
Conversation

@zhan7236
Contributor

Please do not create a Pull Request without creating an issue first.

What is the purpose of the change

Add configurable CORS filter support for Nacos console module to allow administrators to customize CORS settings through configuration files, addressing security concerns where unrestricted CORS is considered a high-risk vulnerability in security scan reports.

Brief changelog

  • Add ConsoleCorsConfig class for managing CORS configurations (extends AbstractDynamicConfig)
  • Update ConsoleWebConfig.corsFilter() to use configurable CORS settings
  • Add 5 configuration properties in application.properties:
    • nacos.console.cors.allow-credentials (default: true)
    • nacos.console.cors.allowed-headers (default: allow all)
    • nacos.console.cors.max-age (default: 18000)
    • nacos.console.cors.allowed-methods (default: allow all)
    • nacos.console.cors.allowed-origins (default: allow all)
  • Add unit tests for ConsoleCorsConfig and ConsoleWebConfig
  • Maintain backward compatibility with default settings

Verifying this change

  • Added unit tests ConsoleCorsConfigTest with 3 test cases covering default and custom configurations
  • Added test case corsFilterWithCustomConfiguration() in ConsoleWebConfigTest
  • Manual verification:
    • Without configuration: CORS behaves as before (allow all)
    • With configuration: CORS follows custom restrictions

Follow this checklist to help us incorporate your contribution quickly and easily:

  • Make sure there is a Github issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a Github issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue. Issue: Suggest adding a configurable capability to the CORS filter of the Nacos console module #13951
  • Format the pull request title like [ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Write the necessary unit tests to verify your logic correction; more mocking is better when cross-module dependencies exist. If a new feature or significant change is committed, please remember to add an integration test in the test module.
  • Run mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=true to make sure basic checks pass. Run mvn clean install -DskipITs to make sure unit-test pass. Run mvn clean test-compile failsafe:integration-test to make sure integration-test pass. (Will be verified by CI)

- Add ConsoleCorsConfig class for managing CORS configurations
- Update ConsoleWebConfig to use configurable CORS settings
- Add configuration properties in application.properties
- Add unit tests for ConsoleCorsConfig and ConsoleWebConfig
- Maintain backward compatibility with default settings
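As an added illustration (not code from this PR or from Nacos), the block below shows how the five nacos.console.cors.* properties listed in the changelog can be mapped onto a Spring CorsFilter, with the permissive defaults beside an administrator-restricted configuration. The property names and their defaults are those stated above; the class name ConsoleCorsExample, the helper names, the comma-separated list format and the sample origins are assumptions.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Properties;

import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

/**
 * Illustrative mapping of nacos.console.cors.* properties onto a Spring CorsFilter.
 * Added example, not Nacos code: helper names and the comma-separated list
 * format are assumptions; property names and defaults follow the PR changelog.
 */
public class ConsoleCorsExample {

    private static final String PREFIX = "nacos.console.cors.";

    /** Split a comma-separated property value, falling back to the given default. */
    static List<String> listProperty(Properties props, String key, String defaultValue) {
        String raw = props.getProperty(PREFIX + key, defaultValue).trim();
        return Arrays.asList(raw.split("\\s*,\\s*"));
    }

    /** Build the CorsConfiguration the filter will enforce, read once at startup. */
    static CorsConfiguration fromProperties(Properties props) {
        CorsConfiguration config = new CorsConfiguration();
        boolean allowCredentials = Boolean.parseBoolean(
                props.getProperty(PREFIX + "allow-credentials", "true"));
        List<String> origins = listProperty(props, "allowed-origins", "*");

        config.setAllowCredentials(allowCredentials);
        config.setAllowedHeaders(listProperty(props, "allowed-headers", "*"));
        config.setAllowedMethods(listProperty(props, "allowed-methods", "*"));
        config.setMaxAge(Long.parseLong(props.getProperty(PREFIX + "max-age", "18000")));

        if (allowCredentials && origins.contains("*")) {
            // Spring 5.3+ rejects allowedOrigins="*" combined with allowCredentials=true
            // (CorsConfiguration.validateAllowCredentials). An origin pattern is accepted
            // instead and makes Spring echo the request's Origin header, which is what
            // "allow all + credentials" amounts to: the permissive pre-PR behaviour.
            config.setAllowedOriginPatterns(origins);
        } else {
            config.setAllowedOrigins(origins);
        }
        return config;
    }

    /** Register the configuration for every console path, as a filter bean would. */
    static CorsFilter corsFilter(Properties props) {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", fromProperties(props));
        return new CorsFilter(source);
    }

    public static void main(String[] args) {
        // Constructed sample 1: nothing configured -> behaves as before (allow all).
        CorsConfiguration permissive = fromProperties(new Properties());
        // checkOrigin returns the value to send in Access-Control-Allow-Origin,
        // or null when the origin is rejected. Here any origin is echoed back.
        System.out.println("default, origin https://other.example -> "
                + permissive.checkOrigin("https://other.example"));

        // Constructed sample 2: an administrator restricts the console to its own UI host.
        Properties restricted = new Properties();
        restricted.setProperty(PREFIX + "allowed-origins", "https://nacos-console.internal.example");
        restricted.setProperty(PREFIX + "allowed-methods", "GET,POST,PUT,DELETE");
        restricted.setProperty(PREFIX + "allowed-headers", "Content-Type,Authorization");
        CorsConfiguration locked = fromProperties(restricted);
        System.out.println("restricted, origin https://other.example -> "
                + locked.checkOrigin("https://other.example"));              // null
        System.out.println("restricted, console host -> "
                + locked.checkOrigin("https://nacos-console.internal.example"));

        CorsFilter filter = corsFilter(restricted);
        System.out.println("filter built: " + (filter != null));
    }
}
```

The first sample reproduces the "allow all" default that security scanners flag: every Origin is reflected together with Access-Control-Allow-Credentials: true. The second sample is the configuration an operator should set once this PR is available, listing only the host that serves the console UI. As the reviewer notes further down, the filter reads these values once at startup, so a change to application.properties takes effect only after a restart.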
@github-actions

Thanks for this PR. 🙏
Please check again whether your PR changes contain any usage/API/configuration change, such as adding a new API, adding a new configuration, or changing the default value of a configuration.
If so, please add or update documents (markdown type) in docs/next/ for repository nacos-group/nacos-group.github.io.


Thank you for submitting the PR. 🙏
Please check your PR content again to confirm whether it contains any changes to usage, APIs or configuration parameters, such as adding a new API, adding a new configuration parameter or modifying a default configuration.
If so, please make sure that before submitting, documentation (markdown format) is added or updated under the docs/next/ directory of the nacos-group/nacos-group.github.io repository.

@CLAassistant

CLAassistant commented Nov 25, 2025

CLA assistant check
All committers have signed the CLA.

*
* @author zhan7236
*/
public class ConsoleCorsConfig extends AbstractDynamicConfig {
Collaborator

Is it necessary to use dynamic config to set this?

I think this config is only loaded in the start-up phase. Even if the value changes at runtime, the CorsFilter will not read and apply the new config value.

Contributor Author

Agreed. Since the filter initializes only once, dynamic updates won't work anyway. I've removed AbstractDynamicConfig and simplified it to a plain POJO. I will push the updated code shortly.

@wuyfee

wuyfee commented Nov 25, 2025

$\color{red}{FAILURE}$
DETAILS
✅ - docker: success
❌ - deploy (standalone & cluster & standalone_auth): failure
❌ - e2e-java-test (standalone & cluster & standalone_auth): skipped
❌ - e2e-go-test (standalone & cluster): skipped
❌ - e2e-cpp-test (standalone & cluster): skipped
❌ - e2e-csharp-test (standalone & cluster): skipped
❌ - e2e-nodejs-test (standalone & cluster): skipped
❌ - e2e-python-test (standalone & cluster): skipped
✅ - clean (standalone & cluster & standalone_auth): success

@KomachiSion KomachiSion merged commit 19b24f5 into alibaba:develop Nov 26, 2025
3 checks passed
@KomachiSion KomachiSion added this to the 3.1.1 milestone Nov 26, 2025
@KomachiSion KomachiSion added the kind/feature type/feature label Nov 26, 2025