[#13] Throw error when allowed origins are not configured

kbss-cvut · Nov 22, 2023 · c653f33 · c653f33
1 parent 42ff464
commit c653f33
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java
@@ -113,10 +113,19 @@ private static void configureAllowedOrigins(CorsConfiguration corsConfig, Config
         final List<String> allowedOrigins = new ArrayList<>();
         appUrlOrigin.ifPresent(allowedOrigins::add);
         final String allowedOriginsConfig = config.getConfig(ConfigParam.CORS_ALLOWED_ORIGINS);
-        allowedOrigins.addAll(Arrays.asList(allowedOriginsConfig.split(",")));
+        Arrays.stream(allowedOriginsConfig.split(",")).filter(s -> !s.isBlank()).forEach(allowedOrigins::add);
         if (!allowedOrigins.isEmpty()) {
             corsConfig.setAllowedOrigins(allowedOrigins);
             corsConfig.setAllowCredentials(true);
+        } else {
+            throw new RecordManagerException(String.format(
+                "The allowed origins are improperly configured as both"
+                    + " the '%s' and '%s' properties are empty. To permit requests from any origin,"
+                    + " configure it explicitly using '%s=*'.",
+                ConfigParam.APP_CONTEXT,
+                ConfigParam.CORS_ALLOWED_ORIGINS,
+                ConfigParam.CORS_ALLOWED_ORIGINS
+            ));
         }
     }
 

diff --git a/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java b/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java
@@ -1,5 +1,6 @@
 package cz.cvut.kbss.study.config;
 
+import cz.cvut.kbss.study.exception.RecordManagerException;
 import cz.cvut.kbss.study.service.ConfigReader;
 import cz.cvut.kbss.study.util.ConfigParam;
 import org.junit.jupiter.api.Test;
@@ -11,6 +12,7 @@
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.hasItems;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 class SecurityConfigTest {
 
@@ -55,4 +57,14 @@ void createCorsConfigurationSupportsMultipleConfiguredAllowedOrigins() {
         assertThat(result.getCorsConfiguration(new MockHttpServletRequest()).getAllowedOrigins(),
                    hasItems(originOne, originTwo, originThree));
     }
+
+    @Test
+    void createCorsConfigurationThrowsRecordManagerExceptionWhenAppContextAndAllowedOriginsAreNotSet() {
+        environment.setProperty(ConfigParam.APP_CONTEXT.toString(), "");
+        environment.setProperty(ConfigParam.CORS_ALLOWED_ORIGINS.toString(),"");
+
+        assertThrows(RecordManagerException.class, () -> {
+            SecurityConfig.createCorsConfiguration(config);
+        });
+    }
 }