From 4be535d730a8de4e385b53162b94c655f98ac7c7 Mon Sep 17 00:00:00 2001
From: Ivan Yourshaw <39739503+iyourshaw@users.noreply.github.com>
Date: Tue, 13 Feb 2024 23:48:31 -0700
Subject: [PATCH] permit all options
---
 .../us/dot/its/jpo/ode/api/CorsFilter.java | 33 +++++++++++++++++++
 .../dot/its/jpo/ode/api/KeycloakConfig.java | 26 ++++++++++++---
 2 files changed, 54 insertions(+), 5 deletions(-)
 create mode 100644 jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/CorsFilter.java
diff --git a/jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/CorsFilter.java b/jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/CorsFilter.java
new file mode 100644
index 000000000..7782d272e
--- /dev/null
+++ b/jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/CorsFilter.java
@@ -0,0 +1,33 @@
+package us.dot.its.jpo.ode.api;
+
+import jakarta.servlet.*;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+
+/**
+ * Custom servlet filter to add CORS header
+ */
+public class CorsFilter implements Filter {
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ // Nothing to initialize
+ }
+
+ @Override
+ public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+ var response = (HttpServletResponse)servletResponse;
+ var request = (HttpServletRequest)servletRequest;
+ response.setHeader("Access-Control-Allow-Origin", "*");
+ response.setHeader("Access-Control-Allow-Methods", "OPTIONS,GET,POST,DELETE");
+ response.setHeader("Access-Control-Allow-Headers", "authorization");
+ response.setIntHeader("Access-Control-Max-Age", 1800);
+ filterChain.doFilter(servletRequest, servletResponse);
+ }
+
+ @Override
+ public void destroy() {
+ // Nothing to destroy
+ }
+}
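Review bot: `doFilter` sends `Access-Control-Allow-Origin: *` on every response while also permitting the `authorization` request header, and the origin list is hard-coded, so a deployment cannot narrow CORS to its own UI host; a wildcard is only defensible while every endpoint is bearer-token-only and nothing in the chain falls back to the session cookie, which this file cannot confirm. `Access-Control-Allow-Headers` also omits `content-type`, so the browser will reject the preflight of any POST that sends a JSON body (`Content-Type: application/json` is not a CORS-safelisted value). The preflight itself is not answered in the filter but passed down the chain, which is why the security configuration has to open OPTIONS to everyone. I would take the allowed origins from configuration (a constructor argument the `corsFilter()` bean fills from a property), echo only a matching `Origin` together with `Vary: Origin`, and answer the preflight in the filter, roughly as below; `java.util.Set` is the only extra import.
```java
private final Set<String> allowedOrigins;   // per-deployment allow-list, never "*"

public CorsFilter(Set<String> allowedOrigins) {
    this.allowedOrigins = Set.copyOf(allowedOrigins);
}

// … unchanged: init …

@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    var response = (HttpServletResponse) servletResponse;
    var request = (HttpServletRequest) servletRequest;
    var origin = request.getHeader("Origin");
    // Echo only an allow-listed origin; a non-CORS request (no Origin header) gets no CORS headers at all.
    if (origin != null && allowedOrigins.contains(origin)) {
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.addHeader("Vary", "Origin");
        response.setHeader("Access-Control-Allow-Methods", "OPTIONS,GET,POST,DELETE");
        response.setHeader("Access-Control-Allow-Headers", "authorization,content-type");
        response.setIntHeader("Access-Control-Max-Age", 1800);
    }
    // Answer the preflight here so it never has to reach the authentication filters or the controllers.
    if ("OPTIONS".equalsIgnoreCase(request.getMethod()) && request.getHeader("Access-Control-Request-Method") != null) {
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
        return;
    }
    filterChain.doFilter(servletRequest, servletResponse);
}

// … unchanged: destroy …
```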
diff --git a/jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/KeycloakConfig.java b/jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/KeycloakConfig.java
index 574571232..2d63277f8 100644
--- a/jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/KeycloakConfig.java
+++ b/jpo-conflictvisualizer-api/src/main/java/us/dot/its/jpo/ode/api/KeycloakConfig.java
@@ -5,6 +5,7 @@ import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -14,6 +15,7 @@ import org.springframework.security.oauth2.core.AuthenticationMethod;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.session.SessionManagementFilter;
 import static org.springframework.security.config.Customizer.withDefaults;
@@ -56,7 +58,10 @@ public ClientRegistrationRepository clientRepository() {
 private ClientRegistration keycloakClientRegistration() {
- return ClientRegistration
+
+
+
+ var registration = ClientRegistration
 .withRegistrationId(realm)
 .clientId(resource)
 .clientSecret(clientSecret)
@@ -68,8 +73,18 @@ private ClientRegistration keycloakClientRegistration() {
 .userInfoUri(authServer + "/realms/" + realm + "/protocol/openid-connect/userinfo")
 .userInfoAuthenticationMethod(AuthenticationMethod.HEADER)
 .build();
+
+ System.out.println("Client Registration");
+ System.out.println(registration);
+
+ return registration;
+
 }
+ @Bean
+ CorsFilter corsFilter() {
+ return new CorsFilter();
+ }
 @Bean
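Review bot: `System.out.println(registration)` in `keycloakClientRegistration()` writes the Keycloak client secret to stdout on every start-up: Spring Security's `ClientRegistration#toString()` includes `clientSecret` in the releases I am aware of, and application stdout normally ends up in container and aggregator logs. Drop both println calls, or log an identifier only through SLF4J, e.g. `log.info("Keycloak client registration loaded: {}", registration.getRegistrationId());`. The three blank `+` lines above `var registration` look like leftover edits. Separately, exposing `CorsFilter` as a `@Bean` means Spring Boot also registers it as a plain servlet filter outside the security chain (I cannot see whether this is a Boot application), so the headers are written twice; either construct it inline where the chain is built or wrap it in a `FilterRegistrationBean` with `setEnabled(false)`.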
@@ -78,11 +93,12 @@ public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws
 System.out.println("Running with KeyCloak Authentication");
 return httpSecurity
- .cors(AbstractHttpConfigurer::disable)
+ .addFilterBefore(corsFilter(), SessionManagementFilter.class)
 .csrf(AbstractHttpConfigurer::disable)
 .authorizeHttpRequests(request -> {
- request.requestMatchers("/**").permitAll();
- request.anyRequest().fullyAuthenticated();
+ //request.requestMatchers("/**").permitAll();
+ request.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll(); // Allow CORS preflight to fail
+ request.anyRequest().authenticated();
 }
 )
 .oauth2Client(withDefaults())
@@ -90,7 +106,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws
 }else{
 System.out.println("Running without KeyCloak Authentication");
 return httpSecurity
- .cors(AbstractHttpConfigurer::disable)
+ .addFilterBefore(corsFilter(), SessionManagementFilter.class)
 .csrf(AbstractHttpConfigurer::disable)
 .authorizeHttpRequests(
 request -> request.anyRequest().permitAll()
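Review bot: `addFilterBefore(corsFilter(), SessionManagementFilter.class)` places the CORS filter after Spring Security's authentication filters, so any response those filters write themselves — notably the 401 a `BearerTokenAuthenticationFilter` emits for an expired or invalid token, if resource-server support is configured further down the chain (that part, like the start and end of `securityFilterChain`, is outside this hunk) — carries no `Access-Control-Allow-Origin`, and the browser reports a CORS failure instead of the real status. Spring Security's own `.cors(cors -> cors.configurationSource(...))` installs its `CorsFilter` ahead of authentication and answers preflights itself, which also makes the `OPTIONS` permitAll line unnecessary; the same one-liner should replace `addFilterBefore` in both branches. The comment `// Allow CORS preflight to fail` reads inverted; `// let the CORS preflight through without a token` says what the line does. A configuration-backed source would look like this, with `allowedOrigins` an `@Value`-injected comma-separated property and `CorsConfiguration`/`UrlBasedCorsConfigurationSource` from `org.springframework.web.cors`:
```java
// in securityFilterChain(), both branches
return httpSecurity
        .cors(cors -> cors.configurationSource(corsConfigurationSource()))
        .csrf(AbstractHttpConfigurer::disable)
        // … unchanged: authorizeHttpRequests / oauth2Client …

@Bean
CorsConfigurationSource corsConfigurationSource() {
    var config = new CorsConfiguration();
    config.setAllowedOrigins(List.of(allowedOrigins.split(",")));   // per-deployment allow-list, not "*"
    config.setAllowedMethods(List.of("OPTIONS", "GET", "POST", "DELETE"));
    config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
    config.setMaxAge(1800L);
    var source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", config);
    return source;
}
```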