feat: allows to configure specific CORS headers

This closes gravitee-io/issues#160

gravitee-management-api-rest/src/main/java/io/gravitee/management/rest/resource/GraviteeApplication.java

@@ -84,7 +84,6 @@ public GraviteeApplication(AuthenticationProviderManager authenticationProviderM
 
         register(SecurityContextFilter.class);
         register(PermissionsFilter.class);
-        register(CorsResponseFilter.class);
         register(UriBuilderRequestFilter.class);
         register(ByteArrayOutputStreamWriter.class);
         register(JacksonFeature.class);

gravitee-management-api-security/src/main/java/io/gravitee/management/security/config/BasicSecurityConfigurerAdapter.java

@@ -21,7 +21,6 @@
 import io.gravitee.management.security.authentication.AuthenticationProviderManager;
 import io.gravitee.management.security.cookies.JWTCookieGenerator;
 import io.gravitee.management.security.filter.AuthenticationSuccessFilter;
-import io.gravitee.management.security.filter.CORSFilter;
 import io.gravitee.management.security.filter.JWTAuthenticationFilter;
 import io.gravitee.management.security.listener.AuthenticationSuccessListener;
 import io.gravitee.management.service.MembershipService;
@@ -39,16 +38,18 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
-import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
-import javax.servlet.Filter;
 import java.util.Collection;
 import java.util.List;
 import java.util.stream.Collectors;
 
 import static io.gravitee.management.service.common.JWTHelper.DefaultValues.DEFAULT_JWT_EXPIRE_AFTER;
 import static io.gravitee.management.service.common.JWTHelper.DefaultValues.DEFAULT_JWT_ISSUER;
+import static java.util.Arrays.asList;
 
 
 /**
@@ -123,14 +124,26 @@ public AuthenticationSuccessListener authenticationSuccessListener() {
         return new AuthenticationSuccessListener();
     }
 
-    /*
-     * TODO : fix filter order between Jersey Filter (CORSResponseFilter) and
-     * Spring Security Filter TODO : remove this filter or CORSResponseFilter
-     * when the problem will be solved
-     */
     @Bean
-    public Filter corsFilter() {
-        return new CORSFilter();
+    public CorsConfigurationSource corsConfigurationSource() {
+        final CorsConfiguration config = new CorsConfiguration();
+        config.setAllowCredentials(true);
+        config.setAllowedOrigins(getPropertiesAsList("http.cors.allow-origin", ""));
+        config.setAllowedHeaders(getPropertiesAsList("http.cors.allow-headers", "X-Requested-With"));
+        config.setAllowedMethods(getPropertiesAsList("http.cors.allow-methods", "OPTIONS, GET, POST, PUT, DELETE"));
+        config.setMaxAge(environment.getProperty("http.cors.max-age", Long.class, 1728000L));
+
+        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/**", config);
+        return source;
+    }
+
+    private List<String> getPropertiesAsList(final String propertyKey, final String defaultValue) {
+        String property = environment.getProperty(propertyKey);
+        if (property == null) {
+            property = defaultValue;
+        }
+        return asList(property.replaceAll("\\s+","").split(","));
     }
 
     @Override
@@ -210,10 +223,11 @@ protected void configure(HttpSecurity http) throws Exception {
             .and()
                 .csrf()
                     .disable()
-            .addFilterAfter(corsFilter(), AbstractPreAuthenticatedProcessingFilter.class)
-            .addFilterBefore(new JWTAuthenticationFilter(jwtCookieGenerator, jwtSecret), BasicAuthenticationFilter.class)
-            .addFilterAfter(new AuthenticationSuccessFilter(jwtCookieGenerator, jwtSecret, environment.getProperty("jwt.issuer", DEFAULT_JWT_ISSUER),
-                            environment.getProperty("jwt.expire-after", Integer.class, DEFAULT_JWT_EXPIRE_AFTER), membershipService),
-                    BasicAuthenticationFilter.class);
+                .cors()
+            .and()
+                .addFilterBefore(new JWTAuthenticationFilter(jwtCookieGenerator, jwtSecret), BasicAuthenticationFilter.class)
+                .addFilterAfter(new AuthenticationSuccessFilter(jwtCookieGenerator, jwtSecret, environment.getProperty("jwt.issuer", DEFAULT_JWT_ISSUER),
+                                environment.getProperty("jwt.expire-after", Integer.class, DEFAULT_JWT_EXPIRE_AFTER), membershipService),
+                        BasicAuthenticationFilter.class);
     }
 }

gravitee-management-api-standalone/gravitee-management-api-standalone-distribution/src/main/resources/config/gravitee.yml

@@ -30,6 +30,18 @@
 #    enabled: true
 #    path: ${gravitee.home}/logs/gravitee_accesslog_yyyy_mm_dd.log
 
+http:
+  cors:
+    # Allows to configure the header Access-Control-Allow-Origin (default value: no origins allowed)
+    # '*' is a valid value but is considered as a security risk as it will be opened to cross origin requests from anywhere.
+    allow-origin: ${GRAVITEEIO_CORS_ALLOW_ORIGIN:''}
+    # Allows to define how long the result of the preflight request should be cached for (default value; 1728000 [20 days])
+    #max-age: 864000
+    # Which methods to allow (default value: OPTIONS, GET, POST, PUT, DELETE)
+    #allow-methods: 'OPTIONS, GET, POST, PUT, DELETE'
+    # Which headers to allow (default value: X-Requested-With)
+    #allow-headers: 'X-Requested-With'
+
 # Plugins repository
 #plugins:
 #  path:
@@ -278,5 +290,5 @@ user:
   #enabled: true
 
 # Allows to rate an API (default value: false)
-#rating :
+#rating:
   #enabled: true