Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to handle CORS URLs on Prod/Dev environments?

In our Spring Boot app, we made the first deployment on our Quality environment and now we want to make it simple defining URLs to accept petitions from our FrontEnd application.

We build our application with maven and then we execute it with the command

java -Dspring.profiles.active=prod -jar myapp-0.0.1-SNAPSHOT.jar

We thought we could set the URL on the application.properties/application-prod.properties file, but this does not work as in execution time it is null. Another workaround would be somehow to get the parameter -Dspring.profiles.active=prod we pass when running the application and then take one URL or another but this seems to be a little dirty...

So what do you guys would do? I was impressed not finding anything on google, apparently people have different workarounds or I am searching in the wrong way.

Edit Cross Origin info: This is how we implemented it at first.

@CrossOrigin(origins = BasicConfiguration.CLIENT_URL)

And this is how we want to do it now with a filter with Spring Security

public class CorsFilter implements Filter, ApplicationContextAware {
    @Value("${urlServer}")
    private String urlServer;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        response.setHeader("Access-Control-Allow-Origin", urlServer);
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE, PATCH");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
        response.setHeader("Access-Control-Expose-Headers", "Location");
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void destroy() {}
}

Of course urlServer is defined in application.properties with its corresponding metadata.

EDIT 2 How I initialize the filter:

@Bean
public FilterRegistrationBean corsFilter() {
    FilterRegistrationBean registration = new FilterRegistrationBean();
    registration.setFilter(new CorsFilter());
    registration.addUrlPatterns("/sessionLogin");
    return registration;
}
like image 647
Carloshf Avatar asked Jun 28 '17 09:06

Carloshf


People also ask

What is the use of Cors in web application?

CORS stands for “Cross-origin resource sharing” which is the security policy set by the browsers to block different domain request unless the origin is whitelisted in other domain. CORS issue can be resolved only from backend/server, so if you are thinking from frontend you can resolve then it’s not possible.

How to fetch resources with Cors disabled?

If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled. Whenever a request goes from browser, it automatically sends origin request header to server, when browser finds that server is not allowing this origin then the browser blocks this request & doesn’t send any request to server.

Do I need to enable Cors in production?

In production (for web), all requests (static content & REST calls) anyways go through the proxy (same domain & port) and there is no need to enable CORS How to enable CORS on the server?

How does a client get access to a CORS resource?

The CORS headers in the request are automatically added by the browser so whether a client has access to the resource or not really depends on the CORS response headers from the server.


1 Answers

The problem is that you CorsFilter is not a spring bean. You can eather define it like a bean, or do something like this:

    @Bean
    public FilterRegistrationBean corsFilter(@Value("${app.cors.url.server}") String urlServer) {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        CorsFilter corsFilter = new CorsFilter();
        corsFilter.setUrlServer(urlServer);
        registration.setFilter(corsFilter);
        registration.addUrlPatterns("/sessionLogin");
        return registration;
    }

Of course, you will need to define setter in your CorsFilter for urlServer field

like image 61
Leffchik Avatar answered Oct 11 '22 19:10

Leffchik