diff --git a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java
index cf7179d0c..b75e497ef 100644
--- a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java
+++ b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java
@@ -27,6 +27,7 @@ import org.eclipse.hawkbit.security.controller.SecurityHeaderAuthenticator;
 import org.eclipse.hawkbit.security.controller.SecurityTokenAuthenticator;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
@@ -88,17 +89,16 @@ class ControllerSecurityConfiguration {
 return filterRegBean;
 }
+
 @Bean
 @Order(301)
- protected SecurityFilterChain filterChainDDI(final HttpSecurity http) throws Exception {
+ protected SecurityFilterChain filterChainDDI(
+ final HttpSecurity http,
+ @Value("${hawkbit.server.security.cors.disableForDdiApi:false}") final boolean disableCorsForDdiApi) throws Exception {
 http
 .securityMatcher(DDI_ANT_MATCHERS)
 .csrf(AbstractHttpConfigurer::disable);
- if (securityProperties.isRequireSsl()) {
- http.requiresChannel(crmRegistry -> crmRegistry.anyRequest().requiresSecure());
- }
-
 http
 .authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
 .anonymous(AbstractHttpConfigurer::disable)
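Review bot: The new `disableCorsForDdiApi` switch is read through a method-parameter `@Value` in `filterChainDDI` instead of living on the nested CORS properties object returned by `securityProperties.getCors()`, next to `enabled`, `allowedOrigins` and the other keys under the same `hawkbit.server.security.cors.` prefix that this change reuses, so it is bound outside the `@ConfigurationProperties` class and is invisible to its metadata and validation. Consider a `private boolean disableForDdiApi = false;` field on that nested properties object and `securityProperties.getCors().isDisableForDdiApi()` in the chain. Wherever it lives, the new parameter needs a Javadoc line on `filterChainDDI`, e.g. `@param disableCorsForDdiApi when {@code true}, the shared CORS configuration is not applied to the DDI filter chain even if CORS is enabled`. The method body continues in the next hunk.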
@@ -119,6 +119,15 @@ class ControllerSecurityConfiguration {
 (request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
 .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
+
+ if (securityProperties.getCors().isEnabled() && !disableCorsForDdiApi) {
+ http.cors(configurer -> configurer.configurationSource(securityProperties.getCors().toCorsConfigurationSource()));
+ }
+
+ if (securityProperties.isRequireSsl()) {
+ http.requiresChannel(crmRegistry -> crmRegistry.anyRequest().requiresSecure());
+ }
+
 MdcHandler.Filter.addMdcFilter(http);
 return http.build();
diff --git a/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java b/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java
index 80e4f89c7..3156a4fad 100644
--- a/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java
+++ b/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java
@@ -37,8 +37,6 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
 import org.springframework.security.web.session.SessionManagementFilter;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
 /**
 * Security configuration for the REST management API.
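Review bot: With `disableCorsForDdiApi` defaulting to `false`, an operator who enables CORS for the management API now also gets the shared credentialed CORS configuration (`setAllowCredentials(true)` in `toCorsConfiguration`) on the device-facing DDI filter chain without touching any DDI setting; since that chain is stateless and token-authenticated, browser cross-origin access to it is presumably not something most deployments intend. Defaulting the switch to `true` (`@Value("${hawkbit.server.security.cors.disableForDdiApi:true}")`) or naming it as an explicit opt-in keeps existing deployments' behaviour unchanged when they only meant to open the management API. Whichever default is kept should be stated in `filterChainDDI`'s Javadoc. The enclosing method `filterChainDDI` starts in the previous hunk.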
@@ -110,7 +108,7 @@ public class MgmtSecurityConfiguration {
 SessionManagementFilter.class);
 if (securityProperties.getCors().isEnabled()) {
- http.cors(configurer -> configurer.configurationSource(corsConfigurationSource()));
+ http.cors(configurer -> configurer.configurationSource(securityProperties.getCors().toCorsConfigurationSource()));
 }
 if (securityProperties.isRequireSsl()) {
@@ -136,15 +134,4 @@ public class MgmtSecurityConfiguration {
 return http.build();
 }
-
- private CorsConfigurationSource corsConfigurationSource() {
- final CorsConfiguration corsConfiguration = new CorsConfiguration();
-
- corsConfiguration.setAllowedOrigins(securityProperties.getCors().getAllowedOrigins());
- corsConfiguration.setAllowCredentials(true);
- corsConfiguration.setAllowedHeaders(securityProperties.getCors().getAllowedHeaders());
- corsConfiguration.setAllowedMethods(securityProperties.getCors().getAllowedMethods());
- corsConfiguration.setExposedHeaders(securityProperties.getCors().getExposedHeaders());
- return request -> corsConfiguration;
- }
-}
+}
\ No newline at end of file
diff --git a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/HawkbitSecurityProperties.java b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/HawkbitSecurityProperties.java
index 4813d63a2..5286f1cff 100644
--- a/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/HawkbitSecurityProperties.java
+++ b/hawkbit-security-core/src/main/java/org/eclipse/hawkbit/security/HawkbitSecurityProperties.java
@@ -15,6 +15,8 @@ import java.util.List;
 import lombok.Data;
 import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
 /**
 * Security related hawkBit configuration.
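Review bot: The rewritten closing brace `+}` in the `-136,15 +134,4` hunk is marked `\ No newline at end of file`, so `MgmtSecurityConfiguration.java` loses its trailing newline and the next unrelated edit will re-add it as a spurious change on that line. Keep `}` followed by a newline. The first hunk in this file only swaps the private helper for `securityProperties.getCors().toCorsConfigurationSource()` and needs nothing further.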
@@ -75,6 +77,22 @@ public class HawkbitSecurityProperties {
 * Exposed headers for CORS.
 */
 private List exposedHeaders = Collections.emptyList();
+
+ public CorsConfiguration toCorsConfiguration() {
+ final CorsConfiguration corsConfiguration = new CorsConfiguration();
+
+ corsConfiguration.setAllowedOrigins(getAllowedOrigins());
+ corsConfiguration.setAllowCredentials(true);
+ corsConfiguration.setAllowedHeaders(getAllowedHeaders());
+ corsConfiguration.setAllowedMethods(getAllowedMethods());
+ corsConfiguration.setExposedHeaders(getExposedHeaders());
+ return corsConfiguration;
+ }
+
+ public CorsConfigurationSource toCorsConfigurationSource() {
+ final CorsConfiguration corsConfiguration = toCorsConfiguration();
+ return request -> corsConfiguration;
+ }
 }
 /**
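Review bot: `toCorsConfiguration` hard-codes `setAllowCredentials(true)` while passing the configured origin list through verbatim; Spring's `CorsConfiguration` (5.3 and later) refuses a credentialed configuration whose allowed origins contain the literal `*` wildcard — `validateAllowCredentials()` throws when the CORS processor handles the request — so an operator who sets `allowedOrigins` to `*` gets failing cross-origin requests at runtime rather than a clear error at startup, and this now affects the DDI chain as well as the management API. Consider validating that combination where the properties are bound, or at least documenting it: both new public methods lack Javadoc, e.g. `/** Builds a {@link CorsConfiguration} from these properties; credentials are always allowed, so {@code allowedOrigins} must list concrete origins rather than {@code *}. */` on `toCorsConfiguration`, and a one-liner on `toCorsConfigurationSource` stating that it snapshots the configuration once and returns the same instance for every request. The raw `List` on `exposedHeaders` in the context line may be a rendering artifact; if it is really raw in the source, it predates this change.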