3

I am trying to define the origins which are allowed to call a REST service. I am working with Java (1.8) and Spring Boot (1.5.9). I have tried to implement CORS in 2 ways:

```java
@CrossOrigin(origins = "http://localhost:8080")
@RequestMapping(value = "/questions")
public String readCSV() throws IOException, URISyntaxException {
    /** Some Logic **/
    return str;
}
```

OR

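```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {
    // Compared literally against the request's Origin header
    String origins = "http://localhost:8080";

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedMethods("GET", "PUT", "POST")
                .allowedOrigins(origins)
                .maxAge(3600); // preflight cache lifetime in seconds
        super.addCorsMappings(registry);
    }
}
```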

Both of the above cases work. But I want to change that http://localhost:8080 to some meaningful regex, which will match some particular domain name, but the subdomain name and the port number may vary.
For example, let's say the desired domain name is innovation.com and a few accepted URLs would be we.innovation.com:8081, my.innovation.com:8090 etc.
The problem is, whenever I put some regex instead of the static URLs, it throws a CORS error and is not allowed to access the service. Even in the case when I used a regex which allows any valid URL, it blocks localhost:8080.
I have tried regexes like:
```
^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\\.)+innovation.com(:\d{2,4})
^https?://(?:[^./@]+\.)*domain\.com(?![^/])
^(http[s]:\/\/)?([A-Za-z0-9-]{1,63}\\.)+innovation.com(:\d{2,4})
```

indranil9286
  • Why do you think that this is possible? Do you have any link showing that this is possible? – dur Feb 16 '18 at 10:44
  • Thanks @dur for your quick reply. Exactly my question. Is this even _possible_? – indranil9286 Feb 16 '18 at 11:23
  • 1
    There seems to be no built-in way to do that, which drives me crazy, too. As a workaround for a known number of combinations, "origins" can be a comma-separated list of values, like "http://example.com:8080, https://secure.example.com:8081". – RiZKiT Jun 21 '18 at 09:18
  • Does this answer your question? [Enable wildcard in CORS spring security + webFlux](https://stackoverflow.com/questions/53412178/enable-wildcard-in-cors-spring-security-webflux) – Saurabh Gour May 06 '20 at 17:56
  • This is possible using `config.setAllowedPatterns(List.of("http://*.localhost:4200"));` See the diff it's `setAllowedPatterns` not `setAllowedOrigins` – Shashi Ranjan Jul 21 '23 at 09:33

3 Answers

2

One solution would be extending the spring cors configuration, there is a method called checkOrigin, which could be rewritten to handle regular expressions: https://github.com/spring-projects/spring-framework/blob/master/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java#L425-L455

Luckily someone did that already: https://github.com/looorent/spring-security-jwt/blob/master/src/main/java/be/looorent/security/jwt/RegexCorsConfiguration.java

RiZKiT
2

As of Spring Boot 2.4.x or Spring 5.3, `CorsRegistration` can add an origin as a pattern. See `CorsRegistration#allowedOriginPatterns`.

0

This is possible using `config.setAllowedPatterns(List.of("http://*.localhost:4200"));` See the diff: it's `setAllowedPatterns`, not `setAllowedOrigins`.

Sample code:

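```java
import java.time.Duration;
import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Declare inside a @Configuration class (servlet/Spring MVC imports shown).
@Bean
CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    // Exact origins
    configuration.setAllowedOrigins(Arrays.asList("https://yourowndomain.com"));
    // Wildcard origin patterns
    configuration.setAllowedOriginPatterns(Arrays.asList("https://*.otherdomain.com"));
    configuration.setAllowedMethods(
            Arrays.asList(HttpMethod.GET.toString(), HttpMethod.POST.toString(), HttpMethod.DELETE.toString()));
    // Preflight cache lifetime: 3600 seconds
    configuration.setMaxAge(Duration.ofSeconds(3600));
    configuration.setAllowedHeaders(
            Arrays.asList(HttpHeaders.AUTHORIZATION, HttpHeaders.CONTENT_TYPE, HttpHeaders.ACCEPT));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}
```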
Shashi Ranjan
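
An added example, not part of the answers above and not Spring's own code: `allowedOriginPatterns` applied to the question's `innovation.com` case, with `CorsConfiguration#checkOrigin` run over constructed `Origin` values so the accept/reject decision for look-alike hosts can be inspected before deployment. It assumes spring-web 5.3 or later on the classpath and an `https` scheme; the class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.web.cors.CorsConfiguration;

// Added illustration; OriginPatternCheck and innovationCors are hypothetical names.
public class OriginPatternCheck {

    // innovation.com is the question's example domain; the https scheme is an assumption.
    static CorsConfiguration innovationCors() {
        CorsConfiguration config = new CorsConfiguration();
        // "*" is a wildcard for the subdomain part; ":[*]" means any port,
        // including the default port. The rest of the pattern is matched literally.
        config.setAllowedOriginPatterns(Arrays.asList("https://*.innovation.com:[*]"));
        config.setAllowedMethods(Arrays.asList("GET", "PUT", "POST"));
        config.setMaxAge(3600L); // seconds
        return config;
    }

    public static void main(String[] args) {
        CorsConfiguration config = innovationCors();
        // Constructed Origin header values covering the cases worth checking.
        List<String> origins = Arrays.asList(
                "https://we.innovation.com:8081",         // subdomain with explicit port
                "https://my.innovation.com:8090",         // another subdomain and port
                "https://my.innovation.com",              // subdomain on the default port
                "https://innovation.com",                 // apex domain, no subdomain
                "http://we.innovation.com:8081",          // different scheme
                "https://we.innovation.com.example.net",  // allowed name used as a prefix
                "https://we-innovation.com",              // no dot before the domain
                "http://localhost:8080");                 // origin from the question
        for (String origin : origins) {
            // checkOrigin returns the value for Access-Control-Allow-Origin,
            // or null when the origin matches no configured origin or pattern.
            String allowed = config.checkOrigin(origin);
            System.out.printf("%-40s %s%n", origin, allowed != null ? "allowed" : "rejected");
        }
    }
}
```

The pattern is matched against the whole `Origin` value, so a host that merely contains or starts with the allowed name does not qualify.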