diff --git a/extensions/reactive-routes/deployment/src/test/resources/conf/cors-config.properties b/extensions/reactive-routes/deployment/src/test/resources/conf/cors-config.properties
index 6cc822b80597cb..10c86a915bd04c 100644
--- a/extensions/reactive-routes/deployment/src/test/resources/conf/cors-config.properties
+++ b/extensions/reactive-routes/deployment/src/test/resources/conf/cors-config.properties
@@ -1,3 +1,4 @@
 quarkus.http.cors=true
+quarkus.http.cors.origins=*
 # whitespaces added to test that they are not taken into account config is parsed
 quarkus.http.cors.methods=GET, OPTIONS, POST
diff --git a/extensions/resteasy-classic/resteasy/deployment/src/test/resources/cors-config.properties b/extensions/resteasy-classic/resteasy/deployment/src/test/resources/cors-config.properties
index aa8d0000a7867e..3f6f798ab006f6 100644
--- a/extensions/resteasy-classic/resteasy/deployment/src/test/resources/cors-config.properties
+++ b/extensions/resteasy-classic/resteasy/deployment/src/test/resources/cors-config.properties
@@ -1 +1,2 @@
-quarkus.http.cors=true
\ No newline at end of file
+quarkus.http.cors=true
+quarkus.http.cors.origins=*
diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSecurityTestCase.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSecurityTestCase.java
index 6b60a1b8ee6209..8117bf00dbd573 100644
--- a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSecurityTestCase.java
+++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSSecurityTestCase.java
@@ -22,6 +22,7 @@ public class CORSSecurityTestCase {
 private static final String APP_PROPS = "" +
 "quarkus.http.cors=true\n" +
+ "quarkus.http.cors.origins=*\n" +
 "quarkus.http.cors.methods=GET, OPTIONS, POST\n" +
 "quarkus.http.auth.basic=true\n" +
 "quarkus.http.auth.policy.r1.roles-allowed=test\n" +
diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSWildcardSecurityTestCase.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSWildcardSecurityTestCase.java
index 0170bc71864842..0cbda431190ef3 100644
--- a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSWildcardSecurityTestCase.java
+++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSWildcardSecurityTestCase.java
@@ -22,6 +22,7 @@ public class CORSWildcardSecurityTestCase {
 private static final String APP_PROPS = "" +
 "quarkus.http.cors=true\n" +
+ "quarkus.http.cors.origins=*\n" +
 "quarkus.http.auth.basic=true\n" +
 "quarkus.http.auth.policy.r1.roles-allowed=test\n" +
 "quarkus.http.auth.permission.roles1.paths=/test\n" +
diff --git a/extensions/vertx-http/deployment/src/test/resources/conf/cors-config.properties b/extensions/vertx-http/deployment/src/test/resources/conf/cors-config.properties
index 59bdec217dfd2d..6e587318d781dc 100644
--- a/extensions/vertx-http/deployment/src/test/resources/conf/cors-config.properties
+++ b/extensions/vertx-http/deployment/src/test/resources/conf/cors-config.properties
@@ -1,4 +1,5 @@
 quarkus.http.cors=true
+quarkus.http.cors.origins=*
 # whitespaces added to test that they are not taken into account config is parsed
 quarkus.http.cors.methods=GET, OPTIONS, POST
 quarkus.http.cors.access-control-allow-credentials=true
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSConfig.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSConfig.java
index d98820d59c099d..4b2a57fd22573a 100644
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSConfig.java
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSConfig.java
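Review bot: The added `quarkus.http.cors.origins=*` sits two lines above `quarkus.http.cors.access-control-allow-credentials=true`, and CORSFilter answers a wildcard by echoing the request's Origin rather than emitting a literal `*`, so this fixture now grants credentialed cross-origin access to every origin. That is presumably what the wildcard tests mean to exercise, but nothing in the file says so and it is the kind of properties file people copy into real applications. I would put a comment above the new line: `# '*' is reflected back as the requesting origin, so with allow-credentials=true ANY site can send credentialed requests - test fixture only`. If the tests do not actually depend on the combination, pinning the explicit origin the tests send would be the safer fixture.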
@@ -18,9 +18,6 @@ public class CORSConfig {
 * Comma separated list of valid URLs, e.g.: http://www.quarkus.io,http://localhost:3000
 * In case an entry of the list is surrounded by forward slashes,
 * it is interpreted as a regular expression.
- * The filter allows any origin if this is not set.
- *
- * default: returns any requested origin as valid
 */
 @ConfigItem
 @ConvertWith(TrimmedStringConverter.class)
diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
index c5b476789e1883..dc370ddf356866 100644
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
@@ -54,6 +54,10 @@ public static boolean isConfiguredWithWildcard(Optional> optionalLi
 return list.isEmpty() || (list.size() == 1 && "*".equals(list.get(0)));
 }
+ private static boolean isOriginConfiguredWithWildcard(List origins) {
+ return origins.size() == 1 && "*".equals(origins.get(0));
+ }
+
 /**
 * Parse the provided allowed origins for any regexes
 *
@@ -178,8 +182,9 @@ public void handle(RoutingContext event) {
 processRequestedHeaders(response, requestedHeaders);
 }
- boolean allowsOrigin = isConfiguredWithWildcard(corsConfig.origins) || corsConfig.origins.get().contains(origin)
- || isOriginAllowedByRegex(allowedOriginsRegex, origin);
+ boolean allowsOrigin = !corsConfig.origins.isEmpty()
+ && (isOriginConfiguredWithWildcard(corsConfig.origins.get()) || corsConfig.origins.get().contains(origin)
+ || isOriginAllowedByRegex(allowedOriginsRegex, origin));
 if (allowsOrigin) {
 response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
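Review bot: The Javadoc on `origins` now says what a value looks like but no longer says what happens when the property is absent, which is precisely the behaviour this commit flips: the filter now evaluates `!corsConfig.origins.isEmpty() && (...)`, so an unset list allows no origin at all. Anyone upgrading with `quarkus.http.cors=true` and no origins configured will see cross-origin requests stop working and will come to this Javadoc first. I would restore one line after the regular-expression sentence: ` * If not set, no origin is allowed (the filter will not emit Access-Control-Allow-Origin); use '*' to explicitly allow any origin.` The parenthetical reflects only the `if (allowsOrigin)` branch visible in this diff; whatever else the filter does for a rejected origin is outside the hunk and should be checked before wording it more strongly.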
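Review bot: `isOriginConfiguredWithWildcard` intentionally differs from the public `isConfiguredWithWildcard` directly above it — an empty list is not a wildcard here — but nothing in the code says so, and a future "deduplicate these two helpers" change would silently reinstate the allow-any-origin default this commit removes. A comment on the new method should pin that contract, e.g. `// Unlike isConfiguredWithWildcard(), an empty origins list must NOT be treated as "*": no configured origin means no origin is allowed.` Since `isConfiguredWithWildcard` is public static and presumably still used for methods and headers, its own Javadoc could likewise state that it is not suitable for origins.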
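Review bot: The wildcard branch of the new condition still reflects the request Origin back verbatim (`response.headers().set(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin)` on the last line), so `origins=*` together with `access-control-allow-credentials=true` — the pairing the updated vertx-http test properties use — lets any site perform credentialed cross-origin requests; a browser would refuse a literal `*` with credentials, and the reflection sidesteps that safeguard. I would log a warning at filter construction when the origins list is `*` and allow-credentials is enabled, and another when `quarkus.http.cors=true` is set with no origins at all, since that configuration previously meant "allow everything" and now silently means "allow nothing". `corsConfig.origins.get()` is also unwrapped twice inside the one expression; hoisting `List<String> origins = corsConfig.origins.get();` into the non-empty branch would read more clearly. The body of `handle` continues beyond the hunk.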
diff --git a/integration-tests/oidc-code-flow/src/main/resources/application.properties b/integration-tests/oidc-code-flow/src/main/resources/application.properties
index dece21ad567dde..b5a1b12c80a9b1 100644
--- a/integration-tests/oidc-code-flow/src/main/resources/application.properties
+++ b/integration-tests/oidc-code-flow/src/main/resources/application.properties
@@ -166,6 +166,7 @@ quarkus.http.auth.permission.post-logout.paths=/tenant-logout/post-logout
 quarkus.http.auth.permission.post-logout.policy=permit
 quarkus.http.cors=true
+quarkus.http.cors.origins=*
 quarkus.http.auth.proactive=false
 quarkus.http.proxy.enable-forwarded-prefix=true
 quarkus.http.proxy.allow-forwarded=true
diff --git a/integration-tests/oidc-tenancy/src/main/resources/application.properties b/integration-tests/oidc-tenancy/src/main/resources/application.properties
index 20a4673716dab9..0feca34bdff52a 100644
--- a/integration-tests/oidc-tenancy/src/main/resources/application.properties
+++ b/integration-tests/oidc-tenancy/src/main/resources/application.properties
@@ -1,4 +1,5 @@
 quarkus.http.cors=true
+quarkus.http.cors.origins=*
 quarkus.oidc.token-cache.max-size=3
@@ -116,4 +117,4 @@ quarkus.native.additional-build-args=-H:IncludeResources=.*\\.pem
 quarkus.log.category."io.quarkus.oidc.runtime.CodeAuthenticationMechanism".min-level=TRACE
-quarkus.log.category."io.quarkus.oidc.runtime.CodeAuthenticationMechanism".level=TRACE
\ No newline at end of file
+quarkus.log.category."io.quarkus.oidc.runtime.CodeAuthenticationMechanism".level=TRACE