diff --git a/gateway/src/main/java/org/georchestra/gateway/security/GatewaySecurityConfiguration.java b/gateway/src/main/java/org/georchestra/gateway/security/GatewaySecurityConfiguration.java
index 14940e35..95bcfb37 100644
--- a/gateway/src/main/java/org/georchestra/gateway/security/GatewaySecurityConfiguration.java
+++ b/gateway/src/main/java/org/georchestra/gateway/security/GatewaySecurityConfiguration.java
@@ -66,10 +66,6 @@ public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http, List customizers) throws Exception {
 log.info("Initializing security filter chain...");
- // disable csrf and cors or the websocket connection gets a 403 Forbidden.
- // Revisit.
- log.info("CSRF and CORS disabled. Revisit how they interfer with Websockets proxying.");
- http.csrf().disable().cors().disable();
 http.formLogin()
 .authenticationFailureHandler(new ExtendedRedirectServerAuthenticationFailureHandler("login?error"))
diff --git a/gateway/src/main/resources/application.yml b/gateway/src/main/resources/application.yml
index 38b8e450..c91fb705 100644
--- a/gateway/src/main/resources/application.yml
+++ b/gateway/src/main/resources/application.yml
@@ -10,12 +10,12 @@ server:
 port: 8080
 compression.enabled: true
 # HTTP/2 is only supported over TLS (HTTPS)
- # So we need to configure SSL if we want to support HTTP/2
+ # So we need to configure SSL if we want to support HTTP/2
 http2.enabled: ${server.ssl.enabled}
 ssl:
 enabled: false #TODO: configure SSL with a self-signed certificate
-
+
 spring:
 config:
 import: optional:file:${georchestra.datadir}/default.properties,optional:file:${georchestra.datadir}/gateway/gateway.yaml,optional:file:${georchestra.datadir}/gateway/security.yaml
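Review bot: Dropping `http.csrf().disable().cors().disable()` leaves both features at Spring Security's WebFlux defaults, which presumably means CSRF is now enforced (session-backed token, required on POST/PUT/PATCH/DELETE) for the formLogin POST and for every state-changing request proxied through the gateway, yet nothing in the hunk configures a token repository, a request matcher, or a CorsConfigurationSource, and the removed comment and log line were the only place that recorded why the defaults had been overridden. The comment cited a WebSocket 403 as the reason for disabling; the hunk does not say how that case is handled now, so that should be confirmed before merge. Suggest replacing the removed explanation rather than leaving none, e.g. `// CSRF and CORS are left at Spring Security defaults; CORS policy is expected to come from spring.cloud.gateway.globalcors.` so the next reader knows the omission is deliberate. The enclosing method securityWebFilterChain continues outside the hunk.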
@@ -32,6 +32,17 @@ spring:
 enabled: true
 global-filter.websocket-routing.enabled: true
 metrics.enabled: true
+ # Uncomment the following to allow cross-origin requests from any methods
+ # coming from anywhere.
+ # See https://docs.spring.io/spring-cloud-gateway/reference/spring-cloud-gateway/cors-configuration.html
+ # for more infos.
+ #globalcors:
+ # cors-configurations:
+ # '[/**]':
+ # allowedOrigins: "*"
+ # allowedHeaders: "*"
+ # allowedMethods: "*"
+
 default-filters:
 - SecureHeaders
 - TokenRelay
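Review bot: The commented-out `globalcors` sample sets `allowedOrigins`, `allowedHeaders` and `allowedMethods` all to `"*"` and the introductory comment presents it simply as the way to "allow cross-origin requests", without saying that a wildcard on `'[/**]'` opens every route of an authenticated gateway to any origin. Suggest extending the comment so an operator does not copy it into production as-is: `# Example only: "*" accepts any origin, header and method. Deployments should list the origins they actually serve (e.g. allowedOrigins: "https://<your-host>") and restrict methods/headers to what the clients need.` The surrounding context keys (`global-filter.websocket-routing.enabled`, `metrics.enabled`) appear to sit under `spring.cloud.gateway`, which is where `globalcors` belongs, so the comment could also remind the reader that the indentation must match that level when uncommented. Minor wording: "for more infos" should read "for more info".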