chore: update cors config

Informasjonsforvaltning · Jan 8, 2025 · a684d45 · a684d45
1 parent 59917ab
commit a684d45
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 2 deletions.
diff --git a/deploy/demo/env.yaml b/deploy/demo/env.yaml
@@ -71,3 +71,5 @@ spec:
               secretKeyRef:
                 name: commonurl-demo
                 key: CATALOG_STORE_HOST
+          - name: CORS_ORIGIN_PATTERNS
+            value: https://*.demo.fellesdatakatalog.digdir.no
diff --git a/deploy/prod/env.yaml b/deploy/prod/env.yaml
@@ -71,3 +71,5 @@ spec:
               secretKeyRef:
                 name: commonurl-prod
                 key: CATALOG_STORE_HOST
+          - name: CORS_ORIGIN_PATTERNS
+            value: https://*.fellesdatakatalog.digdir.no
diff --git a/deploy/staging/env.yaml b/deploy/staging/env.yaml
@@ -71,3 +71,5 @@ spec:
               secretKeyRef:
                 name: commonurl-staging
                 key: CATALOG_STORE_HOST
+          - name: CORS_ORIGIN_PATTERNS
+            value: https://*.staging.fellesdatakatalog.digdir.no,http://localhost:*
diff --git a/src/main/kotlin/no/fdk/concept_catalog/security/SecurityConfig.kt b/src/main/kotlin/no/fdk/concept_catalog/security/SecurityConfig.kt
@@ -2,6 +2,7 @@ package no.fdk.concept_catalog.security
 
 import jakarta.servlet.http.HttpServletRequest
 import org.apache.jena.riot.Lang
+import org.springframework.beans.factory.annotation.Value
 import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
@@ -12,15 +13,30 @@ import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator
 import org.springframework.security.oauth2.jwt.*
 import org.springframework.security.web.SecurityFilterChain
 import org.springframework.security.web.util.matcher.RequestMatcher
+import org.springframework.web.cors.CorsConfiguration
+import org.springframework.web.cors.CorsConfigurationSource
 
 @Configuration
-open class SecurityConfig {
+open class SecurityConfig(
+    @Value("\${application.cors.originPatterns}")
+    val corsOriginPatterns: Array<String>
+) {
 
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
         http {
             csrf { disable() }
-            cors { }
+            cors {
+                configurationSource = CorsConfigurationSource {
+                    val config = CorsConfiguration()
+                    config.allowCredentials = false
+                    config.allowedHeaders = listOf("*")
+                    config.maxAge = 3600L
+                    config.allowedOriginPatterns = corsOriginPatterns.toList()
+                    config.allowedMethods = listOf("GET", "POST", "OPTIONS", "DELETE", "PATCH")
+                    config
+                }
+            }
             oauth2ResourceServer { jwt { } }
             authorizeHttpRequests {
                 authorize(RDFMatcher(), permitAll)

diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -34,6 +34,7 @@ application:
   collectionBaseUri: ${COLLECTION_BASE_URI:https://concept-catalog.fellesdatakatalog.digdir.no}
   historyServiceUri: ${CATALOG_HISTORY_SERVICE_URI:http://localhost:9090}
   adminServiceUri: ${CATALOG_ADMIN_SERVICE_URI:https://catalog-admin-service.fellesdatakatalog.digdir.no}
+  cors.originPatterns: "${CORS_ORIGIN_PATTERNS}"
 
 ---
 spring:
@@ -45,6 +46,7 @@ spring:
     username: elastic
     password: elasticpwd
     uris: http://localhost:9200
+application.cors.originPatterns: "*"
 
 ---
 spring:
@@ -55,3 +57,4 @@ spring:
     password: elasticpwd
 application:
   historyServiceUri: http://localhost:6000
+  cors.originPatterns: "*"