Load the cors header attributes from the config and not hard wired

Author: mbuckton

src/main/java/io/mapsmessaging/config/RestApiManagerConfig.java

@@ -23,8 +23,11 @@
 import io.mapsmessaging.configuration.ConfigurationProperties;
 import io.mapsmessaging.dto.rest.config.BaseConfigDTO;
 import io.mapsmessaging.dto.rest.config.RestApiManagerConfigDTO;
+import io.mapsmessaging.rest.handler.CorsHeaderManager;
 import io.mapsmessaging.utilities.configuration.ConfigurationManager;
 import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
 import lombok.NoArgsConstructor;
 
 @NoArgsConstructor
@@ -63,6 +66,16 @@ private RestApiManagerConfig(ConfigurationProperties properties) {
     if (properties.containsKey("static")) {
       this.staticConfig = new StaticConfig((ConfigurationProperties) properties.get("static"));
     }
+
+    corsHeaders = CorsHeaderManager.getInstance().getCorsHeaders();
+    if(properties.containsKey("corsHeaders")) {
+      Map<String, Object> corsHeadersProp = ((ConfigurationProperties) properties.get("corsHeaders")).getMap();
+      for(Map.Entry<String, Object> entry : corsHeadersProp.entrySet()) {
+        String key = entry.getKey();
+        String value = entry.getValue().toString();
+        corsHeaders.addHeader(key, value);
+      }
+    }
   }
 
   @Override
@@ -146,7 +159,8 @@ public ConfigurationProperties toConfigurationProperties() {
     if (this.staticConfig != null) {
       properties.put("static", this.staticConfig.toConfigurationProperties());
     }
-
+    Map<String, Object> corsHeadersProp = new HashMap<>(CorsHeaderManager.getInstance().getCorsHeaders().getHeaders());
+    properties.put("corsHeaders", corsHeadersProp);
     return properties;
   }
 

src/main/java/io/mapsmessaging/dto/rest/config/RestApiManagerConfigDTO.java

@@ -20,6 +20,7 @@
 
 import io.mapsmessaging.config.network.impl.TlsConfig;
 import io.mapsmessaging.config.rest.StaticConfig;
+import io.mapsmessaging.rest.handler.CorsHeaders;
 import io.swagger.v3.oas.annotations.media.Schema;
 import lombok.Data;
 import lombok.EqualsAndHashCode;
@@ -87,4 +88,8 @@ public class RestApiManagerConfigDTO extends BaseConfigDTO {
 
   @Schema(description = "Static configuration", implementation = StaticConfig.class)
   protected StaticConfig staticConfig;
+
+  @Schema(description = "CORS headers", implementation = CorsHeaders.class)
+  protected CorsHeaders corsHeaders;
+
 }

src/main/java/io/mapsmessaging/rest/handler/CorsEnabledStaticHttpHandler.java

@@ -24,16 +24,13 @@
 
 public class CorsEnabledStaticHttpHandler extends StaticHttpHandler {
 
-  private final CorsHeaders corsHeaders;
-
   public CorsEnabledStaticHttpHandler(String... docRoots) {
     super(docRoots);
-    corsHeaders = new CorsHeaders();
   }
 
   @Override
   protected boolean handle(String uri, Request request, Response response) throws Exception {
-    corsHeaders.updateResponseHeaders(response);
+    CorsHeaderManager.getInstance().getCorsHeaders().updateResponseHeaders(response);
     return super.handle(uri, request, response);
   }
 }

src/main/java/io/mapsmessaging/rest/handler/CorsFilter.java

@@ -26,10 +26,8 @@
 @Provider
 public class CorsFilter implements ContainerResponseFilter {
 
-  private final CorsHeaders corsHeaders = new CorsHeaders();
-
   @Override
   public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) {
-    corsHeaders.addFilter(responseContext);
+    CorsHeaderManager.getInstance().getCorsHeaders().addFilter(responseContext);
   }
 }

src/main/java/io/mapsmessaging/rest/handler/CorsHeaderManager.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright [ 2020 - 2024 ] [Matthew Buckton]
+ * Copyright [ 2024 - 2024 ] [Maps Messaging B.V.]
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package io.mapsmessaging.rest.handler;
+
+
+import lombok.Getter;
+
+@SuppressWarnings("java:S6548") // yes it is a singleton
+@Getter
+public class CorsHeaderManager {
+
+  private static class Holder {
+    static final CorsHeaderManager INSTANCE = new CorsHeaderManager();
+  }
+
+  public static CorsHeaderManager getInstance() {
+    return Holder.INSTANCE;
+  }
+
+  private final CorsHeaders corsHeaders;
+
+  private CorsHeaderManager() {
+    corsHeaders = new CorsHeaders();
+  }
+
+}

src/main/java/io/mapsmessaging/rest/handler/CorsHeaders.java

@@ -21,20 +21,21 @@
 import jakarta.ws.rs.container.ContainerResponseContext;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
+import lombok.Data;
 import org.glassfish.grizzly.http.server.Response;
 
+@Data
 public class CorsHeaders {
 
   private final Map<String, String> headers;
 
   public CorsHeaders() {
     headers = new ConcurrentHashMap<>();
-    headers.put("Access-Control-Allow-Origin", "*"); // Use "*" or specific domain
-    headers.put("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
-    headers.put("Access-Control-Allow-Headers", "Content-Type, Authorization");
-    headers.put("Access-Control-Allow-Credentials", "true"); // Include if using cookies or authentication
   }
 
+  public void addHeader(String header, String value) {
+    headers.put(header, value);
+  }
 
   public void updateResponseHeaders(Response response) {
     for(Map.Entry<String, String> header:headers.entrySet()) {

src/main/resources/RestApi.yaml

@@ -70,3 +70,9 @@ RestApi:
   static:
     enabled: true
     directory: "{{MAPS_HOME}}/www/dist"
+
+  corsHeaders:
+    Access-Control-Allow-Origin: "*"
+    Access-Control-Allow-Methods: "GET, POST, PUT, DELETE, OPTIONS"
+    Access-Control-Allow-Headers: "Content-Type, Authorization"
+    Access-Control-Allow-Credentials: "true"