From 4e613f066c64c3a9570091d646e520f842af71c3 Mon Sep 17 00:00:00 2001
From: OmarAitBenaissa
Date: Mon, 27 Apr 2026 17:47:49 +0200
Subject: [PATCH 1/2] feat(core): migrate to allowedOriginPatterns for credentialed CORS to prevent wildcard + credentials conflicts and allows controlled subdomain matching.

Signed-off-by: OmarAitBenaissa
---
 .../adapters/api/configuration/CorsProperties.java | 6 +++++-
 .../api/configuration/SecurityConfiguration.java | 12 +++++++++++-
 src/main/resources/application.yml | 6 +++++-
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/CorsProperties.java b/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/CorsProperties.java
index 19124e5..e81360a 100644
--- a/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/CorsProperties.java
+++ b/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/CorsProperties.java
@@ -7,9 +7,13 @@
 /// Type-safe CORS configuration properties bound from `spring.web.cors`.
 @ConfigurationProperties(prefix = "spring.web.cors")
 public record CorsProperties(
- List allowedOrigins
+ List allowedOrigins,
+ List allowedOriginPatterns
 ) {
 public CorsProperties {
+ if (allowedOriginPatterns == null) {
+ allowedOriginPatterns = List.of();
+ }
 if (allowedOrigins == null) {
 allowedOrigins = List.of();
 }
diff --git a/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java b/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java
index 8105a5d..bbcab5b 100644
--- a/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java
+++ b/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java
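Review bot: The compact constructor only null-normalises the two lists, so a bare `*` entry in `allowedOriginPatterns` passes through untouched; as far as I recall, Spring's credentials check only rejects `*` in `allowedOrigins`, while a `*` pattern is honoured and reflects whatever Origin the request carries together with `Access-Control-Allow-Credentials: true`, which is exactly the conflict the commit description sets out to prevent. Rejecting it here fails at startup, in the one place both lists are already normalised: `if (allowedOriginPatterns.contains("*")) {` / `throw new IllegalArgumentException("spring.web.cors.allowed-origin-patterns must not contain a bare '*'");` / `}`. Patterns with no fixed host suffix (e.g. a scheme followed only by `*`) deserve the same treatment, and snapshotting both lists with `List.copyOf(...)` at the same point would keep the record genuinely immutable. The record body continues past the hunk.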
@@ -54,7 +54,17 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) {
 @Bean
 public CorsConfigurationSource corsConfigurationSource() {
 CorsConfiguration configuration = new CorsConfiguration();
- configuration.setAllowedOrigins(corsProperties.allowedOrigins());
+
+ // Exact origins (no wildcard, safe with allowCredentials)
+ if (!corsProperties.allowedOrigins().isEmpty()) {
+ configuration.setAllowedOrigins(corsProperties.allowedOrigins());
+ }
+
+ // Pattern-based origins (supports wildcards, e.g. https://*.decathlon.io)
+ if (!corsProperties.allowedOriginPatterns().isEmpty()) {
+ configuration.setAllowedOriginPatterns(corsProperties.allowedOriginPatterns());
+ }
+
 configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
 configuration.setAllowedHeaders(List.of("*"));
 configuration.setAllowCredentials(true);
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 4b9adad..0137923 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -5,8 +5,12 @@ spring:
 # Disables serving of static resources (HTML, JS, CSS, images).
 add-mappings: false
 cors:
- # URLs allowed to make cross-origin API calls, set via SPRING_WEB_CORS_ALLOWED_ORIGINS env var (comma-separated list).
+ # Exact origins — set via SPRING_WEB_CORS_ALLOWED_ORIGINS env var (comma-separated).
+ # Use for known, fixed origins.
 allowed-origins: ${SPRING_WEB_CORS_ALLOWED_ORIGINS:}
+ # Pattern-based origins — set via SPRING_WEB_CORS_ALLOWED_ORIGIN_PATTERNS env var (comma-separated).
+ # Supports wildcards, e.g. https://*.decathlon.io. Compatible with allowCredentials(true).
+ allowed-origin-patterns: ${SPRING_WEB_CORS_ALLOWED_ORIGIN_PATTERNS:}
 
 jackson:
 # Serializes all JSON fields as snake_case (for example templateIdentifier → template_identifier).

From a94ce8a5ef08567b886d4c6791f34f45846e3528 Mon Sep 17 00:00:00 2001
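Review bot: A wildcard that slips into `allowedOrigins` is still caught only at request time: with `setAllowCredentials(true)` on the last context line, Spring (as far as I recall its behaviour) throws from `validateAllowCredentials()` on each preflight instead of refusing to start, so the misconfiguration shows up as failing browser calls rather than a boot error. Invoking the check once the configuration is assembled makes it a startup failure, `configuration.validateAllowCredentials();` directly after `configuration.setAllowCredentials(true);`, and the "safe with allowCredentials" comment on the exact-origins branch then holds by construction rather than by convention. When both lists are empty no origin is set at all, which fails closed for every cross-origin caller; saying so in the comment, e.g. `// No origins configured → all cross-origin requests are rejected (fail closed); never "fix" this with "*".`, stops the obvious wrong fix. corsConfigurationSource() continues past the hunk.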
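Review bot: The new `allowed-origin-patterns` comment promises more than Spring's pattern syntax delivers, as far as I recall it: `*` expands to a `.*` regex matched against the whole Origin header, so `https://*.decathlon.io` matches any subdomain depth but neither the apex `https://decathlon.io` nor a non-default port (that needs a `:[*]` port suffix), and a bare `*` pattern reflects every origin even with credentials enabled. Two caveat lines would spare an operator that surprise: `# Patterns must keep a fixed host suffix (e.g. https://*.decathlon.io); a bare * reflects every origin even with credentials enabled.` and `# Patterns do not match the apex domain or non-default ports; list those explicitly under allowed-origins.`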
From: OmarAitBenaissa
Date: Tue, 12 May 2026 16:39:55 +0200
Subject: [PATCH 2/2] feat(cors): update CORS configuration to remove wildcard support and enhance security with allowedOriginPatterns

Signed-off-by: OmarAitBenaissa
---
 .../adapters/api/configuration/SecurityConfiguration.java | 1 -
 src/main/resources/application.yml | 1 -
 2 files changed, 2 deletions(-)

diff --git a/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java b/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java
index bbcab5b..9242ef9 100644
--- a/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java
+++ b/src/main/java/com/decathlon/idp_core/infrastructure/adapters/api/configuration/SecurityConfiguration.java
@@ -60,7 +60,6 @@ public CorsConfigurationSource corsConfigurationSource() {
 configuration.setAllowedOrigins(corsProperties.allowedOrigins());
 }
 
- // Pattern-based origins (supports wildcards, e.g. https://*.decathlon.io)
 if (!corsProperties.allowedOriginPatterns().isEmpty()) {
 configuration.setAllowedOriginPatterns(corsProperties.allowedOriginPatterns());
 }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 0137923..fac3c27 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -9,7 +9,6 @@ spring:
 # Use for known, fixed origins.
 allowed-origins: ${SPRING_WEB_CORS_ALLOWED_ORIGINS:}
 # Pattern-based origins — set via SPRING_WEB_CORS_ALLOWED_ORIGIN_PATTERNS env var (comma-separated).
- # Supports wildcards, e.g. https://*.decathlon.io. Compatible with allowCredentials(true).
 allowed-origin-patterns: ${SPRING_WEB_CORS_ALLOWED_ORIGIN_PATTERNS:}
 
 jackson: