Skip to content

Commit

Permalink
Fixed CORS filtering fail causing print of stacktrace
Browse files Browse the repository at this point in the history
Signed-off-by: Alberto Codutti <alberto.codutti@eurotech.com>
  • Loading branch information
Coduz committed Apr 15, 2021
1 parent cfdf0f4 commit 59765c8
Showing 1 changed file with 18 additions and 14 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ public void init(FilterConfig filterConfig) {
logger.info("Initializing with FilterConfig: {}", filterConfig);
int intervalSecs = KapuaApiSetting.getInstance().getInt(KapuaApiSettingKeys.API_CORS_REFRESH_INTERVAL, 60);
initRefreshThread(intervalSecs);
logger.info("Initializing with FilterConfig: {}... DONE!", filterConfig);
}

@Override
Expand All @@ -100,27 +101,28 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
httpResponse.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET, POST, DELETE, PUT");
httpResponse.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, "X-Requested-With, Content-Type, Authorization");

if (httpRequest.getMethod().equals("OPTIONS") || KapuaSecurityUtils.getSession() == null) {
// Preflight request, or session not yet established (Authentication)
if (checkOrigin(origin, null)) {
// Origin matches at least one defined Endpoint
httpResponse.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
httpResponse.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
httpResponse.addHeader("Vary", HttpHeaders.ORIGIN);
} else {
throw new ServletException(String.format("HTTP Origin not allowed: %s", origin));
}
} else {
// Actual request
if (checkOrigin(origin, KapuaSecurityUtils.getSession().getScopeId())) {
// Depending on the type of the request the KapuaSession might not yet be present.
// For preflight request or session not yet established the KapuaSession will be null.
// For the actual request it will be available and we will check the CORS according to the scope.
KapuaId scopeId = KapuaSecurityUtils.getSession() != null ? KapuaSecurityUtils.getSession().getScopeId() : null;

if (httpRequest.getMethod().equals("OPTIONS")) {
if (checkOrigin(origin, scopeId)) {
// Origin matches at least one defined Endpoint
httpResponse.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
httpResponse.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
httpResponse.addHeader("Vary", HttpHeaders.ORIGIN);
} else {
throw new ServletException(String.format("HTTP Origin not allowed: %s", origin));
String msg = scopeId != null ?
String.format("HTTP Origin not allowed: %s for scope: %s", origin, scopeId.toCompactId()) :
String.format("HTTP Origin not allowed: %s", origin);

logger.error(msg);
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, msg);
return;
}
}

chain.doFilter(request, response);
}

Expand All @@ -129,6 +131,7 @@ private String getExplicitOrigin(String origin) throws MalformedURLException {
if (originUrl.getPort() != -1) {
return origin;
}

switch (originUrl.getProtocol()) {
case "http":
return origin + ":80";
Expand All @@ -146,6 +149,7 @@ private boolean checkOrigin(String origin, KapuaId scopeId) {
} catch (MalformedURLException malformedURLException) {
return false;
}

if (scopeId == null) {
// No scopeId, so the call is no authenticated. Return true only if origin
// is enabled in any account or system settings
Expand Down

0 comments on commit 59765c8

Please sign in to comment.