feat: CORS filter added, to support alternate gui

opal-core/src/main/resources/META-INF/defaults.properties

@@ -71,4 +71,8 @@ apps.discovery.interval = 10000
 
 # CSRF
 # allowed referers, comma separated <host:port>
-csrf.allowed=
+csrf.allowed=
+
+# CORS
+# use * as wildcard, separate origins with commas
+cors.allowed=

opal-httpd/src/main/java/org/obiba/opal/server/httpd/OpalJettyServer.java

@@ -21,6 +21,7 @@
 import org.eclipse.jetty.server.handler.gzip.GzipHandler;
 import org.eclipse.jetty.servlet.FilterHolder;
 import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.servlets.CrossOriginFilter;
 import org.eclipse.jetty.util.URIUtil;
 import org.eclipse.jetty.util.resource.PathResource;
 import org.eclipse.jetty.util.security.Constraint;
@@ -240,6 +241,17 @@ private void initEventListeners() {
   private void initFilters(Properties properties) {
     servletContextHandler.addFilter(OpalVersionFilter.class, "/*", EnumSet.of(REQUEST));
 
+    // Add the CrossOriginFilter
+    String corsAllowed = properties.getProperty("cors.allowed");
+    if (!Strings.isNullOrEmpty(corsAllowed)) {
+      FilterHolder cors = servletContextHandler.addFilter(CrossOriginFilter.class, "/*", EnumSet.of(REQUEST));
+      cors.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, corsAllowed);
+      cors.setInitParameter(CrossOriginFilter.ALLOWED_HEADERS_PARAM, "Content-Type,Access-Control-Allow-Origin");
+      cors.setInitParameter(CrossOriginFilter.ALLOWED_METHODS_PARAM, "GET,POST,PUT,DELETE,OPTIONS");
+      cors.setInitParameter(CrossOriginFilter.EXPOSED_HEADERS_PARAM, "X-Opal-Version,Location,X-TOTP");
+      cors.setInitParameter(CrossOriginFilter.ALLOW_CREDENTIALS_PARAM, "true");
+    }
+
     initOIDCFilter(properties);
 
     FilterHolder authenticationFilterHolder = new FilterHolder(DelegatingFilterProxy.class);