feature: enable CORS configuration (#1771)

2024-03-17 10:55:27 +01:00 · 2024-03-17 10:55:27 +01:00 · 62931a1836
commit 62931a1836
parent c18430752a
1 changed files with 16 additions and 0 deletions
--- a/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
@ -30,6 +30,7 @@
 */
 package org.owasp.webgoat.container;

+import java.util.List;
 import lombok.AllArgsConstructor;
 import org.owasp.webgoat.container.users.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
@ -43,6 +44,9 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

 /** Security configuration for WebGoat. */
@Configuration
@ -83,6 +87,7 @@ public class WebSecurityConfig {
              oidc.loginPage("/login");
            })
        .logout(logout -> logout.deleteCookies("JSESSIONID").invalidateHttpSession(true))
+        .cors(cors -> cors.configurationSource(corsConfigurationSource()))
        .csrf(csrf -> csrf.disable())
        .headers(headers -> headers.disable())
        .exceptionHandling(
@ -91,6 +96,17 @@ public class WebSecurityConfig {
        .build();
  }

+  private CorsConfigurationSource corsConfigurationSource() {
+    CorsConfiguration configuration = new CorsConfiguration();
+    configuration.addAllowedOriginPattern(CorsConfiguration.ALL);
+    configuration.setAllowedMethods(List.of(CorsConfiguration.ALL));
+    configuration.setAllowedHeaders(List.of(CorsConfiguration.ALL));
+    configuration.setAllowCredentials(true);
+    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+    source.registerCorsConfiguration("/**", configuration);
+    return source;
+  }
+
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService);