Feature/cors (#263) (#264)

* Update properties

* Upgrade GHA to use Node.js 20

* Improve handling attributes in firewall

* Modify SecurityConfig to use CORS config from property file

* Fix wss ssl

* Update pom.xml to use latest MMP

* Update CHANGELOG.md and README.md

* Address PR comments

* Update test to check PUT method, since OPTIONS is now allowed in
Firewall

Co-authored-by: Igor Balog Eng <[email protected]>

.github/workflows/ECC.yml

@@ -15,10 +15,10 @@ jobs:
       DOCKER_PASSWORD: ${{secrets.DOCKER_PASSWORD}}
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up JDK 11
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
           java-version: '11'
@@ -40,7 +40,7 @@ jobs:
       TRUSTSTORE_PASSWORD_DOCKER: ${{secrets.TRUSTSTORE_PASSWORD_DOCKER}}
     steps:
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run env setup
         run: ./ci/setupEnv.sh
@@ -74,7 +74,7 @@ jobs:
       TRUSTSTORE_PASSWORD_DOCKER: ${{secrets.TRUSTSTORE_PASSWORD_DOCKER}}
     steps:
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run env setup
         run: ./ci/setupEnv.sh
@@ -108,7 +108,7 @@ jobs:
       TRUSTSTORE_PASSWORD_DOCKER: ${{secrets.TRUSTSTORE_PASSWORD_DOCKER}}
     steps:
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run env setup
         run: ./ci/setupEnv.sh
@@ -150,7 +150,7 @@ jobs:
       TRUSTSTORE_PASSWORD_DOCKER: ${{secrets.TRUSTSTORE_PASSWORD_DOCKER}}
     steps:
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run env setup
         run: ./ci/setupEnv.sh
@@ -184,7 +184,7 @@ jobs:
       TRUSTSTORE_PASSWORD_DOCKER: ${{secrets.TRUSTSTORE_PASSWORD_DOCKER}}
     steps:
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run env setup
         run: ./ci/setupEnv.sh
@@ -218,7 +218,7 @@ jobs:
       TRUSTSTORE_PASSWORD_DOCKER: ${{secrets.TRUSTSTORE_PASSWORD_DOCKER}}
     steps:
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run env setup
         run: ./ci/setupEnv.sh
@@ -252,7 +252,7 @@ jobs:
       TRUSTSTORE_PASSWORD_DOCKER: ${{secrets.TRUSTSTORE_PASSWORD_DOCKER}}
     steps:
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run env setup
         run: ./ci/setupEnv.sh
@@ -286,7 +286,7 @@ jobs:
       TRUSTSTORE_PASSWORD_DOCKER: ${{secrets.TRUSTSTORE_PASSWORD_DOCKER}}
     steps:
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run env setup
         run: ./ci/setupEnv.sh
@@ -320,7 +320,7 @@ jobs:
       TRUSTSTORE_PASSWORD_DOCKER: ${{secrets.TRUSTSTORE_PASSWORD_DOCKER}}
     steps:
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run env setup
         run: ./ci/setupEnv.sh
@@ -354,7 +354,7 @@ jobs:
       TRUSTSTORE_PASSWORD_DOCKER: ${{secrets.TRUSTSTORE_PASSWORD_DOCKER}}
     steps:
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run env setup
         run: ./ci/setupEnv.sh
@@ -388,7 +388,7 @@ jobs:
       TRUSTSTORE_PASSWORD_DOCKER: ${{secrets.TRUSTSTORE_PASSWORD_DOCKER}}
     steps:
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Run env setup
         run: ./ci/setupEnv.sh

.github/workflows/docker-publish.yml

@@ -15,9 +15,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up JDK 11
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: '11'
         distribution: 'temurin'

.github/workflows/maven_release.yml

@@ -15,9 +15,9 @@ jobs:
     if: "!contains(github.event.head_commit.message, '[maven-release-plugin]')"
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up JDK 11
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: '11'
         distribution: 'temurin'

CHANGELOG.md

@@ -1,6 +1,21 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.14.9] - 2024-07-11
+
+### Added
+
+ - CORS configuration (for compatibility with UI)
+
+### Changed
+
+ - Updated firewall.properties
+ - Multipart message library upgraded to 1.0.18
+ - Websocket library upgraded to 1.0.18
+ - Fix WSS SSL support
+ - Upgrade GHA to use Node.js 20
+
+
 ## [1.14.8] - 2024-02-14
 
 ### Added

README.md

@@ -97,6 +97,35 @@ allowUrlEncodedPeriod=true
 ```
 *IMPORTANT:* If you're not an expert, the strong advice is to keep values at their default values. If you decide to change values, pay special attention to allowHeaderNames and allowHeaderValues, since those set values are exclusive and considered as only values that should be present in the header.
 
+## CORS Configuration
+
+In order to communicate with UI, CORS (Cross-Origin Resource Sharing) settings should be configured in `application.properties` file. This allows you to specify which origins, methods, and headers are permitted when making cross-origin requests to your application.
+
+```
+application.cors.allowed.origins=
+application.cors.allowed.methods=
+application.cors.allowed.headers=
+```
+
+ - `application.cors.allowed.origins`: Specifies the allowed origins. If empty, all origins (*) are allowed.
+ - `application.cors.allowed.methods`: Specifies the allowed HTTP methods. If empty, all methods (*) are allowed.
+ - `application.cors.allowed.header`s: Specifies the allowed headers. If empty, all headers (*) are allowed.
+
+ Example configuration:
+
+ ```
+ # Allow specific origins
+application.cors.allowed.origins=https://example.com,https://another-example.com
+
+# Allow specific HTTP methods
+application.cors.allowed.methods=GET,POST,PUT,DELETE
+
+# Allow specific headers
+application.cors.allowed.headers=
+ ```
+
+
+
 ## How to Test
 The reachability could be verified using the following endpoints:
 *  **http://{IP_ADDRESS}:{HTTP_PUBLIC_PORT}/about/version**

ci/docker/be-dataapp_resources/application-docker.properties

@@ -61,3 +61,11 @@ application.security.password=$2a$10$MQ5grDaIqDpBjMlG78PFduv.AMRe9cs0CNm/V4cgUub
 
 #checkSum verification - true | false
 application.verifyCheckSum=false
+
+#CORS configuration
+#Allow specific origins
+application.cors.allowed.origins=
+#Allow specific HTTP methods
+application.cors.allowed.methods=
+#Allow specific headers
+application.cors.allowed.headers=

ci/docker/be-dataapp_resources/firewall.properties

@@ -3,7 +3,7 @@ allowedHeaderNames=
 #Set which values in header names should have the exact value and allowed (if want to allow any values keep it empty)
 allowedHeaderValues=
 #Set which HTTP methods should be allowed (if want to allow all header names, keep it empty)
-allowedMethods=GET,POST
+allowedMethods=GET,POST,OPTIONS
 #Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not
 allowBackSlash=true
 #Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not

ci/docker/ecc_resources_consumer/application-docker.properties

@@ -196,5 +196,13 @@ spring.h2.console.enabled=true
 spring.datasource.username=sa
 spring.datasource.password=file_password password
 
+#CORS configuration
+#Allow specific origins
+application.cors.allowed.origins=
+#Allow specific HTTP methods
+application.cors.allowed.methods=
+#Allow specific headers
+application.cors.allowed.headers=
+
 #For logging the response over WSS set to DEBUG, else leave empty
 #logging.level.it.eng.idsa.businesslogic.processor.receiver=

ci/docker/ecc_resources_consumer/firewall.properties

@@ -3,7 +3,7 @@ allowedHeaderNames=
 #Set which values in header names should have the exact value and allowed (if want to allow any values keep it empty)
 allowedHeaderValues=
 #Set which HTTP methods should be allowed (if want to allow all header names, keep it empty)
-allowedMethods=GET,POST
+allowedMethods=GET,POST,OPTIONS
 #Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not
 allowBackSlash=true
 #Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not

ci/docker/ecc_resources_provider/application-docker.properties

@@ -199,5 +199,13 @@ spring.h2.console.enabled=true
 spring.datasource.username=sa
 spring.datasource.password=file_password password
 
+#CORS configuration
+#Allow specific origins
+application.cors.allowed.origins=
+#Allow specific HTTP methods
+application.cors.allowed.methods=
+#Allow specific headers
+application.cors.allowed.headers=
+
 #For logging the response over WSS set to DEBUG, else leave empty
 #logging.level.it.eng.idsa.businesslogic.processor.receiver=

ci/docker/ecc_resources_provider/firewall.properties

@@ -3,7 +3,7 @@ allowedHeaderNames=
 #Set which values in header names should have the exact value and allowed (if want to allow any values keep it empty)
 allowedHeaderValues=
 #Set which HTTP methods should be allowed (if want to allow all header names, keep it empty)
-allowedMethods=GET,POST
+allowedMethods=GET,POST,OPTIONS
 #Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not
 allowBackSlash=true
 #Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not

ci/docker/test-cases/https-https-form/HTTPS-HTTPS-form-API.json

@@ -108,7 +108,7 @@
 						}
 					]
 				},
-				"method": "OPTIONS",
+				"method": "PUT",
 				"header": [
 					{
 						"key": "fizz",

pom.xml

@@ -19,7 +19,7 @@
 		<camel.version>3.19.0</camel.version>
 		<tomcat.version>9.0.76</tomcat.version>
 		<application.basedir>${basedir}</application.basedir>
-		<multipart.message.processor.version>1.0.17</multipart.message.processor.version>
+		<multipart.message.processor.version>1.0.18</multipart.message.processor.version>
 		<idscp2.libraries.version>0.5.2</idscp2.libraries.version>
 		<jacoco.version>0.8.8</jacoco.version>
 	</properties>

src/main/java/it/eng/idsa/businesslogic/configuration/EccFirewall.java

@@ -38,11 +38,11 @@ public class EccFirewall {
 	private boolean allowUrlEncodedPercent;
 	@Value("${allowUrlEncodedPeriod}")
 	private boolean allowUrlEncodedPeriod;
-	
+
 	@Bean
 	@ConditionalOnProperty(name = "application.firewall.isEnabled", havingValue = "true", matchIfMissing = false)
 	RequestRejectedHandler requestRejectedHandler() {
-	   return new HttpStatusRequestRejectedHandler(HttpStatus.METHOD_NOT_ALLOWED.value());
+		return new HttpStatusRequestRejectedHandler(HttpStatus.METHOD_NOT_ALLOWED.value());
 	}
 
 	@Bean
@@ -53,13 +53,19 @@ public StrictHttpFirewall httpFirewall() {
 		if (!CollectionUtils.isEmpty(allowedHeaderNames)) {
 			Predicate<String> headerNamePredicate = createAllowedHeaderNamesPredicate(allowedHeaderNames);
 			firewall.setAllowedHeaderNames(headerNamePredicate);
+		} else {
+			firewall.setAllowedHeaderNames((header) -> true);
 		}
 		if (!allowedHeaderValues.isEmpty()) {
 			Predicate<String> headerNameValuePredicate = createAllowedHeaderValuesPredicate(allowedHeaderValues);
 			firewall.setAllowedHeaderValues(headerNameValuePredicate);
+		} else {
+			firewall.setAllowedHeaderValues((header) -> true);
 		}
 		if (!CollectionUtils.isEmpty(allowedMethods)) {
 			firewall.setAllowedHttpMethods(allowedMethods);
+		} else {
+			firewall.setUnsafeAllowAnyHttpMethod(true);
 		}
 		firewall.setAllowBackSlash(allowBackSlash);
 		firewall.setAllowUrlEncodedSlash(allowUrlEncodedSlash);
@@ -70,7 +76,7 @@ public StrictHttpFirewall httpFirewall() {
 
 		return firewall;
 	}
-	
+
 	private Predicate<String> createAllowedHeaderNamesPredicate(List<String> allowedHeaderNames) {
 		return allowedHeaderNames.stream().collect(Collectors.toSet())::contains;
 	}