Skip to content

Commit 5c5f8e9

Browse files
goljajacopoc
authored andcommitted
Improved: Add CORS origins configuration for API security policy
(cherry picked from commit e44355a)
1 parent d0d01d8 commit 5c5f8e9

2 files changed

Lines changed: 23 additions & 0 deletions

File tree

framework/base/src/main/java/org/apache/ofbiz/base/util/UtilMisc.java

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -616,6 +616,21 @@ public static List<String> getHostHeadersAllowed() {
616616
return hostHeadersAllowed;
617617
}
618618

619+
/**
620+
* List of allowed origins for the API CORS policy, read from the
621+
* {@code cors.origins.allowed} property in security.properties.
622+
* Each entry must be a full origin (scheme + host + optional port),
623+
* e.g. {@code https://app.example.com}.
624+
* @return unmodifiable list of allowed CORS origins, or null if the property is empty
625+
*/
626+
public static List<String> getCorsOriginsAllowed() {
627+
String corsOriginsAllowedString = UtilProperties.getPropertyValue("security", "cors.origins.allowed");
628+
if (UtilValidate.isEmpty(corsOriginsAllowedString)) {
629+
return null;
630+
}
631+
return Collections.unmodifiableList(StringUtil.split(corsOriginsAllowedString, ","));
632+
}
633+
619634
/**
620635
* @deprecated use Thread.sleep()
621636
*/

framework/security/config/security.properties

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -193,6 +193,14 @@ content.data.url.resource.max.response.size=10485760
193193
# -- no spaces after commas,no wildcard, can be extended of course...
194194
host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-next.ofbiz.apache.org,demo-trunk.ofbiz-test.apache.org,demo-stable-test.ofbiz.apache.org,demo-next.ofbiz-test.apache.org
195195

196+
# -- Allowed origins for the API CORS policy (Access-Control-Allow-Origin).
197+
# -- Comma-separated list of origins (scheme + host + optional port), no spaces after commas, no wildcards.
198+
# -- Only requests whose Origin header exactly matches one of these values will receive
199+
# -- an Access-Control-Allow-Origin response header echoing that origin.
200+
# -- Requests from unlisted origins will not receive the header and will be blocked by the browser.
201+
# -- Example: cors.origins.allowed=https://app.example.com,https://admin.example.com
202+
cors.origins.allowed=
203+
196204
# -- By default the SameSite value in SameSiteFilter is 'strict'.
197205
# -- This property allows to change to 'lax' if needed.
198206
# -- If you use 'lax' we recommend that you set

0 commit comments

Comments
 (0)