Merge pull request #3 from eclipse-researchlabs/add-cors-web-filter-b…

…efore-security-filters

add CorsWebFilter before spring security filters

src/main/java/com/theo/api_gateway/CorsConfig.java

@@ -1,30 +1,47 @@
-///*******************************************************************************
-// * Copyright (c) 2021 CERTH
-// *
-// * This program and the accompanying materials
-// * are made available under the terms of the Eclipse Public License 2.0
-// * which accompanies this distribution, and is available at
-// * https://www.eclipse.org/legal/epl-2.0/
-// *
-// * SPDX-License-Identifier: EPL-2.0
-// *
-// * Contributors:
-// *     theioakiti - initial API and implementation
-// *******************************************************************************/
-//package com.theo.api_gateway;
-//
-//import org.springframework.context.annotation.Configuration;
-//import org.springframework.web.reactive.config.CorsRegistry;
-//import org.springframework.web.reactive.config.WebFluxConfigurer;
-//
-//@Configuration
-//public class CorsConfig implements WebFluxConfigurer {
-//
-//    @Override
-//    public void addCorsMappings(final CorsRegistry registry) {
-//        registry.addMapping("/**")
-//                .allowedOrigins("*")
-//                .allowedMethods("*")
-//                .allowedHeaders("*");
-//    }
-//}
+/*******************************************************************************
+ * Copyright (c) 2021 CERTH
+ *
+ * This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *     theioakiti - initial API and implementation
+ *******************************************************************************/
+package com.theo.api_gateway;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.reactive.CorsConfigurationSource;
+import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
+
+import java.util.List;
+
+@Configuration
+public class CorsConfig {
+
+    /**
+     * Will ensure that a {@link org.springframework.web.cors.reactive.CorsWebFilter} is added <strong><em>before</em></strong>
+     * the Spring Security filters, so that CORS preflight requests are accepted without authentication.
+     * <p>
+     * See <a href="https://docs.spring.io/spring-security/reference/reactive/integrations/cors.html">Spring Security
+     * documentation</a>.
+     *
+     * @return {@link CorsConfigurationSource}
+     */
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        final CorsConfiguration configuration = new CorsConfiguration();
+        // TODO: use "setAllowedOriginPatterns"
+        configuration.setAllowedOrigins(List.of("*"));
+        configuration.setAllowedMethods(List.of("*"));
+        configuration.setAllowedHeaders(List.of("*"));
+        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", configuration);
+        return source;
+    }
+}

src/main/resources/application.yml

@@ -12,12 +12,6 @@ spring:
           issuer-uri: https://keycloak-smartclide-che.che.smartclide.eu/auth/realms/che
   cloud:
     gateway:
-      globalcors:
-        corsConfigurations:
-          '[/**]':
-            allowedOrigins: "*"
-            allowedHeaders: "*"
-            allowedMethods: "*"
       routes:
         # MoM Rest API
         - id: mom-rest
@@ -223,4 +217,3 @@ spring:
             - Path=/petstore/**
           filters:
             - RewritePath=/petstore/?(?<segment>.*), /v2/$\{segment}
-