[webapp] set CORS response headers for supporting AJAX request.

scouter-project · Mar 2, 2018 · 2c621d9 · 2c621d9
1 parent d5e2be8
commit 2c621d9
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 14 deletions.
diff --git a/scouter.webapp/conf/scouterConfSample2.conf b/scouter.webapp/conf/scouterConfSample2.conf
@@ -6,3 +6,6 @@ net_collector_ip_port_id_pws=127.0.0.1:6100:admin:admin
 #net_collector_ip_port_id_pws=10.113.121.146:6100:admin:adminadmin
 #net_collector_ip_port_id_pws=10.40.18.190:6100:webapp:!webapp990909
 
+net_http_api_auth_bearer_token_enabled=true
+net_http_api_cors_allow_origin=*
+net_http_api_cors_allow_credentials=true
diff --git a/scouter.webapp/src/main/java/scouterx/webapp/framework/filter/CorsFilter.java b/scouter.webapp/src/main/java/scouterx/webapp/framework/filter/CorsFilter.java
@@ -27,32 +27,41 @@
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.HttpMethod;
 import java.io.IOException;
 
 public class CorsFilter implements Filter {
     ConfigureAdaptor conf;
 
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-        //TODO why not added header?
+        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
         HttpServletResponse httpServletResponse = (HttpServletResponse) response;
-        if (StringUtils.isNotBlank(conf.getNetHttpApiCorsAllowOrigin())) {
-            httpServletResponse.addHeader("Access-Control-Allow-Origin", conf.getNetHttpApiCorsAllowOrigin());
+
+        String allowOrigin = conf.getNetHttpApiCorsAllowOrigin();
+        String allowCredentials = conf.getNetHttpApiCorsAllowCredentials();
+
+        if (StringUtils.isNotBlank(allowOrigin)) {
+            if ("true".equals(allowCredentials) && "*".equals(allowOrigin)) {
+                String hostHeader = httpServletRequest.getHeader("origin");
+                if (StringUtils.isNotBlank(hostHeader)) {
+                    allowOrigin = hostHeader;
+                }
+            }
+            httpServletResponse.addHeader("Access-Control-Allow-Origin", allowOrigin);
+            httpServletResponse.addHeader("Access-Control-Allow-Credentials", allowCredentials);
+
             httpServletResponse.addHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
-            httpServletResponse.addHeader("Access-Control-Allow-Credentials", conf.getNetHttpApiCorsAllowCredentials());
+            httpServletResponse.addHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE, PATCH");
+
+            if (httpServletRequest.getMethod().equals(HttpMethod.OPTIONS)) {
+                return;
+            }
         }
 
         chain.doFilter(request, response);
-
-//        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
-//        if (StringUtils.isNotBlank(conf.getNetHttpApiCorsAllowOrigin())) {
-//            if (StringUtils.isBlank(httpServletResponse.getHeader("Access-Control-Allow-Origin"))) {
-//                httpServletResponse.addHeader("Access-Control-Allow-Origin", conf.getNetHttpApiCorsAllowOrigin());
-//                httpServletResponse.addHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
-//                httpServletResponse.addHeader("Access-Control-Allow-Credentials", conf.getNetHttpApiCorsAllowCredentials());
-//            }
-//        }
     }
 
     @Override
@@ -63,4 +72,4 @@ public void destroy() {
     public void init(FilterConfig filterConfig) throws ServletException {
         conf = ConfigureManager.getConfigure();
     }
-}
+}