CorsConfiguration based on pattern matching

[korektur]

Is your feature request related to a problem? Please describe.
Gateway can has multiple underlying services and numerous services using it as an entry point into those services. In case of browser preflight request it does make sense to have global cors policy definde on gateway level and respond to them directly from gateway instead of routing those to underlying services. However in case where there are many services calling gateway it makes it hard to keep track of all possible origins that are required to be defined for that configuration. If it's an internal gateway that is supposed to be accepting requests only from other firm services it makes sense to just specify something like ".companyHost.com" and accept all requests with origin that ends with this host.

Describe the solution you'd like
I suggest implementing a new CorsConfiguration, that will override method checkOrigin to use pattern matching, something like:

for (String allowedOrigin : this.allowedOrigins) {
	if (requestOrigin.endsWith(allowedOrigin)) {
		return requestOrigin;
	}
}

Since CORS header specification forbids to return something like "*.companyHost.com", and requires either a "*" or a full host name, in this case we'll return a request origin which would be a full host name.

Describe alternatives you've considered
Considered allowed origing as a "*" but this wouldn't work in case when credentials are passed. Also as mentioned earlier specifying list of all possible origins calling gateway is not a good option in case when it's a widely used service, it will also make it more dificult to onboard new services.

[tony-clarke-amdocs]

Trying to understand. Is the issue that you would prefer more flexibility with the allowed-origins header? Rather than having to have configuration for a.y.z, b.y.z, c.y.z...you would rather have one configuration for *.y.z? If that is the case, do you know any other reverse proxy that allows such configuration?

[korektur]

@tony-clarke-amdocs yes that's correct. For example vert.x CorsHandler suipports that: https://github.com/vert-x3/vertx-web/blob/5cd7ecaa6bead1b246b5327537ee9b82c22187bc/vertx-web/src/main/java/io/vertx/ext/web/handler/CorsHandler.java#L42
Also, I think Kong supports pattern based origins as well.

I ended up extending Spring CorsConfiguration within my api gateway instance, but ideally I would like this functionality to be implemented withing spring.
Happy to make a pull request with this change, however I am not sure if it should be done in gateway or some other core spring library. I think gateway will benefit from this change a lot since often there are multiple origins calling it.

[tony-clarke-amdocs]

I think Spring supports * to allow all origins but not *.y.z. I suspect there is a good reason for this. I guess @rstoyanchev would be able to comment here.

[rstoyanchev]

I am not aware of any reasons why we do not have pattern support other than "*" (permit all).

[spencergibb]

Looks like this should be a feature request in framework then. I can't transfer this since the projects are in different orgs. @korektur please open a new issue there and link to this one.

[korektur]

Opened an issue in framework: spring-projects/spring-framework#24763