Commit 56db106a authored by Matija Obreza

CORS: Check allowed origins for PreFlight requests

parent 9dc33998
......@@ -18,11 +18,16 @@ package org.genesys2.spring.config;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.genesys.blocks.oauth.service.OAuthClientDetailsService;
import org.genesys.blocks.oauth.service.OAuthServiceImpl;
import org.genesys.blocks.security.component.OAuthClientOriginCheckFilter;
import org.genesys2.server.servlet.filter.ApiAccessLoggerFilter;
import org.genesys2.spring.CachedInMemoryAuthorizationCodeServices;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
......@@ -46,7 +51,6 @@ import org.springframework.security.oauth2.config.annotation.web.configuration.R
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.TokenApprovalStore;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
......@@ -64,12 +68,17 @@ import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
/**
* The Class OAuth2ServerConfig.
*/
@Configuration
public class OAuth2ServerConfig {
private static final String APPLICATION_RESOURCE_ID = "genesys";
private static final String APPLICATION_RESOURCE_ID = "Genesys";
public static final Logger LOG = LoggerFactory.getLogger(OAuth2ServerConfig.class);
@Value("${oauth.jwt.signingKey}")
private String jwtSigningKey;
......@@ -208,7 +217,7 @@ public class OAuth2ServerConfig {
@Autowired
@Qualifier("oauthService")
private ClientDetailsService clientDetailsService;
private OAuthClientDetailsService clientDetailsService;
@Autowired
public PasswordEncoder passwordEncoder;
......@@ -276,7 +285,36 @@ public class OAuth2ServerConfig {
oauthServer.allowFormAuthenticationForClients().checkTokenAccess("permitAll()").realm(APPLICATION_RESOURCE_ID + "/client").passwordEncoder(passwordEncoder);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
CorsConfiguration config = new CorsConfiguration() {
private LoadingCache<String, Boolean> allowedOriginsCache = CacheBuilder.newBuilder().maximumSize(100).expireAfterWrite(10, TimeUnit.MINUTES).build(
new CacheLoader<String, Boolean>() {
public Boolean load(String origin) {
LOG.debug("Testing origin {}", origin);
return clientDetailsService.isOriginRegistered(origin);
}
});
@Override
public String checkOrigin(String requestOrigin) {
String result = super.checkOrigin(requestOrigin);
if (result != null) {
try {
LOG.debug("Checking origin {}/{} for API access", requestOrigin, result);
if (allowedOriginsCache.get(requestOrigin) == false) {
LOG.warn("{} is not a regisitered origin of any API client", requestOrigin);
return null;
} else {
// Looks good!
return result;
}
} catch (ExecutionException e) {
LOG.error(e.getMessage(), e);
}
}
return result;
}
};
config.setAllowCredentials(false);
config.setAllowedMethods(Collections.singletonList(HttpMethod.POST.name()));
config.addAllowedOrigin("*");
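Review bot: The `catch (ExecutionException e)` branch in the overridden `checkOrigin` only logs and then falls through to `return result;`, so a failed registration lookup allows the origin instead of rejecting it — the catch should end with `return null;` so a lookup error fails closed. Guava's `LoadingCache.get` wraps only a checked exception from the loader in ExecutionException; an unchecked one from `isOriginRegistered` propagates out of checkOrigin as UncheckedExecutionException, so that branch does not cover it either. Because every `requestOrigin`, registered or not, is cached for ten minutes, a newly registered origin can take up to that long to be accepted; a comment on the `expireAfterWrite(10, TimeUnit.MINUTES)` line stating that both positive and negative answers are cached would save the next reader a surprise. The warn message also misspells "registered" as "regisitered". The enclosing configure method starts before and ends after this hunk.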