Commit ae4c14e7 authored by Daniel Gerhardt's avatar Daniel Gerhardt

Add configurable CORS support

The original implementation did not correctly implement the W3C
Recommendation (https://www.w3.org/TR/2014/REC-cors-20140116/). CORS is
now implemented based on the CorsFilter provided by Spring MVC.

Origins allowed for CORS can now be set in the configuration.
Additionally, GET access to the following request URLs is allowed from
all origins:

* /
* /arsnova-config and /configuration/
* /statistics
parent 2958b452
......@@ -17,6 +17,7 @@
*/
package de.thm.arsnova.config;
import de.thm.arsnova.web.CorsFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cache.CacheManager;
......@@ -37,6 +38,9 @@ import de.thm.arsnova.socket.ARSnovaSocket;
import de.thm.arsnova.socket.ARSnovaSocketIOServer;
import de.thm.arsnova.ImageUtils;
import java.util.Arrays;
import java.util.Collections;
/**
* Loads property file and configures non-security related beans and components.
*/
......@@ -57,6 +61,7 @@ public class ExtraConfig {
@Value(value = "${security.ssl}") private boolean socketUseSll;
@Value(value = "${security.keystore}") private String socketKeystore;
@Value(value = "${security.storepass}") private String socketStorepass;
@Value(value = "${security.cors.origins:}") private String[] corsOrigins;
@Bean
public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
......@@ -70,6 +75,11 @@ public class ExtraConfig {
return configurer;
}
@Bean
public CorsFilter corsFilter() {
return new CorsFilter(Arrays.asList(corsOrigins));
}
@Bean(name = "connectorClient")
public ConnectorClient connectorClient() {
if (!connectorEnable) {
......
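Review bot: `java.util.Collections` is imported in the second hunk but nothing in the visible hunks uses it; if nothing outside this view does either, drop the import (`java.util.Arrays` is the one `corsFilter()` needs). The `corsFilter()` bean name is what the `DelegatingFilterProxy` declared as `corsFilter` in web.xml resolves, and nothing in the code records that coupling; a comment on the bean such as `/* Bean name must match the "corsFilter" filter-name in web.xml (DelegatingFilterProxy). */` would prevent an innocent rename from breaking the filter at runtime. It is also worth confirming that an unset `security.cors.origins` (default `""`) is converted to an empty `String[]` rather than a single empty-string origin, since the array is handed to the filter unfiltered via `Arrays.asList(corsOrigins)`. The body of `ExtraConfig` starts and ends outside these hunks.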
/*
* This file is part of ARSnova Backend.
* Copyright (C) 2012-2016 The ARSnova Team
*
* ARSnova Backend is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* ARSnova Backend is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package de.thm.arsnova.web;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import java.util.List;
public class CorsFilter extends org.springframework.web.filter.CorsFilter {
protected final Logger logger = LoggerFactory.getLogger(CorsFilter.class);
public CorsFilter(List<String> origins) {
super(configurationSource(origins));
logger.info("CorsFilter initialized. Allowed origins: {}", origins);
}
private static UrlBasedCorsConfigurationSource configurationSource(List<String> origins) {
CorsConfiguration config;
UrlBasedCorsConfigurationSource source;
/* Grant full access from specified origins */
config = new CorsConfiguration();
config.setAllowedOrigins(origins);
config.addAllowedHeader("Accept");
config.addAllowedHeader("Content-Type");
config.addAllowedHeader("X-Requested-With");
config.addAllowedMethod("GET");
config.addAllowedMethod("POST");
config.addAllowedMethod("PUT");
config.addAllowedMethod("DELETE");
config.setAllowCredentials(true);
source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", config);
/* Grant limited access from all origins */
config = new CorsConfiguration();
config.addAllowedOrigin("*");
config.addAllowedHeader("Accept");
config.addAllowedHeader("X-Requested-With");
config.addAllowedMethod("GET");
config.setAllowCredentials(true);
source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/", config);
source.registerCorsConfiguration("/arsnova-config", config);
source.registerCorsConfiguration("/configuration/", config);
source.registerCorsConfiguration("/statistics", config);
return source;
}
}
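Review bot: The source holding the `/**` rule for the configured origins is discarded by the second `source = new UrlBasedCorsConfigurationSource();` (the line before `registerCorsConfiguration("/", config)`), so the filter ends up with the wildcard GET rules only and `security.cors.origins` has no effect; both rule sets must be registered on one source. Even with a single source, `UrlBasedCorsConfigurationSource` presumably returns the first registered pattern that matches the request path, so a `/**` entry registered before `/statistics` would shadow the public rule — register the specific paths first and the catch-all last. The public rule also pairs `addAllowedOrigin("*")` with `setAllowCredentials(true)`, which with Spring's default CORS processor presumably reflects the caller's origin together with `Access-Control-Allow-Credentials: true` for credentialed GETs from any site; `config.setAllowCredentials(false)` is the safe choice there unless those four endpoints genuinely need the session cookie. Finally, `setAllowedOrigins(origins)` receives the configured list unvalidated, so confirm that an unset property arrives as an empty list rather than `[""]`.
```java
    private static UrlBasedCorsConfigurationSource configurationSource(List<String> origins) {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config;

        /* Limited, non-credentialed GET access from all origins. Registered first
         * because lookup returns the first matching pattern. */
        config = new CorsConfiguration();
        config.addAllowedOrigin("*");
        // … unchanged: allowed headers Accept, X-Requested-With; allowed method GET …
        config.setAllowCredentials(false);
        source.registerCorsConfiguration("/", config);
        // … unchanged: /arsnova-config, /configuration/, /statistics registrations …

        /* Full, credentialed access from the configured origins: the catch-all goes last. */
        config = new CorsConfiguration();
        config.setAllowedOrigins(origins);
        // … unchanged: allowed headers and methods …
        config.setAllowCredentials(true);
        source.registerCorsConfiguration("/**", config);
        return source;
    }
```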
......@@ -151,6 +151,15 @@ security.google.key=
security.google.secret=
################################################################################
# Cross-Origin Resource Sharing
################################################################################
# CORS grants full API access to client-side (browser) applications from other
# domains. Multiple entries are separated by commas. Untrusted and vulnerable
# applications running on these domains pose a security risk to ARSnova users.
#security.cors.origins=https://
################################################################################
# ARSnova Connector (for LMS)
################################################################################
......
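Review bot: The placeholder `#security.cors.origins=https://` at the end of the hunk is not a usable example: a CORS origin is scheme plus host (plus port when non-default) with no trailing slash or path, so `https://` alone can never match an `Origin` header; `#security.cors.origins=https://app.example.org,https://other.example.org` would show the expected form. The comment should also warn against a wildcard, because the Java configuration grants the listed origins credentialed access, so `*` here would presumably hand credentialed API access to every site; add `# Never use "*" here: credentials (session cookie) are allowed for these origins.` above the property. Whether the example file and the server's actual properties file are kept in sync is not visible from this hunk.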
......@@ -61,6 +61,16 @@
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>corsFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>corsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<mime-mapping>
<extension>manifest</extension>
<mime-type>text/cache-manifest</mime-type>
......
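Review bot: The new `corsFilter` mapping on `/*` is placed after the CAS single-sign-out listener, but the other `filter-mapping` entries — in particular the Spring Security chain that the CAS listener suggests is present — are outside this hunk, and web.xml applies filters in `filter-mapping` order; if the CORS filter runs after the security chain, a preflight `OPTIONS` request (which carries no credentials) is answered by the security chain instead of the `CorsFilter`, and browsers will then block the actual request. Confirm that this mapping precedes the security filter mapping and record the constraint, e.g. `<!-- Must be mapped before the security filter chain so preflight requests get CORS headers -->` directly above the `<filter-mapping>`. `async-supported` is set on the filter, which is consistent with the `DelegatingFilterProxy` target as far as this hunk shows.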
......@@ -151,6 +151,15 @@ security.google.key=
security.google.secret=
################################################################################
# Cross-Origin Resource Sharing
################################################################################
# CORS grants full API access to client-side (browser) applications from other
# domains. Multiple entries are separated by commas. Untrusted and vulnerable
# applications running on these domains pose a security risk to ARSnova users.
#security.cors.origins=https://
################################################################################
# ARSnova Connector (for LMS)
################################################################################
......