From 17f2d2f0aaf683a1d08e3cd9be2949810425d404 Mon Sep 17 00:00:00 2001
From: Yuriy Movchan
Date: Wed, 19 Apr 2023 13:40:27 +0300
Subject: [PATCH] fix: cors filter should not store in local variable allowed origins oxAuth #1773
---
 .../org/gluu/oxauth/filter/CorsFilter.java | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/Server/src/main/java/org/gluu/oxauth/filter/CorsFilter.java b/Server/src/main/java/org/gluu/oxauth/filter/CorsFilter.java
index b45eb0580d..17d68579d2 100644
--- a/Server/src/main/java/org/gluu/oxauth/filter/CorsFilter.java
+++ b/Server/src/main/java/org/gluu/oxauth/filter/CorsFilter.java
@@ -109,15 +109,15 @@ public void init(final FilterConfig filterConfig) throws ServletException {
 @Override
 public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
- Collection globalAllowedOrigins = new ArrayList<>(0);
 if (this.filterEnabled) {
 try {
- globalAllowedOrigins = doFilterImpl(servletRequest);
+ // Set temporary client allowed origins
+ Collection clientAllowedOrigins = doFilterImpl(servletRequest);
+ setContextClientAllowedOrigins(servletRequest, clientAllowedOrigins);
 } catch (Exception ex) {
 log.error("Failed to process request", ex);
 }
 super.doFilter(servletRequest, servletResponse, filterChain);
- setAllowedOrigins(globalAllowedOrigins);
 } else {
 filterChain.doFilter(servletRequest, servletResponse);
 }
@@ -125,7 +125,7 @@ public void doFilter(ServletRequest servletRequest, ServletRespo
 protected Collection doFilterImpl(ServletRequest servletRequest)
 throws UnsupportedEncodingException, IOException, ServletException {
- Collection globalAllowedOrigins = getAllowedOrigins();
+ List clientAuthorizedOrigins = null;
 if (StringHelper.isNotEmpty(servletRequest.getParameter("client_id"))) {
 String clientId = servletRequest.getParameter("client_id");
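Review bot: `doFilterImpl` can now return null, and `doFilter` passes that value straight into `setContextClientAllowedOrigins(servletRequest, clientAllowedOrigins)`. The null comes from `List clientAuthorizedOrigins = null;` in the -125 hunk, which the -157 hunk returns unchanged when no client or no registered origins are found. The helper is not part of this patch, so confirm that it treats null as "use the globally configured origins"; otherwise guard the call with `if (clientAllowedOrigins != null) { setContextClientAllowedOrigins(servletRequest, clientAllowedOrigins); }`. The new comment would help the next maintainer more if it gave the reason, for example `// Keep client origins on the request, not on the shared filter instance, so concurrent requests cannot see each other's list`. The closing brace of doFilter lies outside the hunk.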
@@ -133,8 +133,7 @@ protected Collection doFilterImpl(ServletRequest servletRequest)
 if (client != null) {
 String[] authorizedOriginsArray = client.getAuthorizedOrigins();
 if (authorizedOriginsArray != null && authorizedOriginsArray.length > 0) {
- List clientAuthorizedOrigins = Arrays.asList(authorizedOriginsArray);
- setAllowedOrigins(clientAuthorizedOrigins);
+ clientAuthorizedOrigins = Arrays.asList(authorizedOriginsArray);
 }
 }
 } else {
@@ -157,15 +156,14 @@ protected Collection doFilterImpl(ServletRequest servletRequest)
 if (client != null) {
 String[] authorizedOriginsArray = client.getAuthorizedOrigins();
 if (authorizedOriginsArray != null && authorizedOriginsArray.length > 0) {
- List clientAuthorizedOrigins = Arrays.asList(authorizedOriginsArray);
- setAllowedOrigins(clientAuthorizedOrigins);
+ clientAuthorizedOrigins = Arrays.asList(authorizedOriginsArray);
 }
 }
 }
 }
 }
-
- return globalAllowedOrigins;
+
+ return clientAuthorizedOrigins;
 }
 }
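Review bot: `Arrays.asList(authorizedOriginsArray)` returns a fixed-size view whose `set` writes through to the array that `client.getAuthorizedOrigins()` returned, and that view is now returned to `doFilter` and handed on from there. If the client object is served from a cache (not visible in this patch), a read-only wrapper such as `clientAuthorizedOrigins = Collections.unmodifiableList(Arrays.asList(authorizedOriginsArray));` would keep downstream code from altering a registered origin list. The same line recurs in the -157 hunk. Both branches repeat the same lookup of the client's origins, so a small private helper returning the list for a given client would stop them drifting apart. doFilterImpl begins before this hunk and continues past it.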