Merge pull request #548 from medizininformatik-initiative/bugfix/547-actuator-endpoint-throws-cors-error

michael-82 · web-flow · commit 67abebc0bf8e · 2025-07-07T14:11:56.000+02:00
#547 - Actuator Endpoint Throws CORS Error
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -186,13 +186,13 @@ jobs:
         run: docker compose -f .github/integration-test/docker-compose.yml up -d
 
       - name: Wait for Dataportal Backend
-        run: .github/scripts/wait-for-url.sh  http://localhost:8091/actuator/health
+        run: .github/scripts/wait-for-url.sh  http://localhost:8091/api/v5/actuator/health
 
       - name: Check if Dataportal Backend is correctly running with the user with id 10001
         run: .github/scripts/check-if-running-as-user-10001.sh
 
       - name: Check info endpoint
-        run: .github/scripts/check-info-endpoint.sh http://localhost:8091/actuator/info
+        run: .github/scripts/check-info-endpoint.sh http://localhost:8091/api/v5/actuator/info
 
       - name: Wait for Blaze
         run: .github/scripts/wait-for-url.sh  http://localhost:8082/health
diff --git a/Dockerfile b/Dockerfile
@@ -19,7 +19,7 @@ RUN mkdir logging && \
     apk --no-cache add curl bash
 USER 10001
 
-HEALTHCHECK --interval=5s --start-period=10s CMD curl -s -f http://localhost:8090/actuator/health || exit 1
+HEALTHCHECK --interval=5s --start-period=10s CMD curl -s -f http://localhost:8090/api/v5/actuator/health || exit 1
 
 COPY ./target/*.jar ./dataportal-backend.jar
 COPY ontology ontology
diff --git a/README.md b/README.md
@@ -312,7 +312,7 @@ DATAPORTAL_DATABASE_PORT=<your-desired-port> docker-compose up -d
 
 ### Testing if the Container is Running Properly
 ```
-GET http://localhost:8090/actuator/health
+GET http://localhost:8090/api/v5/actuator/health
 ```
 
 Should reply with status 200 and a JSON object
diff --git a/src/main/java/de/numcodex/feasibility_gui_backend/config/WebSecurityConfig.java b/src/main/java/de/numcodex/feasibility_gui_backend/config/WebSecurityConfig.java
@@ -98,6 +98,8 @@ public SecurityFilterChain apiFilterChain(
 
     http.authorizeHttpRequests(authorize -> authorize
             .requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(PATH_SWAGGER_CONFIG)).permitAll()
+            .requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(PATH_API + PATH_ACTUATOR_HEALTH)).permitAll()
+            .requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(PATH_API + PATH_ACTUATOR_INFO)).permitAll()
             .requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(PATH_API + PATH_SWAGGER_UI)).permitAll()
             .requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(PATH_API + PATH_TERMINOLOGY + "/**")).hasAuthority(keycloakAllowedRole)
             .requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(PATH_API + PATH_QUERY + PATH_DATA)).hasAuthority(keycloakAllowedRole)
@@ -108,8 +110,6 @@ public SecurityFilterChain apiFilterChain(
             .requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(PATH_API + "/**")).hasAnyAuthority(keycloakAdminRole, keycloakAllowedRole)
             .requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(PATH_API + PATH_DSE + "/**")).hasAnyAuthority(keycloakAdminRole, keycloakAllowedRole)
             .requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(PATH_API + PATH_CODEABLE_CONCEPT + "/**")).hasAnyAuthority(keycloakAdminRole, keycloakAllowedRole)
-            .requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(PATH_ACTUATOR_HEALTH)).permitAll()
-            .requestMatchers(PathPatternRequestMatcher.withDefaults().matcher(PATH_ACTUATOR_INFO)).permitAll()
             .anyRequest().authenticated()
         )
         .oauth2ResourceServer(oauth2 -> oauth2
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -35,8 +35,13 @@ springdoc:
 management:
   endpoints:
     web:
+      cors:
+        allowed-origins: "${ALLOWED_ORIGINS:http://localhost}"
+        allowed-methods: OPTIONS, GET
+        allowed-headers: "*"
       exposure:
         include: "health, info"
+      base-path: /api/v5/actuator
     access:
       default: none
   endpoint:
