[ISSUE #13951] Add configurable CORS filter for console module (#13966)

zhan7236 · web-flow · commit 19b24f5ef548 · 2025-11-26T09:30:35.000+08:00
* [ISSUE #13951] Add configurable CORS filter for console module - Add ConsoleCorsConfig class for managing CORS configurations - Update ConsoleWebConfig to use configurable CORS settings - Add configuration properties in application.properties - Add unit tests for ConsoleCorsConfig and ConsoleWebConfig - Maintain backward compatibility with default settings * trigger ci * [ISSUE #13951] Simplify ConsoleCorsConfig implementation
diff --git a/console/src/main/java/com/alibaba/nacos/console/config/ConsoleCorsConfig.java b/console/src/main/java/com/alibaba/nacos/console/config/ConsoleCorsConfig.java
@@ -0,0 +1,101 @@
+/*
+ * Copyright 1999-2025 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.console.config;
+
+import com.alibaba.nacos.common.utils.StringUtils;
+import com.alibaba.nacos.sys.env.EnvUtil;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Nacos console cors configurations.
+ *
+ * @author zhan7236
+ */
+public class ConsoleCorsConfig {
+    
+    private static final String CONSOLE_CORS_PREFIX = "nacos.console.cors.";
+    
+    private static final String ALLOW_CREDENTIALS_KEY = CONSOLE_CORS_PREFIX + "allow-credentials";
+    
+    private static final String ALLOWED_HEADERS_KEY = CONSOLE_CORS_PREFIX + "allowed-headers";
+    
+    private static final String MAX_AGE_KEY = CONSOLE_CORS_PREFIX + "max-age";
+    
+    private static final String ALLOWED_METHODS_KEY = CONSOLE_CORS_PREFIX + "allowed-methods";
+    
+    private static final String ALLOWED_ORIGINS_KEY = CONSOLE_CORS_PREFIX + "allowed-origins";
+    
+    private static final boolean DEFAULT_ALLOW_CREDENTIALS = true;
+    
+    private static final long DEFAULT_MAX_AGE = 18000L;
+    
+    private final boolean allowCredentials;
+    
+    private final List<String> allowedHeaders;
+    
+    private final long maxAge;
+    
+    private final List<String> allowedMethods;
+    
+    private final List<String> allowedOrigins;
+    
+    public ConsoleCorsConfig() {
+        this.allowCredentials = EnvUtil.getProperty(ALLOW_CREDENTIALS_KEY, Boolean.class, DEFAULT_ALLOW_CREDENTIALS);
+        this.allowedHeaders = parseListProperty(ALLOWED_HEADERS_KEY);
+        this.maxAge = EnvUtil.getProperty(MAX_AGE_KEY, Long.class, DEFAULT_MAX_AGE);
+        this.allowedMethods = parseListProperty(ALLOWED_METHODS_KEY);
+        this.allowedOrigins = parseListProperty(ALLOWED_ORIGINS_KEY);
+    }
+    
+    private List<String> parseListProperty(String key) {
+        String value = EnvUtil.getProperty(key, "");
+        if (StringUtils.isNotBlank(value)) {
+            return Arrays.asList(value.split(","));
+        }
+        return Collections.emptyList();
+    }
+    
+    public boolean isAllowCredentials() {
+        return allowCredentials;
+    }
+    
+    public List<String> getAllowedHeaders() {
+        return allowedHeaders;
+    }
+    
+    public long getMaxAge() {
+        return maxAge;
+    }
+    
+    public List<String> getAllowedMethods() {
+        return allowedMethods;
+    }
+    
+    public List<String> getAllowedOrigins() {
+        return allowedOrigins;
+    }
+    
+    @Override
+    public String toString() {
+        return "ConsoleCorsConfig{" + "allowCredentials=" + allowCredentials + ", allowedHeaders=" + allowedHeaders
+                + ", maxAge=" + maxAge + ", allowedMethods=" + allowedMethods + ", allowedOrigins=" + allowedOrigins
+                + '}';
+    }
+}
diff --git a/console/src/main/java/com/alibaba/nacos/console/config/ConsoleWebConfig.java b/console/src/main/java/com/alibaba/nacos/console/config/ConsoleWebConfig.java
@@ -65,11 +65,24 @@ public void init() {
     @Bean
     public CorsFilter corsFilter() {
         CorsConfiguration config = new CorsConfiguration();
-        config.setAllowCredentials(true);
-        config.addAllowedHeader("*");
-        config.setMaxAge(18000L);
-        config.addAllowedMethod("*");
-        config.addAllowedOriginPattern("*");
+        ConsoleCorsConfig corsConfig = new ConsoleCorsConfig();
+        config.setAllowCredentials(corsConfig.isAllowCredentials());
+        if (corsConfig.getAllowedHeaders().isEmpty()) {
+            config.addAllowedHeader("*");
+        } else {
+            config.setAllowedHeaders(corsConfig.getAllowedHeaders());
+        }
+        config.setMaxAge(corsConfig.getMaxAge());
+        if (corsConfig.getAllowedMethods().isEmpty()) {
+            config.addAllowedMethod("*");
+        } else {
+            config.setAllowedMethods(corsConfig.getAllowedMethods());
+        }
+        if (corsConfig.getAllowedOrigins().isEmpty()) {
+            config.addAllowedOriginPattern("*");
+        } else {
+            config.setAllowedOrigins(corsConfig.getAllowedOrigins());
+        }
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", config);
         return new CorsFilter(source);
diff --git a/console/src/test/java/com/alibaba/nacos/console/config/ConsoleCorsConfigTest.java b/console/src/test/java/com/alibaba/nacos/console/config/ConsoleCorsConfigTest.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright 1999-2025 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.console.config;
+
+import com.alibaba.nacos.sys.env.EnvUtil;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.core.env.ConfigurableEnvironment;
+import org.springframework.mock.env.MockEnvironment;
+
+import java.util.Arrays;
+import java.util.Collections;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * ConsoleCorsConfig test.
+ */
+class ConsoleCorsConfigTest {
+    
+    private ConfigurableEnvironment cachedEnvironment;
+    
+    @BeforeEach
+    void setUp() {
+        cachedEnvironment = EnvUtil.getEnvironment();
+    }
+    
+    @AfterEach
+    void tearDown() {
+        EnvUtil.setEnvironment(cachedEnvironment);
+    }
+    
+    @Test
+    void testDefaultConfiguration() {
+        MockEnvironment environment = new MockEnvironment();
+        EnvUtil.setEnvironment(environment);
+        
+        ConsoleCorsConfig config = new ConsoleCorsConfig();
+        
+        assertTrue(config.isAllowCredentials());
+        assertEquals(Collections.emptyList(), config.getAllowedHeaders());
+        assertEquals(18000L, config.getMaxAge());
+        assertEquals(Collections.emptyList(), config.getAllowedMethods());
+        assertEquals(Collections.emptyList(), config.getAllowedOrigins());
+    }
+    
+    @Test
+    void testCustomConfiguration() {
+        MockEnvironment environment = new MockEnvironment();
+        environment.setProperty("nacos.console.cors.allow-credentials", "false");
+        environment.setProperty("nacos.console.cors.allowed-headers", "Content-Type,Authorization");
+        environment.setProperty("nacos.console.cors.max-age", "3600");
+        environment.setProperty("nacos.console.cors.allowed-methods", "GET,POST,PUT");
+        environment.setProperty("nacos.console.cors.allowed-origins", "http://localhost:8080,https://example.com");
+        EnvUtil.setEnvironment(environment);
+        
+        ConsoleCorsConfig config = new ConsoleCorsConfig();
+        
+        assertFalse(config.isAllowCredentials());
+        assertEquals(Arrays.asList("Content-Type", "Authorization"), config.getAllowedHeaders());
+        assertEquals(3600L, config.getMaxAge());
+        assertEquals(Arrays.asList("GET", "POST", "PUT"), config.getAllowedMethods());
+        assertEquals(Arrays.asList("http://localhost:8080", "https://example.com"), config.getAllowedOrigins());
+    }
+    
+    @Test
+    void testToString() {
+        MockEnvironment environment = new MockEnvironment();
+        EnvUtil.setEnvironment(environment);
+        
+        ConsoleCorsConfig config = new ConsoleCorsConfig();
+        String result = config.toString();
+        
+        assertTrue(result.contains("ConsoleCorsConfig"));
+        assertTrue(result.contains("allowCredentials=true"));
+        assertTrue(result.contains("maxAge=18000"));
+    }
+}
diff --git a/console/src/test/java/com/alibaba/nacos/console/config/ConsoleWebConfigTest.java b/console/src/test/java/com/alibaba/nacos/console/config/ConsoleWebConfigTest.java
@@ -81,6 +81,21 @@ void corsFilter() {
         assertNotNull(consoleWebConfig.corsFilter());
     }
     
+    @Test
+    void corsFilterWithCustomConfiguration() {
+        MockEnvironment environment = new MockEnvironment();
+        environment.setProperty(Constants.Auth.NACOS_CORE_AUTH_ADMIN_ENABLED, "false");
+        environment.setProperty("nacos.console.cors.allow-credentials", "false");
+        environment.setProperty("nacos.console.cors.allowed-headers", "Content-Type");
+        environment.setProperty("nacos.console.cors.max-age", "3600");
+        environment.setProperty("nacos.console.cors.allowed-methods", "GET,POST");
+        environment.setProperty("nacos.console.cors.allowed-origins", "http://localhost:8080");
+        EnvUtil.setEnvironment(environment);
+        
+        assertNotNull(consoleWebConfig.corsFilter());
+        EnvUtil.setEnvironment(cachedEnvironment);
+    }
+    
     @Test
     void xssFilter() {
         assertNotNull(consoleWebConfig.xssFilter());
diff --git a/distribution/conf/application.properties b/distribution/conf/application.properties
@@ -54,6 +54,25 @@ management.metrics.export.influx.enabled=false
 #management.metrics.export.influx.consistency=one
 #management.metrics.export.influx.compressed=true
 
+#*************** Console Related Configurations ***************#
+
+### CORS (Cross-Origin Resource Sharing) configurations for console
+### Whether to allow credentials (cookies, authorization headers, TLS client certificates)
+# nacos.console.cors.allow-credentials=true
+
+### Allowed headers, comma separated. Empty means allow all headers (*)
+# nacos.console.cors.allowed-headers=
+
+### Maximum age (in seconds) of the CORS preflight request cache
+# nacos.console.cors.max-age=18000
+
+### Allowed HTTP methods, comma separated. Empty means allow all methods (*)
+# nacos.console.cors.allowed-methods=
+
+### Allowed origins, comma separated. Empty means allow all origin patterns (*)
+### Example: nacos.console.cors.allowed-origins=http://localhost:8080,https://example.com
+# nacos.console.cors.allowed-origins=
+
 #*************** Core Related Configurations ***************#
 
 ### set the WorkerID manually
