fixed CORS support

src/main/java/ca/uhn/fhir/jpa/starter/HapiProperties.java

@@ -42,6 +42,7 @@ public class HapiProperties {
     static final String TESTER_CONFIG_REFUSE_TO_FETCH_THIRD_PARTY_URLS = "tester.config.refuse_to_fetch_third_party_urls";
     static final String CORS_ENABLED = "cors.enabled";
     static final String CORS_ALLOWED_ORIGIN = "cors.allowed_origin";
+    static final String CORS_ALLOWED_CREDENTIALS = "hapi.properties";
     static final String ALLOW_CONTAINS_SEARCHES = "allow_contains_searches";
     static final String ALLOW_OVERRIDE_DEFAULT_SEARCH_PARAMS = "allow_override_default_search_params";
     static final String EMAIL_FROM = "email.from";
@@ -323,4 +324,8 @@ public class HapiProperties {
         String value = HapiProperties.getProperty(REUSE_CACHED_SEARCH_RESULTS_MILLIS, "-1");
         return Long.valueOf(value);
     }
+
+    public static Boolean getCorsAllowedCredentials() {
+        return HapiProperties.getBooleanProperty(CORS_ALLOWED_CREDENTIALS, false);
+    }
 }

src/main/java/ca/uhn/fhir/jpa/starter/JpaRestfulServer.java

@@ -28,6 +28,7 @@ import ca.uhn.fhir.rest.server.interceptor.ResponseHighlighterInterceptor;
 import org.hl7.fhir.dstu3.model.Bundle;
 import org.hl7.fhir.dstu3.model.Meta;
 import org.springframework.context.ApplicationContext;
+import org.springframework.http.HttpHeaders;
 import org.springframework.web.cors.CorsConfiguration;
 
 import javax.servlet.ServletException;
@@ -185,18 +186,25 @@ public class JpaRestfulServer extends RestfulServer {
         // to your specific needs
         if (HapiProperties.getCorsEnabled()) {
             CorsConfiguration config = new CorsConfiguration();
+            config.addAllowedHeader(HttpHeaders.ORIGIN);
+            config.addAllowedHeader(HttpHeaders.ACCEPT);
+            config.addAllowedHeader(HttpHeaders.CONTENT_TYPE);
+            config.addAllowedHeader(HttpHeaders.AUTHORIZATION);
+            config.addAllowedHeader(HttpHeaders.CACHE_CONTROL);
             config.addAllowedHeader("x-fhir-starter");
-            config.addAllowedHeader("Origin");
-            config.addAllowedHeader("Accept");
             config.addAllowedHeader("X-Requested-With");
-            config.addAllowedHeader("Content-Type");
             config.addAllowedHeader("Prefer");
-
+            String allAllowedCORSOrigins = HapiProperties.getCorsAllowedOrigin();
+            Arrays.stream(allAllowedCORSOrigins.split(",")).forEach(o -> {
+                config.addAllowedOrigin(o);
+            });
             config.addAllowedOrigin(HapiProperties.getCorsAllowedOrigin());
 
             config.addExposedHeader("Location");
             config.addExposedHeader("Content-Location");
-            config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"));
+            config.setAllowedMethods(
+                Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "HEAD"));
+            config.setAllowCredentials(HapiProperties.getCorsAllowedCredentials());
 
             // Create the interceptor and register it
             CorsInterceptor interceptor = new CorsInterceptor(config);

src/main/resources/hapi.properties

@@ -1,7 +1,7 @@
 # Adjust this to set the version of FHIR supported by this server. See
 # FhirVersionEnum for a list of available constants. Example values include
 # DSTU2, DSTU3, R4.
-fhir_version=R4
+fhir_version=DSTU3
 
 # This is the address that the FHIR server will report as its own address.
 # If this server will be deployed (for example) to an internet accessible
@@ -51,6 +51,9 @@ hibernate.search.default.indexBase=target/lucenefiles
 hibernate.search.lucene_version=LUCENE_CURRENT
 tester.config.refuse_to_fetch_third_party_urls=false
 cors.enabled=true
+cors.allowCredentials=true
+# Supports multiple, comma separated allowed origin entries
+# cors.allowed_origin=http://localhost:8080,https://localhost:8080,https://fhirtest.uhn.ca
 cors.allowed_origin=*
 
 ##################################################