 @Configuration
 public class TemplateResolverConfig implements WebMvcConfigurer {
 
+	private static final String PROP_TEMPLATE_PATH = "proxy.template-path";
+
+	public static final String PROP_CORS_ALLOWED_ORIGINS = "proxy.api-security.cors-allowed-origins";
+
 	@Inject
     private Environment environment;
 
 	@Override
 	public void addResourceHandlers(ResourceHandlerRegistry registry) {
 		registry.addResourceHandler("/assets/**")
-			.addResourceLocations("file:" + environment.getProperty("proxy.template-path") + "/assets/");
+			.addResourceLocations("file:" + environment.getProperty(PROP_TEMPLATE_PATH) + "/assets/");
 	}
 
 	@Bean
@@ -52,4 +60,23 @@ public FileTemplateResolver templateResolver() {
 		resolver.setOrder(1);
 		return resolver;
 	}
-}
+
+	@Override
+	public void addCorsMappings(@Nonnull CorsRegistry registry) {
+		List<String> origins = new ArrayList<>();
+		int i = 0;
+		String origin = environment.getProperty(String.format(PROP_CORS_ALLOWED_ORIGINS + "[%d]", i));
+		while (origin != null) {
+			origins.add(origin);
+			i++;
+			origin = environment.getProperty(String.format(PROP_CORS_ALLOWED_ORIGINS + "[%d]", i));
+		}
+
+		if (origins.size() > 0) {
+			registry.addMapping("/**")
+					.allowCredentials(true)
+					.allowedOrigins(origins.toArray(new String[0]));
+		}
+	}
+
+}