CORS filter: Allow setting CORS_ALLOW_HEADERS and CORS_ALLOW_ORIGIN v…

…ia env vars

WEB-INF/classes/gov/noaa/pfel/erddap/http/CorsResponseFilter.java

@@ -1,27 +1,73 @@
 package gov.noaa.pfel.erddap.http;
 
+import com.cohort.util.String2;
 import gov.noaa.pfel.erddap.util.EDStatic;
 import jakarta.servlet.Filter;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.annotation.WebFilter;
+import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.List;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang3.StringUtils;
 
 /** Add CORS headers to the response if EDStatic.enableCors is true. */
 @WebFilter("/*")
 public class CorsResponseFilter implements Filter {
+  private static final String ALLOW_HEADERS =
+      System.getenv()
+          .getOrDefault(
+              "CORS_ALLOW_HEADERS",
+              "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent");
+  private static final List<String> ALLOW_ORIGIN =
+      String2.splitToArrayList(System.getenv("CORS_ALLOW_ORIGIN"), ',');
+
   @Override
   public void doFilter(
       ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
       throws IOException, ServletException {
     if (EDStatic.enableCors) {
+      HttpServletRequest request = (HttpServletRequest) servletRequest;
       HttpServletResponse response = (HttpServletResponse) servletResponse;
-      response.setHeader("Access-Control-Allow-Origin", "*");
+      String requestOrigin = StringUtils.trim(request.getHeader("Origin"));
+      if (requestOrigin != null && requestOrigin.equalsIgnoreCase("null")) {
+        requestOrigin = null;
+      }
+
+      if (CollectionUtils.isEmpty(ALLOW_ORIGIN)) {
+        // If ALLOW_ORIGIN is not set, any origin is allowed
+        if (String2.isSomething(requestOrigin)) {
+          response.setHeader("Access-Control-Allow-Origin", requestOrigin);
+        } else {
+          response.setHeader("Access-Control-Allow-Origin", "*");
+        }
+      } else {
+        // If ALLOW_ORIGIN is set, make sure the request origin was provided and is in the
+        // ALLOW_ORIGIN list
+        if (String2.isSomething(requestOrigin)) {
+          if (ALLOW_ORIGIN.contains(requestOrigin)) {
+            response.setHeader("Access-Control-Allow-Origin", requestOrigin);
+          } else {
+            response.setHeader(
+                "Access-Control-Allow-Origin", requestOrigin + ".origin-not-allowed.invalid");
+          }
+        } else {
+          response.setHeader("Access-Control-Allow-Origin", "https://origin-not-provided.invalid");
+        }
+      }
+
       response.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
-      response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+      response.setHeader("Access-Control-Allow-Headers", ALLOW_HEADERS);
+
+      if (request.getMethod().equalsIgnoreCase("OPTIONS")) {
+        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
+        response.setHeader("Access-Control-Max-Age", "7200");
+        return;
+      }
     }
     filterChain.doFilter(servletRequest, servletResponse);
   }

WEB-INF/web.xml

@@ -39,9 +39,11 @@ Use netcat to test if this works:
   <web-resource-collection>
     <web-resource-name>restricted methods</web-resource-name>
     <url-pattern>/*</url-pattern>
-    <http-method>TRACE</http-method>
-    <http-method>PUT</http-method>
-    <http-method>DELETE</http-method>
+    <!-- list allowed methods, all others are restricted -->
+    <http-method-omission>GET</http-method-omission>
+    <http-method-omission>HEAD</http-method-omission>
+    <http-method-omission>OPTIONS</http-method-omission>
+    <http-method-omission>POST</http-method-omission>
   </web-resource-collection>
   <auth-constraint />
 </security-constraint>

docker-compose.yml

@@ -11,6 +11,7 @@ services:
       ERDDAP_MEMORY: "${ERDDAP_MEMORY:-4g}"
       ERDDAP_baseUrl: "http://${ERDDAP_HOST:-localhost}:${ERDDAP_PORT:-8080}"
       ERDDAP_enableCors: "true"
+      #CORS_ALLOW_ORIGIN: "https://some-allowed-domain.com,http://this-one-also.org:8080"
     mem_limit: "${ERDDAP_CONTAINER_MEM_LIMIT:-6g}"
   logs:
     image: debian:bookworm-slim