diff --git a/deploy/demo/env.yaml b/deploy/demo/env.yaml index ced9e1b..db660c3 100644 --- a/deploy/demo/env.yaml +++ b/deploy/demo/env.yaml @@ -76,3 +76,5 @@ spec: secretKeyRef: name: commonurl-demo key: DATASET_CATALOG_BASE_URI + - name: CORS_ORIGIN_PATTERNS + value: https://*.demo.fellesdatakatalog.digdir.no diff --git a/deploy/prod/env.yaml b/deploy/prod/env.yaml index 358a918..f0f9601 100644 --- a/deploy/prod/env.yaml +++ b/deploy/prod/env.yaml @@ -76,3 +76,5 @@ spec: secretKeyRef: name: commonurl-prod key: DATASET_CATALOG_BASE_URI + - name: CORS_ORIGIN_PATTERNS + value: https://*.fellesdatakatalog.digdir.no diff --git a/deploy/staging/env.yaml b/deploy/staging/env.yaml index f92ca37..70de417 100644 --- a/deploy/staging/env.yaml +++ b/deploy/staging/env.yaml @@ -76,3 +76,5 @@ spec: secretKeyRef: name: commonurl-staging key: DATASET_CATALOG_BASE_URI + - name: CORS_ORIGIN_PATTERNS + value: https://*.staging.fellesdatakatalog.digdir.no,http://localhost:* diff --git a/src/main/kotlin/no/fdk/dataset_catalog/configuration/SecurityProperties.kt b/src/main/kotlin/no/fdk/dataset_catalog/configuration/SecurityProperties.kt index 5d36743..d25f6b7 100644 --- a/src/main/kotlin/no/fdk/dataset_catalog/configuration/SecurityProperties.kt +++ b/src/main/kotlin/no/fdk/dataset_catalog/configuration/SecurityProperties.kt @@ -4,5 +4,6 @@ import org.springframework.boot.context.properties.ConfigurationProperties @ConfigurationProperties("security") data class SecurityProperties( - val fdkIssuer: String -) \ No newline at end of file + val fdkIssuer: String, + val corsOriginPatterns: List +) diff --git a/src/main/kotlin/no/fdk/dataset_catalog/controller/ApplicationStatusController.kt b/src/main/kotlin/no/fdk/dataset_catalog/controller/ApplicationStatusController.kt index 28e312e..34ffb7f 100644 --- a/src/main/kotlin/no/fdk/dataset_catalog/controller/ApplicationStatusController.kt +++ b/src/main/kotlin/no/fdk/dataset_catalog/controller/ApplicationStatusController.kt @@ -3,12 +3,10 @@ package no.fdk.dataset_catalog.controller import no.fdk.dataset_catalog.service.DatasetService import org.springframework.http.HttpStatus import org.springframework.http.ResponseEntity -import org.springframework.web.bind.annotation.CrossOrigin import org.springframework.web.bind.annotation.GetMapping import org.springframework.web.bind.annotation.RestController @RestController -@CrossOrigin class ApplicationStatusController(private val datasetService: DatasetService) { @GetMapping("/ping") diff --git a/src/main/kotlin/no/fdk/dataset_catalog/controller/CatalogController.kt b/src/main/kotlin/no/fdk/dataset_catalog/controller/CatalogController.kt index 6d4fa66..081bdbc 100644 --- a/src/main/kotlin/no/fdk/dataset_catalog/controller/CatalogController.kt +++ b/src/main/kotlin/no/fdk/dataset_catalog/controller/CatalogController.kt @@ -15,7 +15,6 @@ import org.springframework.web.bind.annotation.* private val logger = LoggerFactory.getLogger(CatalogController::class.java) @RestController -@CrossOrigin @RequestMapping(value = ["/catalogs"]) class CatalogController( private val catalogService: CatalogService, diff --git a/src/main/kotlin/no/fdk/dataset_catalog/controller/DatasetController.kt b/src/main/kotlin/no/fdk/dataset_catalog/controller/DatasetController.kt index e281f49..63d588a 100644 --- a/src/main/kotlin/no/fdk/dataset_catalog/controller/DatasetController.kt +++ b/src/main/kotlin/no/fdk/dataset_catalog/controller/DatasetController.kt @@ -17,7 +17,6 @@ import org.springframework.web.bind.annotation.* private val logger = LoggerFactory.getLogger(DatasetController::class.java) @RestController -@CrossOrigin @RequestMapping(value = ["/catalogs/{catalogId}/datasets"]) class DatasetController( private val datasetService: DatasetService, diff --git a/src/main/kotlin/no/fdk/dataset_catalog/controller/RDFController.kt b/src/main/kotlin/no/fdk/dataset_catalog/controller/RDFController.kt index 7922c1b..91e409a 100644 --- a/src/main/kotlin/no/fdk/dataset_catalog/controller/RDFController.kt +++ b/src/main/kotlin/no/fdk/dataset_catalog/controller/RDFController.kt @@ -8,7 +8,6 @@ import org.springframework.http.ResponseEntity import org.springframework.web.bind.annotation.* @RestController -@CrossOrigin @RequestMapping( value = ["/catalogs"], produces = ["text/turtle", "text/n3", "application/rdf+json", "application/ld+json", "application/rdf+xml", diff --git a/src/main/kotlin/no/fdk/dataset_catalog/controller/SearchController.kt b/src/main/kotlin/no/fdk/dataset_catalog/controller/SearchController.kt index 7876cd1..9a5c15b 100644 --- a/src/main/kotlin/no/fdk/dataset_catalog/controller/SearchController.kt +++ b/src/main/kotlin/no/fdk/dataset_catalog/controller/SearchController.kt @@ -14,7 +14,6 @@ import org.springframework.web.bind.annotation.* private val logger = LoggerFactory.getLogger(SearchController::class.java) @RestController -@CrossOrigin @RequestMapping(value = ["/search"]) class SearchController ( private val searchService: SearchService) { @@ -36,4 +35,3 @@ class SearchController ( ResponseEntity(HttpStatus.BAD_REQUEST) } } - diff --git a/src/main/kotlin/no/fdk/dataset_catalog/security/SecurityConfig.kt b/src/main/kotlin/no/fdk/dataset_catalog/security/SecurityConfig.kt index 3217080..f3d8cd2 100644 --- a/src/main/kotlin/no/fdk/dataset_catalog/security/SecurityConfig.kt +++ b/src/main/kotlin/no/fdk/dataset_catalog/security/SecurityConfig.kt @@ -12,6 +12,7 @@ import org.springframework.security.oauth2.jwt.* import org.springframework.security.web.SecurityFilterChain import org.springframework.security.web.util.matcher.RequestMatcher import jakarta.servlet.http.HttpServletRequest +import org.springframework.web.cors.CorsConfiguration @Configuration open class SecurityConfig( @@ -20,15 +21,27 @@ open class SecurityConfig( @Bean open fun filterChain(http: HttpSecurity): SecurityFilterChain { - http.csrf().disable() - .cors().and() + http + .cors { cors -> + cors.configurationSource { _ -> + val config = CorsConfiguration() + config.allowCredentials = false + config.allowedHeaders = listOf("*") + config.maxAge = 3600L + config.allowedOriginPatterns = securityProperties.corsOriginPatterns + config.allowedMethods = listOf("GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH") + + config + } + } + .csrf { it.disable() } .authorizeHttpRequests{ authorize -> authorize.requestMatchers(RDFMatcher()).permitAll() .requestMatchers(HttpMethod.OPTIONS).permitAll() .requestMatchers(HttpMethod.GET,"/ping").permitAll() .requestMatchers(HttpMethod.GET,"/ready").permitAll() .anyRequest().authenticated() } - .oauth2ResourceServer { resourceServer -> resourceServer.jwt() } + .oauth2ResourceServer { resourceServer -> resourceServer.jwt { } } return http.build() } diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml index 4ac2649..b493287 100644 --- a/src/main/resources/application.yml +++ b/src/main/resources/application.yml @@ -35,6 +35,7 @@ application: exchangeName: harvests security: fdkIssuer: ${OIDC_ISSUER:https://sso.staging.fellesdatakatalog.digdir.no/auth/realms/fdk} + corsOriginPatterns: "${CORS_ORIGIN_PATTERNS}" --- spring: @@ -53,6 +54,7 @@ application: catalogHarvestRoute: dataset.publisher.HarvestTrigger newDataSourceRoute: dataset.publisher.NewDataSource exchangeName: harvests +security.corsOriginPatterns: "*" --- spring: @@ -67,3 +69,4 @@ application: catalogHarvestRoute: dataset.publisher.HarvestTrigger newDataSourceRoute: dataset.publisher.NewDataSource exchangeName: harvests +security.corsOriginPatterns: "*"