From cdb018b46371fc1c8098830a74b16c3115a4cc2e Mon Sep 17 00:00:00 2001
From: George Nash
Date: Fri, 18 Oct 2024 17:10:25 +0100
Subject: [PATCH] removed endpoint regex from cors filter
---
.../orcid/core/web/filters/CorsFilterWeb.java | 36 ++++++-------------
properties/development.properties | 6 +++-
2 files changed, 15 insertions(+), 27 deletions(-)
diff --git a/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java b/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java
index cb396d94486..2e3528fcbdd 100644
--- a/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java
+++ b/orcid-core/src/main/java/org/orcid/core/web/filters/CorsFilterWeb.java
@@ -16,45 +16,29 @@ import org.springframework.web.filter.OncePerRequestFilter; /** - * * @author Robert Peters (rcpeters) - * */ public class CorsFilterWeb extends OncePerRequestFilter { @Resource CrossDomainWebManger crossDomainWebManger; - - private static final String LOCALHOST_BASE_URI= "https://localhost"; - private static final String LOCALHOST_ORCID_WEB_BASE_URI = "https://localhost:8443/orcid-web"; - + @Value("${org.orcid.core.baseUri}") private String baseUri; @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { - Pattern p = Pattern.compile("^/userStatus\\.json|^/oauth/userinfo|^/oauth/jwks|^/\\.well-known/openid-configuration"); - Matcher m = p.matcher(OrcidUrlManager.getPathWithoutContextPath(request)); - // Allow CORS for all paths from Angular frontend only if we are in local dev env - // All other envs allow CORS only if request path matches one of: - // userStatus.json - // /oauth/userinfo - // /oauth/jwks - // /.well-known/openid-configuration - if (baseUri.equals(LOCALHOST_BASE_URI) || baseUri.equals(LOCALHOST_ORCID_WEB_BASE_URI) || m.matches()) { - if (crossDomainWebManger.allowed(request)) { - String origin = request.getHeader("origin"); - response.addHeader("Access-Control-Allow-Origin", origin); - response.addHeader("Access-Control-Allow-Credentials", "true"); - - if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) { - // CORS "pre-flight" request - response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE"); - response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token"); - } + if (crossDomainWebManger.allowed(request)) { + String origin = request.getHeader("origin"); + response.addHeader("Access-Control-Allow-Origin", origin); + response.addHeader("Access-Control-Allow-Credentials", "true"); + + if 
(request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) { + // CORS "pre-flight" request + response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE"); + response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Authorization,x-csrf-token"); } - } filterChain.doFilter(request, response); diff --git a/properties/development.properties b/properties/development.properties index 34eae804933..13babd4c2de 100644 --- a/properties/development.properties +++ b/properties/development.properties @@ -99,7 +99,7 @@ org.orcid.core.node = 1 org.orcid.core.numberOfNodes = 1 # CORS allowed domains -org.orcid.security.cors.allowed_domains=localhost +org.orcid.security.cors.allowed_domains=dev.orcid.org # Messaging # Replace with tcp://domain.com:61616 in live to point at ActiveMQ location @@ -260,3 +260,7 @@ org.orcid.core.autospam.webhookUrl= #org.orcid.persistence.liquibase.enabled=false org.orcid.persistence.solr.read.only.url=http://localhost:8983/solr + +#Encryption +org.orcid.core.passPhraseForExternalEncryption=spAbusa3ubRase7udEpr +org.orcid.core.passPhraseForInternalEncryption=XeZa8wUkuchusp8saWaW
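Review bot: The new `org.orcid.security.cors.allowed_domains=dev.orcid.org` value is now the only gate on credentialed CORS, because the same commit removes the path restriction in CorsFilterWeb.doFilterInternal and `Access-Control-Allow-Origin` plus `Access-Control-Allow-Credentials: true` are emitted for every path whenever `crossDomainWebManger.allowed(request)` passes. How that property is compared against the request origin (exact scheme+host, host suffix, or substring) is not visible here, and it decides whether a host that merely ends with or contains `dev.orcid.org` would also be accepted; that should be confirmed to be an exact origin match before widening the filter's scope. The property deserves a comment stating the contract, e.g. `# Origins (exact scheme+host match) allowed to make credentialed cross-origin requests to any path`, and a note on whether local dev origins are still expected to work now that `localhost` is gone from the list.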
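Review bot: `org.orcid.core.passPhraseForExternalEncryption` and `org.orcid.core.passPhraseForInternalEncryption` are added with literal passphrase values, which places encryption key material in version control and in git history, where a later edit cannot revoke it. Keep the property names but commit an obviously non-secret placeholder, e.g. `org.orcid.core.passPhraseForExternalEncryption=CHANGE_ME_LOCAL_ONLY` and `org.orcid.core.passPhraseForInternalEncryption=CHANGE_ME_LOCAL_ONLY`, and supply the real values from an untracked local override or the environment. If these two values have been used anywhere other than a throwaway local setup, treat them as exposed and rotate them. The `#Encryption` comment could also state what each passphrase protects and that the value must not be shared across environments.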