kbss-cvut · blcham · Nov 28, 2023 · Nov 22, 2023 · Nov 28, 2023
diff --git a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java
@@ -113,15 +113,17 @@ private static void configureAllowedOrigins(CorsConfiguration corsConfig, Config
         final List<String> allowedOrigins = new ArrayList<>();
         appUrlOrigin.ifPresent(allowedOrigins::add);
         final String allowedOriginsConfig = config.getConfig(ConfigParam.CORS_ALLOWED_ORIGINS);
-        allowedOrigins.addAll(Arrays.asList(allowedOriginsConfig.split(",")));
+        Arrays.stream(allowedOriginsConfig.split(",")).filter(s -> !s.isBlank()).forEach(allowedOrigins::add);
         if (!allowedOrigins.isEmpty()) {
             corsConfig.setAllowedOrigins(allowedOrigins);
             corsConfig.setAllowCredentials(true);
-            LOG.debug(
-                "Using response header Access-Control-Allow-Origin with value {}.",
-                corsConfig.getAllowedOrigins()
-            );
+        } else {
+            corsConfig.setAllowedOrigins(null);
         }
+        LOG.debug(
+            "Using response header Access-Control-Allow-Origin with value {}.",
+            corsConfig.getAllowedOrigins()
+        );
     }
 
     private static Optional<String> getApplicationUrlOrigin(ConfigReader configReader) {

diff --git a/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java b/src/test/java/cz/cvut/kbss/study/config/SecurityConfigTest.java
@@ -1,5 +1,6 @@
 package cz.cvut.kbss.study.config;
 
+import cz.cvut.kbss.study.exception.RecordManagerException;
 import cz.cvut.kbss.study.service.ConfigReader;
 import cz.cvut.kbss.study.util.ConfigParam;
 import org.junit.jupiter.api.Test;
@@ -11,6 +12,8 @@
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.hasItems;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 class SecurityConfigTest {
 
@@ -55,4 +58,14 @@ void createCorsConfigurationSupportsMultipleConfiguredAllowedOrigins() {
         assertThat(result.getCorsConfiguration(new MockHttpServletRequest()).getAllowedOrigins(),
                    hasItems(originOne, originTwo, originThree));
     }
+
+    @Test
+    void createCorsConfigurationDoNotSetAllowedOriginsWhenAppContextAndAllowedOriginsAreNotSet() {
+        environment.setProperty(ConfigParam.APP_CONTEXT.toString(), "");
+        environment.setProperty(ConfigParam.CORS_ALLOWED_ORIGINS.toString(),"");
+
+        final CorsConfigurationSource result = SecurityConfig.createCorsConfiguration(config);
+        assertNotNull(result.getCorsConfiguration(new MockHttpServletRequest()));
+        assertNull(result.getCorsConfiguration(new MockHttpServletRequest()).getAllowedOrigins());
+    }
 }