Add CORS support for DDI API (#2337)
For instance, if used in remote Swagger or web apps.
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
@@ -27,6 +27,7 @@ import org.eclipse.hawkbit.security.controller.SecurityHeaderAuthenticator;
|
||||
import org.eclipse.hawkbit.security.controller.SecurityTokenAuthenticator;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
@@ -88,17 +89,16 @@ class ControllerSecurityConfiguration {
|
||||
return filterRegBean;
|
||||
}
|
||||
|
||||
|
||||
@Bean
|
||||
@Order(301)
|
||||
protected SecurityFilterChain filterChainDDI(final HttpSecurity http) throws Exception {
|
||||
protected SecurityFilterChain filterChainDDI(
|
||||
final HttpSecurity http,
|
||||
@Value("${hawkbit.server.security.cors.disableForDdiApi:false}") final boolean disableCorsForDdiApi) throws Exception {
|
||||
http
|
||||
.securityMatcher(DDI_ANT_MATCHERS)
|
||||
.csrf(AbstractHttpConfigurer::disable);
|
||||
|
||||
if (securityProperties.isRequireSsl()) {
|
||||
http.requiresChannel(crmRegistry -> crmRegistry.anyRequest().requiresSecure());
|
||||
}
|
||||
|
||||
http
|
||||
.authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
|
||||
.anonymous(AbstractHttpConfigurer::disable)
|
||||
@@ -119,6 +119,15 @@ class ControllerSecurityConfiguration {
|
||||
(request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
|
||||
.sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
|
||||
|
||||
|
||||
if (securityProperties.getCors().isEnabled() && !disableCorsForDdiApi) {
|
||||
http.cors(configurer -> configurer.configurationSource(securityProperties.getCors().toCorsConfigurationSource()));
|
||||
}
|
||||
|
||||
if (securityProperties.isRequireSsl()) {
|
||||
http.requiresChannel(crmRegistry -> crmRegistry.anyRequest().requiresSecure());
|
||||
}
|
||||
|
||||
MdcHandler.Filter.addMdcFilter(http);
|
||||
|
||||
return http.build();
|
||||
|
||||
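Review bot: The new `disableCorsForDdiApi` switch is read through a bare `@Value("${hawkbit.server.security.cors.disableForDdiApi:false}")` in the `filterChainDDI` signature, while every other CORS setting in the same condition comes from `securityProperties.getCors()`; declaring it on the `Cors` properties class (`private boolean disableForDdiApi;` with Javadoc like the sibling fields) and reading `securityProperties.getCors().isDisableForDdiApi()` keeps the property name and its default documented in one place and visible to configuration-metadata tooling (the `Cors` class header is outside these hunks, so I cannot confirm no such field already exists). With `anonymous` disabled and `anyRequest().authenticated()`, preflight `OPTIONS` requests are presumably still answered because Spring Security places its `CorsFilter` ahead of the authentication filters; a one-line comment above the `if`, such as `// CorsFilter runs before authentication, so unauthenticated preflight requests are still answered`, would make that dependency explicit for the next reader. Moving the `requiresChannel` block below the CORS setup is order-independent in the `HttpSecurity` DSL, so that relocation looks harmless. `filterChainDDI` begins in the earlier hunk and its closing brace lies outside this one.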
@@ -37,8 +37,6 @@ import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
|
||||
import org.springframework.security.web.session.SessionManagementFilter;
|
||||
import org.springframework.web.cors.CorsConfiguration;
|
||||
import org.springframework.web.cors.CorsConfigurationSource;
|
||||
|
||||
/**
|
||||
* Security configuration for the REST management API.
|
||||
@@ -110,7 +108,7 @@ public class MgmtSecurityConfiguration {
|
||||
SessionManagementFilter.class);
|
||||
|
||||
if (securityProperties.getCors().isEnabled()) {
|
||||
http.cors(configurer -> configurer.configurationSource(corsConfigurationSource()));
|
||||
http.cors(configurer -> configurer.configurationSource(securityProperties.getCors().toCorsConfigurationSource()));
|
||||
}
|
||||
|
||||
if (securityProperties.isRequireSsl()) {
|
||||
@@ -136,15 +134,4 @@ public class MgmtSecurityConfiguration {
|
||||
|
||||
return http.build();
|
||||
}
|
||||
|
||||
private CorsConfigurationSource corsConfigurationSource() {
|
||||
final CorsConfiguration corsConfiguration = new CorsConfiguration();
|
||||
|
||||
corsConfiguration.setAllowedOrigins(securityProperties.getCors().getAllowedOrigins());
|
||||
corsConfiguration.setAllowCredentials(true);
|
||||
corsConfiguration.setAllowedHeaders(securityProperties.getCors().getAllowedHeaders());
|
||||
corsConfiguration.setAllowedMethods(securityProperties.getCors().getAllowedMethods());
|
||||
corsConfiguration.setExposedHeaders(securityProperties.getCors().getExposedHeaders());
|
||||
return request -> corsConfiguration;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -15,6 +15,8 @@ import java.util.List;
|
||||
|
||||
import lombok.Data;
|
||||
import org.springframework.boot.context.properties.ConfigurationProperties;
|
||||
import org.springframework.web.cors.CorsConfiguration;
|
||||
import org.springframework.web.cors.CorsConfigurationSource;
|
||||
|
||||
/**
|
||||
* Security related hawkBit configuration.
|
||||
@@ -75,6 +77,22 @@ public class HawkbitSecurityProperties {
|
||||
* Exposed headers for CORS.
|
||||
*/
|
||||
private List<String> exposedHeaders = Collections.emptyList();
|
||||
|
||||
public CorsConfiguration toCorsConfiguration() {
|
||||
final CorsConfiguration corsConfiguration = new CorsConfiguration();
|
||||
|
||||
corsConfiguration.setAllowedOrigins(getAllowedOrigins());
|
||||
corsConfiguration.setAllowCredentials(true);
|
||||
corsConfiguration.setAllowedHeaders(getAllowedHeaders());
|
||||
corsConfiguration.setAllowedMethods(getAllowedMethods());
|
||||
corsConfiguration.setExposedHeaders(getExposedHeaders());
|
||||
return corsConfiguration;
|
||||
}
|
||||
|
||||
public CorsConfigurationSource toCorsConfigurationSource() {
|
||||
final CorsConfiguration corsConfiguration = toCorsConfiguration();
|
||||
return request -> corsConfiguration;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
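Review bot: `toCorsConfiguration()` and `toCorsConfigurationSource()` are new public methods on a class whose fields each carry Javadoc, yet neither has any; add e.g. `/** Builds a {@link CorsConfiguration} from the configured origins, headers, methods and exposed headers; credentials are always allowed. */` on the first and `/** Returns a source that hands the same {@link CorsConfiguration}, built once at call time, to every request. */` on the second. Because `setAllowCredentials(true)` is unconditional, an `allowedOrigins` entry of `*` makes Spring's `CorsConfiguration` reject the combination when a CORS request is processed (a wildcard origin is not permitted together with credentials), so the Javadoc should state that origins must be listed explicitly, or the list should go through `setAllowedOriginPatterns` if wildcards are intended. This was already the behaviour of the removed `MgmtSecurityConfiguration.corsConfigurationSource()`, but the shared helper now applies it to the DDI chain as well.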