permit all options

CDOT-CV · Feb 14, 2024 · 4be535d · 4be535d
1 parent f052ade
commit 4be535d
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 5 deletions.
diff --git a/jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/CorsFilter.java b/jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/CorsFilter.java
@@ -0,0 +1,33 @@
+package us.dot.its.jpo.ode.api;
+
+import jakarta.servlet.*;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+
+/**
+ * Custom servlet filter to add CORS header
+ */
+public class CorsFilter implements Filter {
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        // Nothing to initialize
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        var response = (HttpServletResponse)servletResponse;
+        var request = (HttpServletRequest)servletRequest;
+        response.setHeader("Access-Control-Allow-Origin", "*");
+        response.setHeader("Access-Control-Allow-Methods", "OPTIONS,GET,POST,DELETE");
+        response.setHeader("Access-Control-Allow-Headers", "authorization");
+        response.setIntHeader("Access-Control-Max-Age", 1800);
+        filterChain.doFilter(servletRequest, servletResponse);
+    }
+
+    @Override
+    public void destroy() {
+        // Nothing to destroy
+    }
+}
diff --git a/jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/KeycloakConfig.java b/jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/KeycloakConfig.java
@@ -5,6 +5,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -14,6 +15,7 @@
 import org.springframework.security.oauth2.core.AuthenticationMethod;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.session.SessionManagementFilter;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
@@ -56,7 +58,10 @@ public ClientRegistrationRepository clientRepository() {
 
     private ClientRegistration keycloakClientRegistration() {
 
-        return ClientRegistration
+
+
+
+        var registration = ClientRegistration
                 .withRegistrationId(realm)
                 .clientId(resource)
                 .clientSecret(clientSecret)
@@ -68,8 +73,18 @@ private ClientRegistration keycloakClientRegistration() {
                 .userInfoUri(authServer + "/realms/" + realm + "/protocol/openid-connect/userinfo")
                 .userInfoAuthenticationMethod(AuthenticationMethod.HEADER)
                 .build();
+
+        System.out.println("Client Registration");
+        System.out.println(registration);
+
+        return registration;
+
     }
 
+    @Bean
+    CorsFilter corsFilter() {
+        return new CorsFilter();
+    }
 
 
     @Bean
@@ -78,19 +93,20 @@ public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws
             System.out.println("Running with KeyCloak Authentication");
 
             return httpSecurity
-                    .cors(AbstractHttpConfigurer::disable)
+                    .addFilterBefore(corsFilter(), SessionManagementFilter.class)
                     .csrf(AbstractHttpConfigurer::disable)
                     .authorizeHttpRequests(request -> {
-                                request.requestMatchers("/**").permitAll();
-                                request.anyRequest().fullyAuthenticated();
+                                //request.requestMatchers("/**").permitAll();
+                                request.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll(); // Allow CORS preflight to fail
+                                request.anyRequest().authenticated();
                             }
                     )
                     .oauth2Client(withDefaults())
                     .build();
         }else{
             System.out.println("Running without KeyCloak Authentication");
             return httpSecurity
-                    .cors(AbstractHttpConfigurer::disable)
+                    .addFilterBefore(corsFilter(), SessionManagementFilter.class)
                     .csrf(AbstractHttpConfigurer::disable)
                     .authorizeHttpRequests(
                         request -> request.anyRequest().permitAll()