Add CORS support for DDI API (#2337)
For instance if used in remote swagger or web apps Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
@@ -27,6 +27,7 @@ import org.eclipse.hawkbit.security.controller.SecurityHeaderAuthenticator;
|
|||||||
import org.eclipse.hawkbit.security.controller.SecurityTokenAuthenticator;
|
import org.eclipse.hawkbit.security.controller.SecurityTokenAuthenticator;
|
||||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.beans.factory.annotation.Value;
|
||||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||||
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
@@ -88,17 +89,16 @@ class ControllerSecurityConfiguration {
|
|||||||
return filterRegBean;
|
return filterRegBean;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
@Order(301)
|
@Order(301)
|
||||||
protected SecurityFilterChain filterChainDDI(final HttpSecurity http) throws Exception {
|
protected SecurityFilterChain filterChainDDI(
|
||||||
|
final HttpSecurity http,
|
||||||
|
@Value("${hawkbit.server.security.cors.disableForDdiApi:false}") final boolean disableCorsForDdiApi) throws Exception {
|
||||||
http
|
http
|
||||||
.securityMatcher(DDI_ANT_MATCHERS)
|
.securityMatcher(DDI_ANT_MATCHERS)
|
||||||
.csrf(AbstractHttpConfigurer::disable);
|
.csrf(AbstractHttpConfigurer::disable);
|
||||||
|
|
||||||
if (securityProperties.isRequireSsl()) {
|
|
||||||
http.requiresChannel(crmRegistry -> crmRegistry.anyRequest().requiresSecure());
|
|
||||||
}
|
|
||||||
|
|
||||||
http
|
http
|
||||||
.authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
|
.authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
|
||||||
.anonymous(AbstractHttpConfigurer::disable)
|
.anonymous(AbstractHttpConfigurer::disable)
|
||||||
@@ -119,6 +119,15 @@ class ControllerSecurityConfiguration {
|
|||||||
(request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
|
(request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
|
||||||
.sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
|
.sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
|
||||||
|
|
||||||
|
|
||||||
|
if (securityProperties.getCors().isEnabled() && !disableCorsForDdiApi) {
|
||||||
|
http.cors(configurer -> configurer.configurationSource(securityProperties.getCors().toCorsConfigurationSource()));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (securityProperties.isRequireSsl()) {
|
||||||
|
http.requiresChannel(crmRegistry -> crmRegistry.anyRequest().requiresSecure());
|
||||||
|
}
|
||||||
|
|
||||||
MdcHandler.Filter.addMdcFilter(http);
|
MdcHandler.Filter.addMdcFilter(http);
|
||||||
|
|
||||||
return http.build();
|
return http.build();
|
||||||
|
|||||||
@@ -37,8 +37,6 @@ import org.springframework.security.core.context.SecurityContextHolder;
|
|||||||
import org.springframework.security.web.SecurityFilterChain;
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
|
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
|
||||||
import org.springframework.security.web.session.SessionManagementFilter;
|
import org.springframework.security.web.session.SessionManagementFilter;
|
||||||
import org.springframework.web.cors.CorsConfiguration;
|
|
||||||
import org.springframework.web.cors.CorsConfigurationSource;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Security configuration for the REST management API.
|
* Security configuration for the REST management API.
|
||||||
@@ -110,7 +108,7 @@ public class MgmtSecurityConfiguration {
|
|||||||
SessionManagementFilter.class);
|
SessionManagementFilter.class);
|
||||||
|
|
||||||
if (securityProperties.getCors().isEnabled()) {
|
if (securityProperties.getCors().isEnabled()) {
|
||||||
http.cors(configurer -> configurer.configurationSource(corsConfigurationSource()));
|
http.cors(configurer -> configurer.configurationSource(securityProperties.getCors().toCorsConfigurationSource()));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (securityProperties.isRequireSsl()) {
|
if (securityProperties.isRequireSsl()) {
|
||||||
@@ -136,15 +134,4 @@ public class MgmtSecurityConfiguration {
|
|||||||
|
|
||||||
return http.build();
|
return http.build();
|
||||||
}
|
}
|
||||||
|
}
|
||||||
private CorsConfigurationSource corsConfigurationSource() {
|
|
||||||
final CorsConfiguration corsConfiguration = new CorsConfiguration();
|
|
||||||
|
|
||||||
corsConfiguration.setAllowedOrigins(securityProperties.getCors().getAllowedOrigins());
|
|
||||||
corsConfiguration.setAllowCredentials(true);
|
|
||||||
corsConfiguration.setAllowedHeaders(securityProperties.getCors().getAllowedHeaders());
|
|
||||||
corsConfiguration.setAllowedMethods(securityProperties.getCors().getAllowedMethods());
|
|
||||||
corsConfiguration.setExposedHeaders(securityProperties.getCors().getExposedHeaders());
|
|
||||||
return request -> corsConfiguration;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -15,6 +15,8 @@ import java.util.List;
|
|||||||
|
|
||||||
import lombok.Data;
|
import lombok.Data;
|
||||||
import org.springframework.boot.context.properties.ConfigurationProperties;
|
import org.springframework.boot.context.properties.ConfigurationProperties;
|
||||||
|
import org.springframework.web.cors.CorsConfiguration;
|
||||||
|
import org.springframework.web.cors.CorsConfigurationSource;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Security related hawkBit configuration.
|
* Security related hawkBit configuration.
|
||||||
@@ -75,6 +77,22 @@ public class HawkbitSecurityProperties {
|
|||||||
* Exposed headers for CORS.
|
* Exposed headers for CORS.
|
||||||
*/
|
*/
|
||||||
private List<String> exposedHeaders = Collections.emptyList();
|
private List<String> exposedHeaders = Collections.emptyList();
|
||||||
|
|
||||||
|
public CorsConfiguration toCorsConfiguration() {
|
||||||
|
final CorsConfiguration corsConfiguration = new CorsConfiguration();
|
||||||
|
|
||||||
|
corsConfiguration.setAllowedOrigins(getAllowedOrigins());
|
||||||
|
corsConfiguration.setAllowCredentials(true);
|
||||||
|
corsConfiguration.setAllowedHeaders(getAllowedHeaders());
|
||||||
|
corsConfiguration.setAllowedMethods(getAllowedMethods());
|
||||||
|
corsConfiguration.setExposedHeaders(getExposedHeaders());
|
||||||
|
return corsConfiguration;
|
||||||
|
}
|
||||||
|
|
||||||
|
public CorsConfigurationSource toCorsConfigurationSource() {
|
||||||
|
final CorsConfiguration corsConfiguration = toCorsConfiguration();
|
||||||
|
return request -> corsConfiguration;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
Reference in New Issue
Block a user