2121 * The API Gateway applies CORS headers to all responses, so backend services should not
2222 * add CORS headers to avoid duplication.
2323 */
24- @ Component
24+ // @Component - DISABLED: CORS is handled by API Gateway
2525@ Order (Ordered .HIGHEST_PRECEDENCE )
2626public class CorsFilter implements Filter {
2727
@@ -37,8 +37,27 @@ public void init(FilterConfig filterConfig) {
3737 public void doFilter (ServletRequest request , ServletResponse response , FilterChain chain )
3838 throws IOException , ServletException {
3939
40- // CORS is handled by the API Gateway, so we skip CORS header injection here
41- // Just pass the request through without adding CORS headers
40+ HttpServletRequest httpRequest = (HttpServletRequest ) request ;
41+ HttpServletResponse httpResponse = (HttpServletResponse ) response ;
42+
43+ String origin = httpRequest .getHeader ("Origin" );
44+
45+ // If origin is present and allowed, add CORS headers
46+ if (origin != null && isOriginAllowed (origin )) {
47+ httpResponse .setHeader ("Access-Control-Allow-Origin" , origin );
48+ httpResponse .setHeader ("Access-Control-Allow-Methods" , "GET, POST, PUT, DELETE, OPTIONS, PATCH" );
49+ httpResponse .setHeader ("Access-Control-Allow-Headers" ,
50+ "Authorization, Content-Type, X-Requested-With, Accept, Origin, Access-Control-Request-Method, Access-Control-Request-Headers" );
51+ httpResponse .setHeader ("Access-Control-Allow-Credentials" , "true" );
52+ httpResponse .setHeader ("Access-Control-Max-Age" , "3600" );
53+ }
54+
55+ // Handle preflight OPTIONS requests
56+ if ("OPTIONS" .equalsIgnoreCase (httpRequest .getMethod ())) {
57+ httpResponse .setStatus (HttpServletResponse .SC_OK );
58+ return ;
59+ }
60+
4261 chain .doFilter (request , response );
4362 }
4463
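Review bot: The block at new lines 46–53 echoes the request's `Origin` back in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true` but never sets `Vary: Origin`, so a shared cache can serve a response carrying one origin's grant to a different origin; add `httpResponse.addHeader("Vary", "Origin");` before the `if`. Because credentials are enabled, everything rests on `isOriginAllowed`, which is not visible in this hunk; it should be an exact match against a fixed allowlist, not a prefix, suffix or loose regex test. The preflight branch at new lines 56–59 answers 200 to every `OPTIONS` request, including ones whose origin was rejected or that are not CORS preflights at all; consider gating it on the `Access-Control-Request-Method` header being present. The change also appears to contradict the `@Component` line disabled earlier in this file with "CORS is handled by API Gateway": if the filter is still registered some other way, responses would carry the headers twice, which the class comment warns against.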