removed endpoint regex from cors filter (#7108)

Co-authored-by: George Nash <[email protected]>
Co-authored-by: Angel Montenegro <[email protected]>

orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java

@@ -16,45 +16,29 @@
 import org.springframework.web.filter.OncePerRequestFilter;
 
 /**
- * 
  * @author Robert Peters (rcpeters)
- * 
  */
 
 public class CorsFilterWeb extends OncePerRequestFilter {
 
     @Resource
     CrossDomainWebManger crossDomainWebManger;
-
-    private static final String LOCALHOST_BASE_URI= "https://localhost";
-    private static final String LOCALHOST_ORCID_WEB_BASE_URI = "https://localhost:8443/orcid-web";
-
+
     @Value("${org.orcid.core.baseUri}")
     private String baseUri;
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-        Pattern p = Pattern.compile("^/userStatus\\.json|^/oauth/userinfo|^/oauth/jwks|^/\\.well-known/openid-configuration");
-        Matcher m = p.matcher(OrcidUrlManager.getPathWithoutContextPath(request));
-        // Allow CORS for all paths from Angular frontend only if we are in local dev env
-        // All other envs allow CORS only if request path matches one of:
-        // userStatus.json 
-        // /oauth/userinfo
-        // /oauth/jwks
-        // /.well-known/openid-configuration
-        if (baseUri.equals(LOCALHOST_BASE_URI) || baseUri.equals(LOCALHOST_ORCID_WEB_BASE_URI) || m.matches()) {
-            if (crossDomainWebManger.allowed(request)) {
-                String origin = request.getHeader("origin");
-                response.addHeader("Access-Control-Allow-Origin", origin);
-                response.addHeader("Access-Control-Allow-Credentials", "true");
-
-                if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
-                    // CORS "pre-flight" request
-                    response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
-                    response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token");
-                }
+        if (crossDomainWebManger.allowed(request)) {
+            String origin = request.getHeader("origin");
+            response.addHeader("Access-Control-Allow-Origin", origin);
+            response.addHeader("Access-Control-Allow-Credentials", "true");
+
+            if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
+                // CORS "pre-flight" request
+                response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
+                response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token");
             }
-
         }
 
         filterChain.doFilter(request, response);

properties/development.properties

@@ -99,7 +99,7 @@ org.orcid.core.node = 1
 org.orcid.core.numberOfNodes = 1
 
 # CORS allowed domains
-org.orcid.security.cors.allowed_domains=localhost
+org.orcid.security.cors.allowed_domains=dev.orcid.org
 
 # Messaging
 # Replace with tcp://domain.com:61616 in live to point at ActiveMQ location
@@ -260,8 +260,8 @@ org.orcid.core.autospam.webhookUrl=
 
 org.orcid.persistence.liquibase.enabled=false
 org.orcid.persistence.solr.read.only.url=http://localhost:8983/solr
-
 org.orcid.persistence.panoply.cleanup.production=false
+
 # Panoply redshift database 
 org.orcid.core.utils.panoply.driver=com.amazon.redshift.jdbc.Driver
 org.orcid.core.utils.panoply.maxPoolSize=20