Merge pull request #1248 from stormpath/1241_cors_fix_for_angular

dogeared · web-flow · commit 9b6f85a410be · 2017-01-18T17:50:05.000-05:00
1241 - Fixing CORS issue for Angular
diff --git a/extensions/servlet/src/main/resources/com/stormpath/sdk/servlet/config/web.stormpath.properties b/extensions/servlet/src/main/resources/com/stormpath/sdk/servlet/config/web.stormpath.properties
@@ -354,5 +354,6 @@ stormpath.web.assets.css.enabled = true
 stormpath.web.cors.enabled = true
 #Comma separated list of allowed origins
 stormpath.web.cors.allowed.originUris =
-stormpath.web.cors.allowed.headers = Content-Type,Accept,X-Requested-With,remember-me
+stormpath.web.cors.allowed.headers = Content-Type,Accept,X-Requested-With,remember-me,authorization,x-stormpath-agent
 stormpath.web.cors.allowed.methods = POST,GET,OPTIONS,DELETE,PUT
+stormpath.web.cors.allow.credentials = true
diff --git a/extensions/servlet/src/test/groovy/com/stormpath/sdk/servlet/config/SpecConfigVersusWebPropertiesTest.groovy b/extensions/servlet/src/test/groovy/com/stormpath/sdk/servlet/config/SpecConfigVersusWebPropertiesTest.groovy
@@ -85,7 +85,7 @@ class SpecConfigVersusWebPropertiesTest {
             specProperties.containsKey(k) ? null : k
         }
 
-        def expected_diff_size = 82
+        def expected_diff_size = 83
 
         if (diff.size != expected_diff_size) {
             println "It looks like a property was added or removed from the Framework Spec or web.stormpath.properties."
diff --git a/extensions/spring/boot/stormpath-spring-security-webmvc-spring-boot-starter/src/main/java/com/stormpath/spring/boot/autoconfigure/StormpathWebSecurityAutoConfiguration.java b/extensions/spring/boot/stormpath-spring-security-webmvc-spring-boot-starter/src/main/java/com/stormpath/spring/boot/autoconfigure/StormpathWebSecurityAutoConfiguration.java
@@ -150,8 +150,13 @@ public AuthenticationEntryPoint stormpathAuthenticationEntryPoint() {
     /**
      * @since 1.3.0
      */
+    /*
+     * We cannot add @ConditionalOnMissingBean here.
+     * When using the spring boot starter parent, it has a CorsConfigurationSource that would prevent this bean from being used.
+     * Fix for: https://github.com/stormpath/stormpath-sdk-java/issues/1241
+     */
     @Bean
-    @ConditionalOnMissingBean
+    @Override
     public CorsConfigurationSource corsConfigurationSource() {
         return super.corsConfigurationSource();
     }
diff --git a/extensions/spring/boot/stormpath-webmvc-spring-boot-starter/src/main/resources/META-INF/additional-spring-configuration-metadata.json b/extensions/spring/boot/stormpath-webmvc-spring-boot-starter/src/main/resources/META-INF/additional-spring-configuration-metadata.json
@@ -1018,13 +1018,19 @@
       "name": "stormpath.web.cors.allowed.headers",
       "type": "java.lang.String",
       "description": "Comma separated list of allowed headers for a CORS request.",
-      "defaultValue": "Content-Type,Accept,X-Requested-With,remember-me"
+      "defaultValue": "Content-Type,Accept,X-Requested-With,remember-me,authorization,x-stormpath-agent"
     },
     {
       "name": "stormpath.web.cors.allowed.methods",
       "type": "java.lang.String",
       "description": "Comma separated list of allowed methods for a CORS request.",
       "defaultValue": "POST,GET,OPTIONS,DELETE,PUT"
+    },
+    {
+      "name": "stormpath.web.cors.allow.credentials",
+      "type": "java.lang.Boolean",
+      "description": "Whether user credentials are supported.",
+      "defaultValue": true
     }
   ]
 }
diff --git a/extensions/spring/stormpath-spring-security-webmvc/src/main/java/com/stormpath/spring/config/AbstractStormpathWebSecurityConfiguration.java b/extensions/spring/stormpath-spring-security-webmvc/src/main/java/com/stormpath/spring/config/AbstractStormpathWebSecurityConfiguration.java
@@ -129,12 +129,15 @@ public abstract class AbstractStormpathWebSecurityConfiguration {
     @Value("#{ @environment['stormpath.web.cors.allowed.originUris'] }")
     protected String corsAllowedOrigins;
 
-    @Value("#{ @environment['stormpath.web.cors.allowed.headers'] ?: 'Content-Type,Accept,X-Requested-With,remember-me' }")
+    @Value("#{ @environment['stormpath.web.cors.allowed.headers'] ?: 'Content-Type,Accept,X-Requested-With,remember-me,authorization,x-stormpath-agent' }")
     protected String corsAllowedHeaders;
 
     @Value("#{ @environment['stormpath.web.cors.allowed.methods'] ?: 'POST,GET,OPTIONS,DELETE,PUT' }")
     protected String corsAllowedMethods;
 
+    @Value("#{ @environment['stormpath.web.cors.allow.credentials'] ?: true }")
+    protected boolean corsAllowCredentials;
+
     @Value("#{ @environment['stormpath.web.stormpathFilter.enabled'] ?: true }")
     protected boolean stormpathFilterEnabled;
 
@@ -279,6 +282,7 @@ public CorsConfigurationSource corsConfigurationSource() {
         configuration.setAllowedOrigins(Strings.split(corsAllowedOrigins) != null ? Arrays.asList(Strings.split(corsAllowedOrigins)) : Collections.<String>emptyList());
         configuration.setAllowedHeaders(Strings.split(corsAllowedHeaders) != null ? Arrays.asList(Strings.split(corsAllowedHeaders)) : Collections.<String>emptyList());
         configuration.setAllowedMethods(Strings.split(corsAllowedMethods) != null ? Arrays.asList(Strings.split(corsAllowedMethods)) : Collections.<String>emptyList());
+        configuration.setAllowCredentials(corsAllowCredentials); // fix for https://github.com/stormpath/stormpath-sdk-java/issues/1241
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", configuration);
         return source;
diff --git a/extensions/spring/stormpath-spring-security-webmvc/src/main/java/com/stormpath/spring/config/StormpathWebSecurityConfiguration.java b/extensions/spring/stormpath-spring-security-webmvc/src/main/java/com/stormpath/spring/config/StormpathWebSecurityConfiguration.java
@@ -119,6 +119,7 @@ public AuthenticationEntryPoint stormpathAuthenticationEntryPoint() {
      * @since 1.3.0
      */
     @Bean
+    @Override
     public CorsConfigurationSource corsConfigurationSource() {
         return super.corsConfigurationSource();
     }
diff --git a/extensions/spring/stormpath-spring-webmvc/src/main/java/com/stormpath/spring/config/AbstractStormpathWebMvcConfiguration.java b/extensions/spring/stormpath-spring-webmvc/src/main/java/com/stormpath/spring/config/AbstractStormpathWebMvcConfiguration.java
@@ -406,12 +406,15 @@ public abstract class AbstractStormpathWebMvcConfiguration {
     @Value("#{ @environment['stormpath.web.cors.allowed.originUris'] }")
     protected String corsAllowedOrigins;
 
-    @Value("#{ @environment['stormpath.web.cors.allowed.headers'] ?: 'Content-Type,Accept,X-Requested-With,remember-me' }")
+    @Value("#{ @environment['stormpath.web.cors.allowed.headers'] ?: 'Content-Type,Accept,X-Requested-With,remember-me,authorization,x-stormpath-agent' }")
     protected String corsAllowedHeaders;
 
     @Value("#{ @environment['stormpath.web.cors.allowed.methods'] ?: 'POST,GET,OPTIONS,DELETE,PUT' }")
     protected String corsAllowedMethods;
 
+    @Value("#{ @environment['stormpath.web.cors.allow.credentials'] ?: true }")
+    protected boolean corsAllowCredentials;
+
     @Autowired(required = false)
     protected PathMatcher pathMatcher;
 
@@ -1530,6 +1533,7 @@ public Filter newCorsFilter() {
         config.setAllowedOrigins(stormpathCorsAllowedOrigins());
         config.setAllowedHeaders(stormpathCorsAllowedHeaders());
         config.setAllowedMethods(stormpathCorsAllowedMethods());
+        config.setAllowCredentials(corsAllowCredentials);
         source.registerCorsConfiguration("/**", config);
         return new CorsFilter(source);
     }

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ class SpecConfigVersusWebPropertiesTest {`
`85`	`85`	`specProperties.containsKey(k) ? null : k`
`86`	`86`	`}`
`87`	`87`
`88`		`- def expected_diff_size = 82`
	`88`	`+ def expected_diff_size = 83`
`89`	`89`
`90`	`90`	`if (diff.size != expected_diff_size) {`
`91`	`91`	`println "It looks like a property was added or removed from the Framework Spec or web.stormpath.properties."`
Original file line number	Diff line number	Diff line change
`@@ -1018,13 +1018,19 @@`
`1018`	`1018`	`"name": "stormpath.web.cors.allowed.headers",`
`1019`	`1019`	`"type": "java.lang.String",`
`1020`	`1020`	`"description": "Comma separated list of allowed headers for a CORS request.",`
`1021`		`- "defaultValue": "Content-Type,Accept,X-Requested-With,remember-me"`
	`1021`	`+ "defaultValue": "Content-Type,Accept,X-Requested-With,remember-me,authorization,x-stormpath-agent"`
`1022`	`1022`	`},`
`1023`	`1023`	`{`
`1024`	`1024`	`"name": "stormpath.web.cors.allowed.methods",`
`1025`	`1025`	`"type": "java.lang.String",`
`1026`	`1026`	`"description": "Comma separated list of allowed methods for a CORS request.",`
`1027`	`1027`	`"defaultValue": "POST,GET,OPTIONS,DELETE,PUT"`
	`1028`	`+ },`
	`1029`	`+ {`
	`1030`	`+ "name": "stormpath.web.cors.allow.credentials",`
	`1031`	`+ "type": "java.lang.Boolean",`
	`1032`	`+ "description": "Whether user credentials are supported.",`
	`1033`	`+ "defaultValue": true`
`1028`	`1034`	`}`
`1029`	`1035`	`]`
`1030`	`1036`	`}`
Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,7 @@ public AuthenticationEntryPoint stormpathAuthenticationEntryPoint() {`
`119`	`119`	`* @since 1.3.0`
`120`	`120`	`*/`
`121`	`121`	`@Bean`
	`122`	`+ @Override`
`122`	`123`	`public CorsConfigurationSource corsConfigurationSource() {`
`123`	`124`	`return super.corsConfigurationSource();`
`124`	`125`	`}`