Made CorsFilter Policy configurable because of IllegalStateException …

…due to miss configuration
adorsys · Nov 13, 2023 · 54f0ff5 · 54f0ff5
1 parent f3a00ab
commit 54f0ff5
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 4 deletions.
diff --git a/...secret-server/src/main/java/de/adorsys/sts/secretserver/configuration/CorsProperties.java b/...secret-server/src/main/java/de/adorsys/sts/secretserver/configuration/CorsProperties.java
@@ -0,0 +1,14 @@
+package de.adorsys.sts.secretserver.configuration;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@ConfigurationProperties(prefix = "cors")
+@Data
+public class CorsProperties {
+    private String[] allowedOrigins;
+    private String allowedHeaders;
+    private String[] allowedMethods;
+}
diff --git a/...server/src/main/java/de/adorsys/sts/secretserver/configuration/SecurityConfiguration.java b/...server/src/main/java/de/adorsys/sts/secretserver/configuration/SecurityConfiguration.java
@@ -15,6 +15,8 @@
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
 
+import java.util.Arrays;
+
 @Configuration
 @EnableWebSecurity
 public class SecurityConfiguration {
@@ -42,19 +44,20 @@ protected SecurityFilterChain securityFilterChain(HttpSecurity http, TokenAuthen
     }
 
     @Bean
-    public CorsFilter corsFilter() {
+    public CorsFilter corsFilter(CorsProperties corsProperties) {
         CorsConfiguration config = new CorsConfiguration();
         config.setAllowCredentials(true);
-        config.addAllowedOrigin("*");
-        config.addAllowedHeader("*");
-        config.addAllowedMethod("*");
+        Arrays.stream(corsProperties.getAllowedOrigins()).forEach(config::addAllowedOrigin);
+        config.addAllowedHeader(corsProperties.getAllowedHeaders());
+        Arrays.stream(corsProperties.getAllowedMethods()).forEach(config::addAllowedMethod);
 
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", config);
 
         return new CorsFilter(source);
     }
 
+
     @Bean
     public WebSecurityCustomizer customize() {
         return (web) -> web.ignoring().requestMatchers(

diff --git a/sts-secret-server/src/main/resources/application-dev.yml b/sts-secret-server/src/main/resources/application-dev.yml
@@ -11,6 +11,11 @@ spring:
   jpa:
     show-sql: false
 
+cors:
+  allowedOrigins: "*"
+  allowedHeaders: "*"
+  allowedMethods: GET,POST,PUT,DELETE
+
 sts:
   secret-server:
     secret-length: 8192

diff --git a/sts-secret-server/src/main/resources/application.yml b/sts-secret-server/src/main/resources/application.yml
@@ -26,6 +26,11 @@ spring:
       - org.springframework.boot.autoconfigure.mongo.MongoAutoConfiguration
       - org.springframework.boot.autoconfigure.data.mongo.MongoDataAutoConfiguration
 
+cors:
+  allowedOrigins: "*"
+  allowedHeaders: "*"
+  allowedMethods: GET,POST,PUT,DELETE
+
 sts:
   secret:
     secret-length: 2048