Configuration of CORS within the docker image not possible?

[motey]

Hey there, i need to provide a setup to run a local test instance of Atlas and the WebAPI for my colleagues.

All seems straight forward thanks to the great documentation around OHDSI 💟

But i am stuck at disabling CORS in the ohdsi/webapi docker image.

This is my docker-compose.yml

services:
  # Atlas service, running Nginx to serve the Javascript files.
  atlas:
    image: ohdsi/atlas
    environment:
      WEBAPI_URL: http://localhost:8081/WebAPI/
      ATLAS_HOSTNAME: localhost:8080
    ports:
      - 8080:8080

  # WebAPI service, running Nginx to serve the Javascript files.
  webapi:
    image: ohdsi/webapi
    ports:
      - 8081:8080
    volumes:
      - ./WebAPIConfig:/var/lib/ohdsi/webapi/WebAPIConfig
    environment:
      - JAVA_OPTS=-Xmx4g -Dsecurity.cors.enabled=false -Dsecurity.origin=*
      - CLASSPATH=":/var/lib/ohdsi/webapi/drivers/*"
      - WEBAPI_URL=http://localhost:8081
      # Specify Spring settings. Any Spring setting that is set in `pom.xml` or your own
      # settings.xml can be replaced with a variable in this list. Replace the periods (.) 
      # in the variable name with underscores (_)
      - env=webapi-postgresql
      - datasource_driverClassName=org.postgresql.Driver
      - datasource_url=jdbc:postgresql://postgres:5432/${POSTGRES_USER}
      - datasource_ohdsi_schema=ohdsi
      - datasource_username=${POSTGRES_USER}
      - datasource_password=${POSTGRES_PASSWORD}
      - spring_jpa_properties_hibernate_default__schema=ohdsi
      - spring_jpa_properties_hibernate_dialect=org.hibernate.dialect.PostgreSQLDialect
      - spring_batch_repository_tableprefix=ohdsi.BATCH_
      - flyway_datasource_driverClassName=org.postgresql.Driver
      - flyway_datasource_url=jdbc:postgresql://postgres:5432/${POSTGRES_USER}
      - flyway_schemas=ohdsi
      - flyway_placeholders_ohdsiSchema=ohdsi
      - flyway_datasource_username=${POSTGRES_USER}
      - flyway_datasource_password=${POSTGRES_PASSWORD}
      - flyway_locations=classpath:db/migration/postgresql
      - SECURITY_CORS_ENABLED="true"
      - SECURITY_ORIGIN="*"
      - security_ssl_enabled="false"
  postgres:
    image: postgres:15
    restart: always
    ports:
      - "5432:5432"
    environment:
      - POSTGRES_PASSWORD=${POSTGRES_ROOT_PASSWORD}
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_DB=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
      - POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8
    volumes:
      - ./data/postgres:/var/lib/postgresql/data

Just for completeness also the .env file

POSTGRES_ROOT_PASSWORD=changeme
POSTGRES_USER=changeme
POSTGRES_PASSWORD=changeme

When i run a docker compose up -d and visit http://localhost:8080/atlas/ the Atlas client initialized but will fail with a Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8081/WebAPI/notifications?hide_statuses=. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing) Error message in the console.

What I have tried so far?

1. all reasonable combinations of the env var settings

      - SECURITY_CORS_ENABLED="false"
      - SECURITY_ORIGIN="*"
      - security_ssl_enabled="false"

      - SECURITY_CORS_ENABLED="true"
      - SECURITY_ORIGIN="*"
      - security_ssl_enabled="false"

      - SECURITY_CORS_ENABLED="true"
      - SECURITY_ORIGIN="http://localhost:8080"
      - security_ssl_enabled="false"

I tried it with quotes, no quotes and env var names in upper case and lower case

2. I tried to mount a settings.xml into /var/lib/ohdsi/webapi/WebAPIConfig

<?xml version="1.0" encoding="UTF-8"?>
<settings>
  <profiles>
   <profile>
    <id>webapi-postgresql</id>
    <properties>
      <security.provider>DisabledSecurity</security.provider>
      <security.origin>*</security.origin>
      <security.ssl.enabled>false</security.ssl.enabled>
      <security.cors.enabled>false</security.cors.enabled>
    </properties> 
  </profile>     
  </profiles>
</settings>

(I actually dont know if it was parsed. There was no "settings.xml" in the logs. As i Python dev, I am very bad at interpreting Java/Springboot/ApacheShiro logs. i always experience them as very confusing :D )

3. Disable CORS it via JAVA_OPTS with JAVA_OPTS=-Xmx4g -Dsecurity.cors.enabled=false -Dsecurity.origin=*

I am at a point where i feel stupid. Am i doing it wrong or is it just not possible with the docker image (if yes, why? Any workarounds?)

I am aware of the possibility of building the image locally with a static config. I haven't tried that yet. I want to have a very simple setup for my colleagues. Also, in my view, this defeats the purpose of a docker images (if we need to rebuild the image to reconfigure the runtime config. )

I appreciate any hints 💓