From c653f33374c84c5dbd580f64cef079f49044468d Mon Sep 17 00:00:00 2001
From: Miroslav Blasko
Date: Wed, 22 Nov 2023 23:55:15 +0100
Subject: [PATCH] [#13] Throw error when allowed origins are not configured
---
 .../cz/cvut/kbss/study/config/SecurityConfig.java | 11 ++++++++++-
 .../cvut/kbss/study/config/SecurityConfigTest.java | 12 ++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java
index 72ce871d..55f9bf94 100644
--- a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java
+++ b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java
@@ -113,10 +113,19 @@ private static void configureAllowedOrigins(CorsConfiguration corsConfig, Config
 final List allowedOrigins = new ArrayList<>();
 appUrlOrigin.ifPresent(allowedOrigins::add);
 final String allowedOriginsConfig = config.getConfig(ConfigParam.CORS_ALLOWED_ORIGINS);
- allowedOrigins.addAll(Arrays.asList(allowedOriginsConfig.split(",")));
+ Arrays.stream(allowedOriginsConfig.split(",")).filter(s -> !s.isBlank()).forEach(allowedOrigins::add);
 if (!allowedOrigins.isEmpty()) {
 corsConfig.setAllowedOrigins(allowedOrigins);
 corsConfig.setAllowCredentials(true);
+ } else {
+ throw new RecordManagerException(String.format(
+ "The allowed origins are improperly configured as both" +
+ " the '%s' and '%s' properties are empty. To permit requests from any origin," +
+ " configure it explicitly using '%s=*'.",
+ ConfigParam.APP_CONTEXT,
+ ConfigParam.CORS_ALLOWED_ORIGINS,
+ ConfigParam.CORS_ALLOWED_ORIGINS
+ ));
 }
 }
diff --git a/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java b/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java
index 795da311..be91719a 100644
--- a/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java
+++ b/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java
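Review bot: The new exception message in configureAllowedOrigins tells operators to set `CORS_ALLOWED_ORIGINS=*`, but the branch above it still hands that value to `setAllowedOrigins` and then calls `corsConfig.setAllowCredentials(true)`, so the wildcard is always paired with credentials. Spring 5.3 and later reject that pairing when a request is checked (`CorsConfiguration.validateAllowCredentials()`), and older versions accept it and so allow credentialed cross-origin requests from any site; the Spring version is not visible here, so confirm which applies. I would enable credentials only for explicit origins, e.g. `corsConfig.setAllowCredentials(!allowedOrigins.contains("*"));`, or remove the wildcard hint from the message. The entries are also not trimmed, so `a, b` keeps ` b`, which will not match an Origin header; `.map(String::trim)` before the `isBlank` filter covers that. The start of configureAllowedOrigins lies outside the hunk.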
@@ -1,5 +1,6 @@
 package cz.cvut.kbss.study.config;
+import cz.cvut.kbss.study.exception.RecordManagerException;
 import cz.cvut.kbss.study.service.ConfigReader;
 import cz.cvut.kbss.study.util.ConfigParam;
 import org.junit.jupiter.api.Test;
@@ -11,6 +12,7 @@
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.hasItems;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 class SecurityConfigTest {
@@ -55,4 +57,14 @@ void createCorsConfigurationSupportsMultipleConfiguredAllowedOrigins() {
 assertThat(result.getCorsConfiguration(new MockHttpServletRequest()).getAllowedOrigins(), hasItems(originOne, originTwo, originThree));
 }
+
+ @Test
+ void createCorsConfigurationThrowsRecordManagerExceptionWhenAppContextAndAllowedOriginsAreNotSet() {
+ environment.setProperty(ConfigParam.APP_CONTEXT.toString(), "");
+ environment.setProperty(ConfigParam.CORS_ALLOWED_ORIGINS.toString(),"");
+
+ assertThrows(RecordManagerException.class, () -> {
+ SecurityConfig.createCorsConfiguration(config);
+ });
+ }
 }
\ No newline at end of file
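Review bot: The added test in the last hunk pins only the case where both properties are empty strings, while the production change also filters blank entries and its message recommends `*`. A value such as `" , "` for CORS_ALLOWED_ORIGINS should reach the same RecordManagerException and deserves its own case, and a case that sets the property to `*` would record what the advertised setting does together with `setAllowCredentials(true)`. The block lambda can be an expression, `assertThrows(RecordManagerException.class, () -> SecurityConfig.createCorsConfiguration(config));`. The test class starts outside the hunk, so the fixture setup for `environment` and `config` is not visible here.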