optin that allows cors request

commons/src/main/java/lcsb/mapviewer/common/Configuration.java

@@ -151,6 +151,11 @@ public final class Configuration {
    */
   private static List<String> xFrametDomain = new ArrayList<>();
 
+  /**
+   * Should CORS be disabled.
+   */
+  private static boolean disableCors = false;
+
   /**
    * Directory where tomcat webapp folder is located. Default value is "." because
    * it should be set to proper value when tomcat application is deployed and run.
@@ -438,4 +443,12 @@ public final class Configuration {
     Configuration.sessionLength = sessionLength;
   }
 
+  public static boolean isDisableCors() {
+    return disableCors;
+  }
+
+  public static void setDisableCors(boolean disableCors) {
+    Configuration.disableCors = disableCors;
+  }
+
 }

model/src/main/java/lcsb/mapviewer/model/user/ConfigurationElementType.java

@@ -90,7 +90,8 @@ public enum ConfigurationElementType {
   /**
    * Description of the right logo presented in the system.
    */
-  RIGHT_LOGO_TEXT("Right logo description", "LCSB - Luxembourg Centre for Systems Biomedicine", ConfigurationElementEditType.STRING, false,
+  RIGHT_LOGO_TEXT("Right logo description", "LCSB - Luxembourg Centre for Systems Biomedicine",
+      ConfigurationElementEditType.STRING, false,
       ConfigurationElementTypeGroup.LEGEND_AND_LOGO),
 
   /**
@@ -128,6 +129,12 @@ public enum ConfigurationElementType {
   X_FRAME_DOMAIN("Domain allowed to connect via x-frame technology", "", ConfigurationElementEditType.URL, false,
       ConfigurationElementTypeGroup.SERVER_CONFIGURATION),
 
+  /**
+   * Domain allowed to connect via x-frame technology.
+   */
+  CORS_DOMAIN("Disable CORS (when disabled 'ORIGIN' http header is required)", "false",
+      ConfigurationElementEditType.BOOLEAN, false, ConfigurationElementTypeGroup.SERVER_CONFIGURATION),
+
   /**
    * Relative directory (in webapps folder) where big files will be stored.
    */

service/src/main/java/lcsb/mapviewer/services/impl/ConfigurationService.java

@@ -95,6 +95,8 @@ public class ConfigurationService implements IConfigurationService {
       for (String domain : getConfigurationValue(ConfigurationElementType.X_FRAME_DOMAIN).split(";")) {
         Configuration.getxFrameDomain().add(domain);
       }
+    } else if (type.equals(ConfigurationElementType.CORS_DOMAIN)) {
+      Configuration.setDisableCors(value.equalsIgnoreCase("true"));
     } else if (type.equals(ConfigurationElementType.SESSION_LENGTH)) {
       Configuration.setSessionLength(Integer.valueOf(value));
     }

web/src/main/java/lcsb/mapviewer/web/bean/utils/JsfAjaxAccessControlAllowFilter.java

@@ -8,10 +8,13 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.log4j.Logger;
 
+import lcsb.mapviewer.common.Configuration;
+
 /**
  * This filter enables ajax queries from all domains. It should be used for
  * restfull API.
@@ -20,25 +23,32 @@ import org.apache.log4j.Logger;
  *
  */
 public class JsfAjaxAccessControlAllowFilter implements Filter {
-	/**
-	 * Default class logger.
-	 */
-	@SuppressWarnings("unused")
-	private final Logger logger = Logger.getLogger(JsfAjaxAccessControlAllowFilter.class);
-
-	@Override
-	public void init(FilterConfig config) throws ServletException {
-	}
-
-	@Override
-	public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
-		HttpServletResponse response = (HttpServletResponse) res;
-		response.addHeader("Access-Control-Allow-Origin", "*");
-		chain.doFilter(req, response);
-	}
-
-	@Override
-	public void destroy() {
-	}
+  /**
+   * Default class logger.
+   */
+  @SuppressWarnings("unused")
+  private final Logger logger = Logger.getLogger(JsfAjaxAccessControlAllowFilter.class);
+
+  @Override
+  public void init(FilterConfig config) throws ServletException {
+  }
+
+  @Override
+  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+      throws IOException, ServletException {
+    HttpServletResponse response = (HttpServletResponse) res;
+    HttpServletRequest request = (HttpServletRequest) req;
+
+    String origin = request.getHeader("ORIGIN");
+    if (origin == null || origin.trim().isEmpty() || !Configuration.isDisableCors()) {
+      origin = "*";
+    }
+    response.setHeader("Access-Control-Allow-Origin", origin);
+    chain.doFilter(req, response);
+  }
+
+  @Override
+  public void destroy() {
+  }
 
 }

web/src/main/java/lcsb/mapviewer/web/bean/utils/StartupBean.java

@@ -62,8 +62,8 @@ public class StartupBean {
 
   @Autowired
   public StartupBean(IProjectService projectService,
-                     IConfigurationService configurationService,
-                     IReferenceGenomeService referenceGenomeService) {
+      IConfigurationService configurationService,
+      IReferenceGenomeService referenceGenomeService) {
     this.projectService = projectService;
     this.configurationService = configurationService;
     this.referenceGenomeService = referenceGenomeService;
@@ -82,6 +82,7 @@ public class StartupBean {
 
     setInterruptedProjectsStatuses();
     modifyXFrameDomain();
+    modifyCorsDomain();
     setSessionLength();
     removeInterruptedReferenceGenomeDownloads();
     logger.debug("Application startup script ends");
@@ -126,6 +127,15 @@ public class StartupBean {
     }
   }
 
+  private void modifyCorsDomain() {
+    try {
+      Configuration.setDisableCors(
+          configurationService.getConfigurationValue(ConfigurationElementType.CORS_DOMAIN).equalsIgnoreCase("true"));
+    } catch (Exception e) {
+      logger.error("Problem with modyfing cors...", e);
+    }
+  }
+
   /**
    * Removes downloads of reference genomes that were interrupted by tomcat
    * restart.