From 07147247d08ba2f3a3b84d1893de5261f82bff14 Mon Sep 17 00:00:00 2001
From: Federica Agostini
Date: Fri, 22 Mar 2024 14:24:28 +0100
Subject: [PATCH] Enable CORS also on well-known endpoint (#725)

---
 .../mw/iam/config/security/CorsConfig.java | 19 +++++++++---------
 .../config/security/MitreSecurityConfig.java | 20 +++++++++++++++++++
 .../src/main/resources/application.yml | 5 +++--
 3 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/security/CorsConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/security/CorsConfig.java
index 3e2895a19..83f65223d 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/config/security/CorsConfig.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/security/CorsConfig.java
@@ -27,17 +27,18 @@ public class CorsConfig {
 private static final String[] CORS_ENDPOINT_MATCHERS =
 // @formatter:off
 {
- "/api/**",
- "/resource/**",
+ "/api/**",
+ "/resource/**",
 "/register/**",
- "/iam/**",
- "/scim/**",
- "/token",
- "/introspect",
- "/userinfo",
- "/revoke/**",
+ "/iam/**",
+ "/scim/**",
+ "/token",
+ "/introspect",
+ "/userinfo",
+ "/revoke/**",
 "/jwk",
- "/devicecode"
+ "/devicecode",
+ "/.well-known/openid-configuration"
 };
 //@formatter:on
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/config/security/MitreSecurityConfig.java b/iam-login-service/src/main/java/it/infn/mw/iam/config/security/MitreSecurityConfig.java
index 28bd6363c..62abcacbe 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/config/security/MitreSecurityConfig.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/config/security/MitreSecurityConfig.java
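Review bot: Only the last two lines of the CorsConfig hunk change behaviour (the added `"/.well-known/openid-configuration"` matcher); the other nine removed/added pairs carry identical text and so differ by whitespace only, which buries the functional change in the history and would be better split into a separate formatting commit. The `CORS_ENDPOINT_MATCHERS` array also has no comment stating what qualifies a path for CORS, so the next entry will be added by guesswork; a one-liner above it such as `// Endpoints that browser-based clients call cross-origin; presumably each needs a matching security chain in MitreSecurityConfig` would help. The new matcher is exact, so other paths under `/.well-known/` are not covered — fine if intended, but worth saying in that comment.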
@@ -306,5 +306,25 @@ protected void configure(final HttpSecurity http) throws Exception {
 // @formatter:on
 }
 }
+
+ @Configuration
+ @Order(28)
+ public static class WellKnownEndpointConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(final HttpSecurity http) throws Exception {
+
+ // @formatter:off
+ http.antMatcher("/.well-known/openid-configuration")
+ .cors()
+ .and()
+ .sessionManagement()
+ .sessionCreationPolicy(STATELESS)
+ .and()
+ .authorizeRequests()
+ .antMatchers("/**").permitAll();
+ // @formatter:on
+ }
+ }
 }
diff --git a/iam-login-service/src/main/resources/application.yml b/iam-login-service/src/main/resources/application.yml
index af44c8f26..e036256cc 100644
--- a/iam-login-service/src/main/resources/application.yml
+++ b/iam-login-service/src/main/resources/application.yml
@@ -90,13 +90,14 @@ spring:
 mvc:
 pathmatch:
 matching-strategy: "ant-path-matcher"
+
 iam:
 host: ${IAM_HOST:localhost}
 baseUrl: ${IAM_BASE_URL:http://${iam.host}:8080}
 issuer: ${IAM_ISSUER:http://${iam.host}:8080}
 topbarTitle: ${IAM_TOPBAR_TITLE:INDIGO IAM for ${iam.organisation.name}}
 showSql: ${IAM_DATABASE_SHOW_SQL:false}
-
+
 jwk:
 keystore-location: ${IAM_KEY_STORE_LOCATION:classpath:keystore.jwks}
 default-key-id: ${IAM_JWK_DEFAULT_KEY_ID:rsa1}
@@ -104,7 +105,7 @@ iam:
 default-jwe-encrypt-key-id: ${IAM_JWK_DEFAULT_JWE_ENCRYPT_KEY_ID:${iam.jwk.default-key-id}}
 default-jws-algorithm: ${IAM_JWK_DEFAULT_JWS_ALGORITHM:RS256}
 default-jwe-algorithm: ${IAM_JWT_DEFAULT_JWE_ALGORITHM:RSA_OAEP_256}
-
+
 jwt-profile:
 default-profile: ${IAM_JWT_DEFAULT_PROFILE:iam}
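Review bot: The new `WellKnownEndpointConfig` has no comment explaining why the discovery document needs its own security chain, and `@Order(28)` is a bare number whose relation to the neighbouring configurers (all outside this hunk) is not stated; since ordering decides which `WebSecurityConfigurerAdapter` claims a request, a colliding value or a broader chain ordered before this one would silently take the request instead and the `.cors()` added here would never apply. I would add a class Javadoc such as `/** Stateless, permit-all chain for the OIDC discovery document, registered separately so that CORS (including preflight) is applied to it. */` and a short note beside `@Order(28)` naming the chain it must precede. Inside an `antMatcher("/.well-known/openid-configuration")` chain, `.antMatchers("/**").permitAll()` reads broader than it is; `.anyRequest().permitAll()` expresses the same rule without suggesting a catch-all. The matcher is exact, so only that single path gets this treatment — worth stating in the comment if that is the intent.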