Enable wildcard in CORS spring security + webFlux
I have spring security + CORS enable into a project that is made with spring webFlux. My problem here is that we accept for example requests from: http://localhost:4200. How I can make that CORS will accept reqs from http://*.localhost:4200 like http://a.localhost:4200, http://b.localhost:4200 ?
My CORS config looks like:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CorsWebFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.setAllowedOrigins(corsConfigData.getAllowedOrigins());
config.setAllowedHeaders(corsConfigData.getAllowedHeaders());
config.setAllowedMethods(corsConfigData.getAllowedMethods());
source.registerCorsConfiguration("/**", config);
return new CorsWebFilter(source);
}
Do you have any ideas ???
spring-boot spring-security spring-webflux
asked Nov 21 '18 at 12:36
brebDev
1318
add a comment |
I have spring security + CORS enable into a project that is made with spring webFlux. My problem here is that we accept for example requests from: http://localhost:4200. How I can make that CORS will accept reqs from http://*.localhost:4200 like http://a.localhost:4200, http://b.localhost:4200 ?
My CORS config looks like:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CorsWebFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.setAllowedOrigins(corsConfigData.getAllowedOrigins());
config.setAllowedHeaders(corsConfigData.getAllowedHeaders());
config.setAllowedMethods(corsConfigData.getAllowedMethods());
source.registerCorsConfiguration("/**", config);
return new CorsWebFilter(source);
}
Do you have any ideas ???
spring-boot spring-security spring-webflux
asked Nov 21 '18 at 12:36
brebDev
1318
add a comment |
I have spring security + CORS enable into a project that is made with spring webFlux. My problem here is that we accept for example requests from: http://localhost:4200. How I can make that CORS will accept reqs from http://*.localhost:4200 like http://a.localhost:4200, http://b.localhost:4200 ?
My CORS config looks like:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CorsWebFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.setAllowedOrigins(corsConfigData.getAllowedOrigins());
config.setAllowedHeaders(corsConfigData.getAllowedHeaders());
config.setAllowedMethods(corsConfigData.getAllowedMethods());
source.registerCorsConfiguration("/**", config);
return new CorsWebFilter(source);
}
Do you have any ideas ???
spring-boot spring-security spring-webflux
asked Nov 21 '18 at 12:36
brebDev
1318
I have spring security + CORS enable into a project that is made with spring webFlux. My problem here is that we accept for example requests from: http://localhost:4200. How I can make that CORS will accept reqs from http://*.localhost:4200 like http://a.localhost:4200, http://b.localhost:4200 ?
My CORS config looks like:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CorsWebFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true);
config.setAllowedOrigins(corsConfigData.getAllowedOrigins());
config.setAllowedHeaders(corsConfigData.getAllowedHeaders());
config.setAllowedMethods(corsConfigData.getAllowedMethods());
source.registerCorsConfiguration("/**", config);
return new CorsWebFilter(source);
}
Do you have any ideas ???
spring-boot spring-security spring-webflux
spring-boot spring-security spring-webflux
asked Nov 21 '18 at 12:36
brebDev
1318
asked Nov 21 '18 at 12:36
brebDev
1318
asked Nov 21 '18 at 12:36
brebDev
1318
asked Nov 21 '18 at 12:36
brebDev
1318
asked Nov 21 '18 at 12:36
brebDev
1318
1318
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
I think, as indicated in responses to this question, the CORS specification doesn't allow for wildcarding a subdomain. Specifically see https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
You could follow their advice on that answer and move the processing into some middleware layer like NGINX or Apache which could set the CORS header dynamically based on the domain in the request, or specify all the the subdomains you'd want in the spring boot config if that doesn't total into an unmanageable amount.
Although, in the first part of your question you state that you accept requests from http://localhost:4200., this shouldn't be a problem if you don't need subdomains then you can just explicitly whitelist that one domain, or did I misunderstand?
answered Nov 21 '18 at 13:37
David Goate
1,06021533
Basically, all our other services accept sub-domains, so this is why I'm trying to find a solution for this new service. Yep so I need something like something.localhost:4200 to be accepted. There are some solution like CrossOriginFilter from org.eclipse.jetty.servlets, but we are not any more into a Servlet stack. We started this new service with spring WebFlux so we are in a reactive stack and that solution doesn't work anymore..
– brebDev
Nov 21 '18 at 13:46
I see, I think the main point is that you can't use a header value ofhttp://*.localhost:4200. You can achieve your end goal, but you'd either have to explicitly tell spring all of the permitted subdomains or implement some more custom solution to intercept the request, determine the origin header value, decide whether it's permitted for CORS and if so append the relevant header to the response. You might be able to write your own interceptor for this rather than using the spring cors features. I'm not aware of any built in feature of spring to allow that out of the box.
– David Goate
Nov 21 '18 at 14:02
I think I managed to find out a solution. Please take a look above.
– brebDev
Nov 22 '18 at 14:55
add a comment |
I think I found a solution that works. That simply means creating a custom CorsConfiguration, overriding the checkOrigin method and create a custom matcher that will interpret http://*.localhost:4200 correctly. The code looks like this:
public class RegexCorsConfiguration extends CorsConfiguration {
private List<String> allowedOriginsRegexes = new ArrayList<>();
/**
* Check the origin of the request against the configured allowed origins.
* @param requestOrigin the origin to check
* @return the origin to use for the response, possibly {@code null} which
* means the request origin is not allowed
*/
public String checkOrigin(String requestOrigin) {
if (!StringUtils.hasText(requestOrigin)) {
return null;
}
if (this.allowedOriginsRegexes.isEmpty()) {
return null;
}
if (this.allowedOriginsRegexes.contains(ALL)) {
if (getAllowCredentials() != Boolean.TRUE) {
return ALL;
} else {
return requestOrigin;
}
}
for (String allowedOriginRegex : this.allowedOriginsRegexes) {
if (createMatcher(requestOrigin, allowedOriginRegex).matches()) {
return requestOrigin;
}
}
return null;
}
public void setAllowedOriginRegex(List<String> allowedOriginsRegexes) {
this.allowedOriginsRegexes = allowedOriginsRegexes;
}
private Matcher createMatcher(String origin, String allowedOrigin) {
String regex = this.parseAllowedWildcardOriginToRegex(allowedOrigin);
Pattern pattern = Pattern.compile(regex);
return pattern.matcher(origin);
}
private String parseAllowedWildcardOriginToRegex(String allowedOrigin) {
String regex = allowedOrigin.replace(".", "\.");
return regex.replace("*", ".*");
}}
and of course, inject corsConfig from configuration classes like this:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CorsWebFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
RegexCorsConfiguration regexCorsConfiguration = new RegexCorsConfiguration();
regexCorsConfiguration.setAllowCredentials(true);
regexCorsConfiguration.setAllowedOriginRegex(corsConfigData.getAllowedOrigins());
regexCorsConfiguration.setAllowedHeaders(corsConfigData.getAllowedHeaders());
regexCorsConfiguration.setAllowedMethods(corsConfigData.getAllowedMethods());
source.registerCorsConfiguration("/**", regexCorsConfiguration);
return new CorsWebFilter(source);
}
answered Nov 22 '18 at 14:54
brebDev
1318
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53412178%2fenable-wildcard-in-cors-spring-security-webflux%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
I think, as indicated in responses to this question, the CORS specification doesn't allow for wildcarding a subdomain. Specifically see https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
You could follow their advice on that answer and move the processing into some middleware layer like NGINX or Apache which could set the CORS header dynamically based on the domain in the request, or specify all the the subdomains you'd want in the spring boot config if that doesn't total into an unmanageable amount.
Although, in the first part of your question you state that you accept requests from http://localhost:4200., this shouldn't be a problem if you don't need subdomains then you can just explicitly whitelist that one domain, or did I misunderstand?
answered Nov 21 '18 at 13:37
David Goate
1,06021533
Basically, all our other services accept sub-domains, so this is why I'm trying to find a solution for this new service. Yep so I need something like something.localhost:4200 to be accepted. There are some solution like CrossOriginFilter from org.eclipse.jetty.servlets, but we are not any more into a Servlet stack. We started this new service with spring WebFlux so we are in a reactive stack and that solution doesn't work anymore..
– brebDev
Nov 21 '18 at 13:46
I see, I think the main point is that you can't use a header value ofhttp://*.localhost:4200. You can achieve your end goal, but you'd either have to explicitly tell spring all of the permitted subdomains or implement some more custom solution to intercept the request, determine the origin header value, decide whether it's permitted for CORS and if so append the relevant header to the response. You might be able to write your own interceptor for this rather than using the spring cors features. I'm not aware of any built in feature of spring to allow that out of the box.
– David Goate
Nov 21 '18 at 14:02
I think I managed to find out a solution. Please take a look above.
– brebDev
Nov 22 '18 at 14:55
add a comment |
I think, as indicated in responses to this question, the CORS specification doesn't allow for wildcarding a subdomain. Specifically see https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
You could follow their advice on that answer and move the processing into some middleware layer like NGINX or Apache which could set the CORS header dynamically based on the domain in the request, or specify all the the subdomains you'd want in the spring boot config if that doesn't total into an unmanageable amount.
Although, in the first part of your question you state that you accept requests from http://localhost:4200., this shouldn't be a problem if you don't need subdomains then you can just explicitly whitelist that one domain, or did I misunderstand?
answered Nov 21 '18 at 13:37
David Goate
1,06021533
Basically, all our other services accept sub-domains, so this is why I'm trying to find a solution for this new service. Yep so I need something like something.localhost:4200 to be accepted. There are some solution like CrossOriginFilter from org.eclipse.jetty.servlets, but we are not any more into a Servlet stack. We started this new service with spring WebFlux so we are in a reactive stack and that solution doesn't work anymore..
– brebDev
Nov 21 '18 at 13:46
I see, I think the main point is that you can't use a header value ofhttp://*.localhost:4200. You can achieve your end goal, but you'd either have to explicitly tell spring all of the permitted subdomains or implement some more custom solution to intercept the request, determine the origin header value, decide whether it's permitted for CORS and if so append the relevant header to the response. You might be able to write your own interceptor for this rather than using the spring cors features. I'm not aware of any built in feature of spring to allow that out of the box.
– David Goate
Nov 21 '18 at 14:02
I think I managed to find out a solution. Please take a look above.
– brebDev
Nov 22 '18 at 14:55
add a comment |
I think, as indicated in responses to this question, the CORS specification doesn't allow for wildcarding a subdomain. Specifically see https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
You could follow their advice on that answer and move the processing into some middleware layer like NGINX or Apache which could set the CORS header dynamically based on the domain in the request, or specify all the the subdomains you'd want in the spring boot config if that doesn't total into an unmanageable amount.
Although, in the first part of your question you state that you accept requests from http://localhost:4200., this shouldn't be a problem if you don't need subdomains then you can just explicitly whitelist that one domain, or did I misunderstand?
answered Nov 21 '18 at 13:37
David Goate
1,06021533
I think, as indicated in responses to this question, the CORS specification doesn't allow for wildcarding a subdomain. Specifically see https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
You could follow their advice on that answer and move the processing into some middleware layer like NGINX or Apache which could set the CORS header dynamically based on the domain in the request, or specify all the the subdomains you'd want in the spring boot config if that doesn't total into an unmanageable amount.
Although, in the first part of your question you state that you accept requests from http://localhost:4200., this shouldn't be a problem if you don't need subdomains then you can just explicitly whitelist that one domain, or did I misunderstand?
answered Nov 21 '18 at 13:37
David Goate
1,06021533
edited Nov 21 '18 at 13:45
answered Nov 21 '18 at 13:37
David Goate
1,06021533
answered Nov 21 '18 at 13:37
David Goate
1,06021533
answered Nov 21 '18 at 13:37
David Goate
1,06021533
1,06021533
Basically, all our other services accept sub-domains, so this is why I'm trying to find a solution for this new service. Yep so I need something like something.localhost:4200 to be accepted. There are some solution like CrossOriginFilter from org.eclipse.jetty.servlets, but we are not any more into a Servlet stack. We started this new service with spring WebFlux so we are in a reactive stack and that solution doesn't work anymore..
– brebDev
Nov 21 '18 at 13:46
I see, I think the main point is that you can't use a header value ofhttp://*.localhost:4200. You can achieve your end goal, but you'd either have to explicitly tell spring all of the permitted subdomains or implement some more custom solution to intercept the request, determine the origin header value, decide whether it's permitted for CORS and if so append the relevant header to the response. You might be able to write your own interceptor for this rather than using the spring cors features. I'm not aware of any built in feature of spring to allow that out of the box.
– David Goate
Nov 21 '18 at 14:02
I think I managed to find out a solution. Please take a look above.
– brebDev
Nov 22 '18 at 14:55
add a comment |
Basically, all our other services accept sub-domains, so this is why I'm trying to find a solution for this new service. Yep so I need something like something.localhost:4200 to be accepted. There are some solution like CrossOriginFilter from org.eclipse.jetty.servlets, but we are not any more into a Servlet stack. We started this new service with spring WebFlux so we are in a reactive stack and that solution doesn't work anymore..
– brebDev
Nov 21 '18 at 13:46
I see, I think the main point is that you can't use a header value ofhttp://*.localhost:4200. You can achieve your end goal, but you'd either have to explicitly tell spring all of the permitted subdomains or implement some more custom solution to intercept the request, determine the origin header value, decide whether it's permitted for CORS and if so append the relevant header to the response. You might be able to write your own interceptor for this rather than using the spring cors features. I'm not aware of any built in feature of spring to allow that out of the box.
– David Goate
Nov 21 '18 at 14:02
I think I managed to find out a solution. Please take a look above.
– brebDev
Nov 22 '18 at 14:55
Basically, all our other services accept sub-domains, so this is why I'm trying to find a solution for this new service. Yep so I need something like something.localhost:4200 to be accepted. There are some solution like CrossOriginFilter from org.eclipse.jetty.servlets, but we are not any more into a Servlet stack. We started this new service with spring WebFlux so we are in a reactive stack and that solution doesn't work anymore..
– brebDev
Nov 21 '18 at 13:46
Basically, all our other services accept sub-domains, so this is why I'm trying to find a solution for this new service. Yep so I need something like something.localhost:4200 to be accepted. There are some solution like CrossOriginFilter from org.eclipse.jetty.servlets, but we are not any more into a Servlet stack. We started this new service with spring WebFlux so we are in a reactive stack and that solution doesn't work anymore..
– brebDev
Nov 21 '18 at 13:46
I see, I think the main point is that you can't use a header value of
http://*.localhost:4200. You can achieve your end goal, but you'd either have to explicitly tell spring all of the permitted subdomains or implement some more custom solution to intercept the request, determine the origin header value, decide whether it's permitted for CORS and if so append the relevant header to the response. You might be able to write your own interceptor for this rather than using the spring cors features. I'm not aware of any built in feature of spring to allow that out of the box.– David Goate
Nov 21 '18 at 14:02
I see, I think the main point is that you can't use a header value of
http://*.localhost:4200. You can achieve your end goal, but you'd either have to explicitly tell spring all of the permitted subdomains or implement some more custom solution to intercept the request, determine the origin header value, decide whether it's permitted for CORS and if so append the relevant header to the response. You might be able to write your own interceptor for this rather than using the spring cors features. I'm not aware of any built in feature of spring to allow that out of the box.– David Goate
Nov 21 '18 at 14:02
I think I managed to find out a solution. Please take a look above.
– brebDev
Nov 22 '18 at 14:55
I think I managed to find out a solution. Please take a look above.
– brebDev
Nov 22 '18 at 14:55
add a comment |
I think I found a solution that works. That simply means creating a custom CorsConfiguration, overriding the checkOrigin method and create a custom matcher that will interpret http://*.localhost:4200 correctly. The code looks like this:
public class RegexCorsConfiguration extends CorsConfiguration {
private List<String> allowedOriginsRegexes = new ArrayList<>();
/**
* Check the origin of the request against the configured allowed origins.
* @param requestOrigin the origin to check
* @return the origin to use for the response, possibly {@code null} which
* means the request origin is not allowed
*/
public String checkOrigin(String requestOrigin) {
if (!StringUtils.hasText(requestOrigin)) {
return null;
}
if (this.allowedOriginsRegexes.isEmpty()) {
return null;
}
if (this.allowedOriginsRegexes.contains(ALL)) {
if (getAllowCredentials() != Boolean.TRUE) {
return ALL;
} else {
return requestOrigin;
}
}
for (String allowedOriginRegex : this.allowedOriginsRegexes) {
if (createMatcher(requestOrigin, allowedOriginRegex).matches()) {
return requestOrigin;
}
}
return null;
}
public void setAllowedOriginRegex(List<String> allowedOriginsRegexes) {
this.allowedOriginsRegexes = allowedOriginsRegexes;
}
private Matcher createMatcher(String origin, String allowedOrigin) {
String regex = this.parseAllowedWildcardOriginToRegex(allowedOrigin);
Pattern pattern = Pattern.compile(regex);
return pattern.matcher(origin);
}
private String parseAllowedWildcardOriginToRegex(String allowedOrigin) {
String regex = allowedOrigin.replace(".", "\.");
return regex.replace("*", ".*");
}}
and of course, inject corsConfig from configuration classes like this:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CorsWebFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
RegexCorsConfiguration regexCorsConfiguration = new RegexCorsConfiguration();
regexCorsConfiguration.setAllowCredentials(true);
regexCorsConfiguration.setAllowedOriginRegex(corsConfigData.getAllowedOrigins());
regexCorsConfiguration.setAllowedHeaders(corsConfigData.getAllowedHeaders());
regexCorsConfiguration.setAllowedMethods(corsConfigData.getAllowedMethods());
source.registerCorsConfiguration("/**", regexCorsConfiguration);
return new CorsWebFilter(source);
}
answered Nov 22 '18 at 14:54
brebDev
1318
add a comment |
I think I found a solution that works. That simply means creating a custom CorsConfiguration, overriding the checkOrigin method and create a custom matcher that will interpret http://*.localhost:4200 correctly. The code looks like this:
public class RegexCorsConfiguration extends CorsConfiguration {
private List<String> allowedOriginsRegexes = new ArrayList<>();
/**
* Check the origin of the request against the configured allowed origins.
* @param requestOrigin the origin to check
* @return the origin to use for the response, possibly {@code null} which
* means the request origin is not allowed
*/
public String checkOrigin(String requestOrigin) {
if (!StringUtils.hasText(requestOrigin)) {
return null;
}
if (this.allowedOriginsRegexes.isEmpty()) {
return null;
}
if (this.allowedOriginsRegexes.contains(ALL)) {
if (getAllowCredentials() != Boolean.TRUE) {
return ALL;
} else {
return requestOrigin;
}
}
for (String allowedOriginRegex : this.allowedOriginsRegexes) {
if (createMatcher(requestOrigin, allowedOriginRegex).matches()) {
return requestOrigin;
}
}
return null;
}
public void setAllowedOriginRegex(List<String> allowedOriginsRegexes) {
this.allowedOriginsRegexes = allowedOriginsRegexes;
}
private Matcher createMatcher(String origin, String allowedOrigin) {
String regex = this.parseAllowedWildcardOriginToRegex(allowedOrigin);
Pattern pattern = Pattern.compile(regex);
return pattern.matcher(origin);
}
private String parseAllowedWildcardOriginToRegex(String allowedOrigin) {
String regex = allowedOrigin.replace(".", "\.");
return regex.replace("*", ".*");
}}
and of course, inject corsConfig from configuration classes like this:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CorsWebFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
RegexCorsConfiguration regexCorsConfiguration = new RegexCorsConfiguration();
regexCorsConfiguration.setAllowCredentials(true);
regexCorsConfiguration.setAllowedOriginRegex(corsConfigData.getAllowedOrigins());
regexCorsConfiguration.setAllowedHeaders(corsConfigData.getAllowedHeaders());
regexCorsConfiguration.setAllowedMethods(corsConfigData.getAllowedMethods());
source.registerCorsConfiguration("/**", regexCorsConfiguration);
return new CorsWebFilter(source);
}
answered Nov 22 '18 at 14:54
brebDev
1318
add a comment |
I think I found a solution that works. That simply means creating a custom CorsConfiguration, overriding the checkOrigin method and create a custom matcher that will interpret http://*.localhost:4200 correctly. The code looks like this:
public class RegexCorsConfiguration extends CorsConfiguration {
private List<String> allowedOriginsRegexes = new ArrayList<>();
/**
* Check the origin of the request against the configured allowed origins.
* @param requestOrigin the origin to check
* @return the origin to use for the response, possibly {@code null} which
* means the request origin is not allowed
*/
public String checkOrigin(String requestOrigin) {
if (!StringUtils.hasText(requestOrigin)) {
return null;
}
if (this.allowedOriginsRegexes.isEmpty()) {
return null;
}
if (this.allowedOriginsRegexes.contains(ALL)) {
if (getAllowCredentials() != Boolean.TRUE) {
return ALL;
} else {
return requestOrigin;
}
}
for (String allowedOriginRegex : this.allowedOriginsRegexes) {
if (createMatcher(requestOrigin, allowedOriginRegex).matches()) {
return requestOrigin;
}
}
return null;
}
public void setAllowedOriginRegex(List<String> allowedOriginsRegexes) {
this.allowedOriginsRegexes = allowedOriginsRegexes;
}
private Matcher createMatcher(String origin, String allowedOrigin) {
String regex = this.parseAllowedWildcardOriginToRegex(allowedOrigin);
Pattern pattern = Pattern.compile(regex);
return pattern.matcher(origin);
}
private String parseAllowedWildcardOriginToRegex(String allowedOrigin) {
String regex = allowedOrigin.replace(".", "\.");
return regex.replace("*", ".*");
}}
and of course, inject corsConfig from configuration classes like this:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CorsWebFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
RegexCorsConfiguration regexCorsConfiguration = new RegexCorsConfiguration();
regexCorsConfiguration.setAllowCredentials(true);
regexCorsConfiguration.setAllowedOriginRegex(corsConfigData.getAllowedOrigins());
regexCorsConfiguration.setAllowedHeaders(corsConfigData.getAllowedHeaders());
regexCorsConfiguration.setAllowedMethods(corsConfigData.getAllowedMethods());
source.registerCorsConfiguration("/**", regexCorsConfiguration);
return new CorsWebFilter(source);
}
answered Nov 22 '18 at 14:54
brebDev
1318
I think I found a solution that works. That simply means creating a custom CorsConfiguration, overriding the checkOrigin method and create a custom matcher that will interpret http://*.localhost:4200 correctly. The code looks like this:
public class RegexCorsConfiguration extends CorsConfiguration {
private List<String> allowedOriginsRegexes = new ArrayList<>();
/**
* Check the origin of the request against the configured allowed origins.
* @param requestOrigin the origin to check
* @return the origin to use for the response, possibly {@code null} which
* means the request origin is not allowed
*/
public String checkOrigin(String requestOrigin) {
if (!StringUtils.hasText(requestOrigin)) {
return null;
}
if (this.allowedOriginsRegexes.isEmpty()) {
return null;
}
if (this.allowedOriginsRegexes.contains(ALL)) {
if (getAllowCredentials() != Boolean.TRUE) {
return ALL;
} else {
return requestOrigin;
}
}
for (String allowedOriginRegex : this.allowedOriginsRegexes) {
if (createMatcher(requestOrigin, allowedOriginRegex).matches()) {
return requestOrigin;
}
}
return null;
}
public void setAllowedOriginRegex(List<String> allowedOriginsRegexes) {
this.allowedOriginsRegexes = allowedOriginsRegexes;
}
private Matcher createMatcher(String origin, String allowedOrigin) {
String regex = this.parseAllowedWildcardOriginToRegex(allowedOrigin);
Pattern pattern = Pattern.compile(regex);
return pattern.matcher(origin);
}
private String parseAllowedWildcardOriginToRegex(String allowedOrigin) {
String regex = allowedOrigin.replace(".", "\.");
return regex.replace("*", ".*");
}}
and of course, inject corsConfig from configuration classes like this:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public CorsWebFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
RegexCorsConfiguration regexCorsConfiguration = new RegexCorsConfiguration();
regexCorsConfiguration.setAllowCredentials(true);
regexCorsConfiguration.setAllowedOriginRegex(corsConfigData.getAllowedOrigins());
regexCorsConfiguration.setAllowedHeaders(corsConfigData.getAllowedHeaders());
regexCorsConfiguration.setAllowedMethods(corsConfigData.getAllowedMethods());
source.registerCorsConfiguration("/**", regexCorsConfiguration);
return new CorsWebFilter(source);
}
answered Nov 22 '18 at 14:54
brebDev
1318
answered Nov 22 '18 at 14:54
brebDev
1318
answered Nov 22 '18 at 14:54
brebDev
1318
answered Nov 22 '18 at 14:54
brebDev
1318
1318
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53412178%2fenable-wildcard-in-cors-spring-security-webflux%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
