Fix CORS support

When retrieving the OIDC metadata via an AJAX request, I noticed that the CORS support is broken.

The default Spring web `corsFilter` does not use the CAS `corsHttpWebRequestConfigurationSource`.

This PR fixes the issue and adds a Puppeteer test.

ci/tests/puppeteer/scenarios/oidc-login-jwt-hmac/script.js → ci/tests/puppeteer/scenarios/oidc-login-jwt-hmac-metadata-cors/script.js

@@ -1,5 +1,7 @@
 const assert = require("assert");
 const cas = require("../../cas.js");
+const axios = require("axios");
+const https = require("https");
 
 (async () => {
     const privateKey = "enTHR15K28p0N6f404HaC9Vp1cfIBgQiHhmbgBiO7UHEnSiNJudxtDhPQNFjFQtOVSjEYu0pr5yxEeBAiO6IlA";
@@ -28,4 +30,36 @@ const cas = require("../../cas.js");
         throw `Operation failed: ${error}`;
     });
 
+    const discoveryUrl = "https://localhost:8443/cas/oidc/.well-known";
+    await cas.log(`Calling discovery URL ${discoveryUrl}`);
+    await doOptions(discoveryUrl, {
+        "Content-Type": "application/json",
+        "Origin": "https://myapp:4200",
+        "Host": "localhost:8443",
+        "Access-Control-Request-Method": "GET",
+        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
+    },
+    (res) => {
+        assert(res.status === 200);
+    },
+    (error) => {
+        throw `Operation failed: ${error}`;
+    });
+
 })();
+
+async function doOptions(url, headers, successHandler, failureHandler) {
+    const instance = axios.create({
+        timeout: 8000,
+        httpsAgent: new https.Agent({
+            rejectUnauthorized: false
+        })
+    });
+    const config = {
+        headers: headers
+    };
+    return instance
+        .options(url, config)
+        .then((res) => successHandler(res))
+        .catch((error) => failureHandler(error));
+}

ci/tests/puppeteer/scenarios/oidc-login-jwt-hmac/script.json → ci/tests/puppeteer/scenarios/oidc-login-jwt-hmac-metadata-cors/script.json

@@ -1,6 +1,8 @@
 {
   "dependencies": "oidc",
-
+  "conditions": {
+    "docker": "true"
+  },
   "properties": [
     "--cas.server.name=https://localhost:8443",
     "--cas.server.prefix=${cas.server.name}/cas",
@@ -10,7 +12,10 @@
     "--cas.service-registry.json.location=file:${PWD}/ci/tests/puppeteer/scenarios/${SCENARIO}/services",
 
     "--cas.authn.oidc.core.issuer=https://localhost:8443/cas/oidc",
-    "--cas.authn.oidc.jwks.file-system.jwks-file=file:${#systemProperties['java.io.tmpdir']}/keystore.jwks"
+    "--cas.authn.oidc.jwks.file-system.jwks-file=file:${#systemProperties['java.io.tmpdir']}/keystore.jwks",
+
+    "--cas.http-web-request.cors.enabled=true",
+    "--cas.http-web-request.cors.allow-origins[0]=https://myapp:4200"
   ],
   "initScript": "${PWD}/ci/tests/puppeteer/scenarios/${SCENARIO}/init.sh"
 }

support/cas-server-support-webconfig/src/main/java/org/apereo/cas/config/CasFiltersConfiguration.java

@@ -172,17 +172,12 @@ public CorsConfigurationSource corsHttpWebRequestConfigurationSource(
         }
 
         @Bean
-        @ConditionalOnMissingBean(name = "casCorsFilter")
+        @ConditionalOnMissingBean(name = "corsFilter")
         @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
-        public FilterRegistrationBean<CorsFilter> casCorsFilter(
-            final CasConfigurationProperties casProperties,
-            @Qualifier("corsHttpWebRequestConfigurationSource") final CorsConfigurationSource corsHttpWebRequestConfigurationSource) {
-            val bean = new FilterRegistrationBean<>(new CorsFilter(corsHttpWebRequestConfigurationSource));
-            bean.setName("casCorsFilter");
-            bean.setAsyncSupported(true);
-            bean.setOrder(0);
-            bean.setEnabled(casProperties.getHttpWebRequest().getCors().isEnabled());
-            return bean;
+        public CorsFilter corsFilter(
+                final CasConfigurationProperties casProperties,
+                @Qualifier("corsHttpWebRequestConfigurationSource") final CorsConfigurationSource corsHttpWebRequestConfigurationSource) {
+            return new CorsFilter(corsHttpWebRequestConfigurationSource);
         }
 
     }