aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Vitaly Takmazov2018-12-17 11:58:50 +0300
committerGravatar Vitaly Takmazov2018-12-17 11:58:50 +0300
commit8268ccc461608d45bdf60e58ccf49256e8cc993c (patch)
treefea1863d0ecc24651900b4b4fd1b46f5d08f820e
parent6924024d59b5f86ddff907e13d51057d186c5fef (diff)
CORS for ActivityPub endpoints
-rw-r--r--src/main/java/com/juick/server/configuration/SecurityConfig.java30
-rw-r--r--src/test/java/com/juick/server/tests/ServerTests.java5
2 files changed, 21 insertions, 14 deletions
diff --git a/src/main/java/com/juick/server/configuration/SecurityConfig.java b/src/main/java/com/juick/server/configuration/SecurityConfig.java
index 16b61172..7145e9d5 100644
--- a/src/main/java/com/juick/server/configuration/SecurityConfig.java
+++ b/src/main/java/com/juick/server/configuration/SecurityConfig.java
@@ -69,6 +69,20 @@ public class SecurityConfig {
public UserDetailsService userDetailsService() {
return new JuickUserDetailsService(userService);
}
+ @Bean
+ static CorsConfigurationSource corsConfigurationSource() {
+ CorsConfiguration configuration = new CorsConfiguration();
+
+ configuration.setAllowedOrigins(Collections.singletonList("*"));
+ configuration.setAllowedMethods(Arrays.asList("POST", "GET", "PUT", "OPTIONS", "DELETE"));
+ configuration.setAllowedHeaders(Collections.singletonList("*"));
+
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/api/**", configuration);
+ source.registerCorsConfiguration("/u/**", configuration);
+ source.registerCorsConfiguration("/n/**", configuration);
+ return source;
+ }
@Configuration
@Order(1)
@@ -98,7 +112,7 @@ public class SecurityConfig {
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS).permitAll()
.antMatchers("/api/", "/api/messages", "/api/messages/discussions", "/api/users", "/api/thread", "/api/tags", "/api/tlgmbtwbhk", "/api/fbwbhk",
- "/api/skypebotendpoint", "/api/_fblogin", "/api/_vklogin", "/api/_tglogin", "/api/_google", "/api/signup", "/api/inbox", "/api/u/**", "/.well-known/webfinger", "/.well-known/x-nodeinfo2", "/rss/**", "/api/events", "/api/info/**").permitAll()
+ "/api/skypebotendpoint", "/api/_fblogin", "/api/_vklogin", "/api/_tglogin", "/api/_google", "/api/signup", "/api/inbox", "/api/events", "/api/info/**").permitAll()
.anyRequest().hasRole("USER")
.and()
.anonymous().principal(JuickUser.ANONYMOUS_USER).authorities(JuickUser.ANONYMOUS_AUTHORITY)
@@ -122,19 +136,6 @@ public class SecurityConfig {
return new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED);
}
- @Bean
- public CorsConfigurationSource corsConfigurationSource() {
- CorsConfiguration configuration = new CorsConfiguration();
-
- configuration.setAllowedOrigins(Collections.singletonList("*"));
- configuration.setAllowedMethods(Arrays.asList("POST", "GET", "PUT", "OPTIONS", "DELETE"));
- configuration.setAllowedHeaders(Collections.singletonList("*"));
-
- UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
- source.registerCorsConfiguration("/api/**", configuration);
-
- return source;
- }
@Override
public void configure(WebSecurity web) {
web.debug(false);
@@ -182,6 +183,7 @@ public class SecurityConfig {
.anyRequest().permitAll()
.and()
.anonymous().principal(JuickUser.ANONYMOUS_USER).authorities(JuickUser.ANONYMOUS_AUTHORITY)
+ .and().cors().configurationSource(corsConfigurationSource())
.and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.invalidSessionUrl("/")
diff --git a/src/test/java/com/juick/server/tests/ServerTests.java b/src/test/java/com/juick/server/tests/ServerTests.java
index d1cdac8b..5902220f 100644
--- a/src/test/java/com/juick/server/tests/ServerTests.java
+++ b/src/test/java/com/juick/server/tests/ServerTests.java
@@ -488,6 +488,11 @@ public class ServerTests {
.header("Origin", "http://api.example.net"))
.andExpect(status().isOk())
.andExpect(header().string("Access-Control-Allow-Origin", "*"));
+ mockMvc.perform(
+ get("/u/ugnich")
+ .header("Origin", "http://api.example.net"))
+ .andExpect(status().isOk())
+ .andExpect(header().string("Access-Control-Allow-Origin", "*"));
}
@Test