From b2c601000a44cf51c226f52c213063f02de70731 Mon Sep 17 00:00:00 2001
From: thenatog <thenatog@gmail.com>
Date: Thu, 13 Sep 2018 21:45:00 -0400
Subject: [PATCH] NIFI-5595 - Added the CORS filter to the templates/upload
 endpoint using a URL matcher. Explicitly allow methods GET, HEAD. These are
 the Spring defaults when the allowedMethods is empty but now it is explicit.
 This will require other methods like POST etc to be from the same origin (for
 the template/upload URL).

This closes #3024.

Signed-off-by: Andy LoPresto <alopresto@apache.org>
---
 .../web/NiFiWebApiSecurityConfiguration.java     | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
index 8d76bf3a6540a..d7fd89b40423d 100644
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.java
@@ -43,6 +43,11 @@
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.Arrays;
 
 /**
  * NiFi Web Api Spring security
@@ -89,6 +94,7 @@ public void configure(WebSecurity webSecurity) throws Exception {
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http
+                .cors().and()
                 .rememberMe().disable()
                 .authorizeRequests()
                     .anyRequest().fullyAuthenticated()
@@ -112,6 +118,16 @@ protected void configure(HttpSecurity http) throws Exception {
         http.anonymous().authenticationFilter(anonymousFilterBean());
     }
 
+
+    @Bean
+    CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration configuration = new CorsConfiguration();
+        configuration.setAllowedMethods(Arrays.asList("HEAD", "GET"));
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/process-groups/*/templates/upload", configuration);
+        return source;
+    }
+
     @Bean
     @Override
     public AuthenticationManager authenticationManagerBean() throws Exception {