FINERACT-2326: Fix configuration options for CORS (#5210)

Author: mariiaKraievska

fineract-core/src/main/java/org/apache/fineract/infrastructure/core/config/FineractProperties.java

@@ -695,7 +695,7 @@ public static class ExecuteCommandProperties {
     public static class CorsProperties {
 
         private boolean enabled;
-        private List<String> allowedOrigins;
+        private List<String> allowedOriginPatterns;
         private List<String> allowedMethods;
         private List<String> allowedHeaders;
         private List<String> exposedHeaders;

fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/config/SecurityConfig.java

@@ -263,7 +263,7 @@ public AuthenticationManager authenticationManagerBean() throws Exception {
     public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration config = new CorsConfiguration();
         FineractProperties.CorsProperties corsConfiguration = fineractProperties.getSecurity().getCors();
-        config.setAllowedOrigins(corsConfiguration.getAllowedOrigins());
+        config.setAllowedOriginPatterns(corsConfiguration.getAllowedOriginPatterns());
         config.setAllowedMethods(corsConfiguration.getAllowedMethods());
         config.setAllowedHeaders(corsConfiguration.getAllowedHeaders());
         config.setExposedHeaders(corsConfiguration.getExposedHeaders());

fineract-provider/src/main/java/org/apache/fineract/infrastructure/security/config/AuthorizationServerConfig.java

@@ -192,7 +192,7 @@ public SecurityFilterChain protectedEndpoints(HttpSecurity http) throws Exceptio
     public CorsConfigurationSource corsConfigurationSource() {
         CorsConfiguration config = new CorsConfiguration();
         FineractProperties.CorsProperties corsConfiguration = fineractProperties.getSecurity().getCors();
-        config.setAllowedOrigins(corsConfiguration.getAllowedOrigins());
+        config.setAllowedOriginPatterns(corsConfiguration.getAllowedOriginPatterns());
         config.setAllowedMethods(corsConfiguration.getAllowedMethods());
         config.setAllowedHeaders(corsConfiguration.getAllowedHeaders());
         config.setExposedHeaders(corsConfiguration.getExposedHeaders());

fineract-provider/src/main/resources/application.properties

@@ -28,10 +28,10 @@ fineract.security.hsts.enabled=${FINERACT_SECURITY_HSTS_ENABLED:false}
 
 #CORS configuration
 fineract.security.cors.enabled=${FINERACT_SECURITY_CORS_ENABLED:true}
-fineract.security.cors.allowed-origins=${FINERACT_SECURITY_CORS_ALLOWED_ORIGINS:"*"}
-fineract.security.cors.allowed-methods=${FINERACT_SECURITY_CORS_ALLOWED_METHODS:"*"}
-fineract.security.cors.allowed-headers=${FINERACT_SECURITY_CORS_ALLOWED_HEADERS:"*"}
-fineract.security.cors.exposed-headers=${FINERACT_SECURITY_CORS_EXPOSED_HEADERS:"*"}
+fineract.security.cors.allowed-origin-patterns=${FINERACT_SECURITY_CORS_ALLOWED_ORIGIN_PATTERNS:*}
+fineract.security.cors.allowed-methods=${FINERACT_SECURITY_CORS_ALLOWED_METHODS:*}
+fineract.security.cors.allowed-headers=${FINERACT_SECURITY_CORS_ALLOWED_HEADERS:*}
+fineract.security.cors.exposed-headers=${FINERACT_SECURITY_CORS_EXPOSED_HEADERS:*}
 fineract.security.cors.allow-credentials=${FINERACT_SECURITY_CORS_ALLOW_CREDENTIALS:true}
 
 # EXAMPLE: OAuth2 client configuration (frontend-client)

fineract-provider/src/test/resources/application-test.properties

@@ -27,10 +27,10 @@ fineract.security.hsts.enabled=false
 
 #CORS configuration
 fineract.security.cors.enabled=true
-fineract.security.cors.allowed-origins="*"
-fineract.security.cors.allowed-methods="*"
-fineract.security.cors.allowed-headers="*"
-fineract.security.cors.exposed-headers="*"
+fineract.security.cors.allowed-origin-patterns=*
+fineract.security.cors.allowed-methods=*
+fineract.security.cors.allowed-headers=*
+fineract.security.cors.exposed-headers=*
 fineract.security.cors.allow-credentials=true
 
 fineract.tenant.host=localhost