From 57b4dac94f20cd55e1f5591f2d687089bd5d7a73 Mon Sep 17 00:00:00 2001
From: Miroslav Blasko <blcham@gmail.com>
Date: Tue, 28 Nov 2023 22:30:52 +0100
Subject: [PATCH] [#13] Empty origins should not result in *

---
 .../java/cz/cvut/kbss/study/config/SecurityConfig.java | 10 ++++++----
 .../cz/cvut/kbss/study/config/SecurityConfigTest.java  |  9 +++++----
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java
index 0d1f6e7b..a46bf110 100644
--- a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java
+++ b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java
@@ -117,11 +117,13 @@ private static void configureAllowedOrigins(CorsConfiguration corsConfig, Config
         if (!allowedOrigins.isEmpty()) {
             corsConfig.setAllowedOrigins(allowedOrigins);
             corsConfig.setAllowCredentials(true);
-            LOG.debug(
-                "Using response header Access-Control-Allow-Origin with value {}.",
-                corsConfig.getAllowedOrigins()
-            );
+        } else {
+            corsConfig.setAllowedOrigins(null);
         }
+        LOG.debug(
+            "Using response header Access-Control-Allow-Origin with value {}.",
+            corsConfig.getAllowedOrigins()
+        );
     }
 
     private static Optional<String> getApplicationUrlOrigin(ConfigReader configReader) {
diff --git a/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java b/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java
index be91719a..6ea26851 100644
--- a/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java
+++ b/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java
@@ -12,6 +12,7 @@
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.hasItems;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 class SecurityConfigTest {
@@ -59,12 +60,12 @@ void createCorsConfigurationSupportsMultipleConfiguredAllowedOrigins() {
     }
 
     @Test
-    void createCorsConfigurationThrowsRecordManagerExceptionWhenAppContextAndAllowedOriginsAreNotSet() {
+    void createCorsConfigurationDoNotSetAllowedOriginsWhenAppContextAndAllowedOriginsAreNotSet() {
         environment.setProperty(ConfigParam.APP_CONTEXT.toString(), "");
         environment.setProperty(ConfigParam.CORS_ALLOWED_ORIGINS.toString(),"");
 
-        assertThrows(RecordManagerException.class, () -> {
-            SecurityConfig.createCorsConfiguration(config);
-        });
+        final CorsConfigurationSource result = SecurityConfig.createCorsConfiguration(config);
+        assertNotNull(result.getCorsConfiguration(new MockHttpServletRequest()));
+        assertNull(result.getCorsConfiguration(new MockHttpServletRequest()).getAllowedOrigins());
     }
 }
\ No newline at end of file