From b81578f918c75e96a69e41b5d02528f6d10f6679 Mon Sep 17 00:00:00 2001
From: bobcaprice
Date: Wed, 30 Oct 2024 12:58:32 +0000
Subject: [PATCH] removed endpoint regex from cors filter (#7108)

Co-authored-by: George Nash
Co-authored-by: Angel Montenegro
---
 .../orcid/core/web/filters/CorsFilterWeb.java | 36 ++++++-------------
 properties/development.properties | 4 +--
 2 files changed, 12 insertions(+), 28 deletions(-)

diff --git a/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java b/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java
index cb396d94486..2e3528fcbdd 100644
--- a/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java
+++ b/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java
@@ -16,45 +16,29 @@ import org.springframework.web.filter.OncePerRequestFilter;
 /**
- *
 * @author Robert Peters (rcpeters)
- *
 */
 public class CorsFilterWeb extends OncePerRequestFilter {
 @Resource
 CrossDomainWebManger crossDomainWebManger;
-
- private static final String LOCALHOST_BASE_URI= "https://localhost";
- private static final String LOCALHOST_ORCID_WEB_BASE_URI = "https://localhost:8443/orcid-web";
-
+
 @Value("${org.orcid.core.baseUri}")
 private String baseUri;
 @Override
 protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
- Pattern p = Pattern.compile("^/userStatus\\.json|^/oauth/userinfo|^/oauth/jwks|^/\\.well-known/openid-configuration");
- Matcher m = p.matcher(OrcidUrlManager.getPathWithoutContextPath(request));
- // Allow CORS for all paths from Angular frontend only if we are in local dev env
- // All other envs allow CORS only if request path matches one of:
- // userStatus.json
- // /oauth/userinfo
- // /oauth/jwks
- // /.well-known/openid-configuration
- if (baseUri.equals(LOCALHOST_BASE_URI) || baseUri.equals(LOCALHOST_ORCID_WEB_BASE_URI) || m.matches()) {
- if (crossDomainWebManger.allowed(request)) {
- String origin = request.getHeader("origin");
- response.addHeader("Access-Control-Allow-Origin", origin);
- response.addHeader("Access-Control-Allow-Credentials", "true");
-
- if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
- // CORS "pre-flight" request
- response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
- response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token");
- }
+ if (crossDomainWebManger.allowed(request)) {
+ String origin = request.getHeader("origin");
+ response.addHeader("Access-Control-Allow-Origin", origin);
+ response.addHeader("Access-Control-Allow-Credentials", "true");
+
+ if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
+ // CORS "pre-flight" request
+ response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
+ response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token");
 }
- }
 filterChain.doFilter(request, response);
diff --git a/properties/development.properties b/properties/development.properties
index 9186b22ceb8..f492b78131f 100644
--- a/properties/development.properties
+++ b/properties/development.properties
@@ -99,7 +99,7 @@ org.orcid.core.node = 1
 org.orcid.core.numberOfNodes = 1
 # CORS allowed domains
-org.orcid.security.cors.allowed_domains=localhost
+org.orcid.security.cors.allowed_domains=dev.orcid.org
 # Messaging
 # Replace with tcp://domain.com:61616 in live to point at ActiveMQ location
@@ -260,8 +260,8 @@ org.orcid.core.autospam.webhookUrl=
 org.orcid.persistence.liquibase.enabled=false
 org.orcid.persistence.solr.read.only.url=http://localhost:8983/solr
-
 org.orcid.persistence.panoply.cleanup.production=false
+
 # Panoply redshift database
 org.orcid.core.utils.panoply.driver=com.amazon.redshift.jdbc.Driver
 org.orcid.core.utils.panoply.maxPoolSize=20
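Review bot: With the path regex and the localhost bypass gone, `crossDomainWebManger.allowed(request)` is the only gate before the filter reflects the request's `origin` header into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, on every path this filter covers; a response whose `Access-Control-Allow-Origin` depends on the request origin should also carry `Vary: Origin`, which the hunk does not add, so a shared cache could serve one allowed origin's response to a different origin. Add `response.addHeader("Vary", "Origin");` next to the `Access-Control-Allow-Origin` line. The `@Value("${org.orcid.core.baseUri}") private String baseUri;` field survives the change, but its only readers were the removed `baseUri.equals(...)` comparisons, so it is now dead injected state, and the `Pattern`, `Matcher` and `OrcidUrlManager` imports above the hunk are presumably unused too. The class Javadoc still carries only `@author`; a sentence such as `Adds CORS headers for requests whose origin is accepted by CrossDomainWebManger; that allowed list is the sole gate, so keep it to exact trusted hosts.` would record the new contract. doFilterInternal's closing brace lies outside the hunk.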
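Review bot: The `# CORS allowed domains` comment does not say that this list is now the sole gate for credentialed CORS, which it becomes once the same commit removes the localhost bypass from CorsFilterWeb; a developer serving orcid-web from localhost will no longer receive CORS headers unless their host is listed here, which I assume is intended. Suggest `# CORS allowed domains - sole gate for Access-Control-Allow-Origin now that CorsFilterWeb has no localhost/path exception; list exact trusted hosts only`. The second hunk only moves a blank line.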