Metaform · paullatzelsperger · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026
diff --git a/src/main/java/com/metaformsystems/redline/config/SecurityConfig.java b/src/main/java/com/metaformsystems/redline/config/SecurityConfig.java
@@ -2,6 +2,9 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -13,6 +16,9 @@
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
 import java.util.Collection;
 import java.util.List;
@@ -38,6 +44,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                 .sessionManagement(session -> session
                         .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                 )
+                .cors(Customizer.withDefaults())
                 .csrf(AbstractHttpConfigurer::disable);
 
         // Allow H2 console in frames (dev only)
@@ -46,6 +53,20 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
         return http.build();
     }
 
+    @Bean
+    @Profile("dev")
+    CorsConfigurationSource corsConfigurationSource(@Value("${app.cors.allowed-origins}") String allowedOrigins) {
+
+        var config = new CorsConfiguration();
+        config.setAllowedOrigins(List.of(allowedOrigins));
+        config.setAllowedMethods(List.of("GET","POST","PUT","PATCH","DELETE","OPTIONS"));
+        config.setAllowedHeaders(List.of("Authorization","Content-Type","x-requested-with"));
+
+        var source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/api/ui/**", config);
+        return source;
+    }
+
     @Bean
     public JwtAuthenticationConverter jwtAuthenticationConverter() {
         JwtAuthenticationConverter converter = new JwtAuthenticationConverter();

diff --git a/src/main/java/com/metaformsystems/redline/controller/RedlineController.java b/src/main/java/com/metaformsystems/redline/controller/RedlineController.java
@@ -1,5 +1,6 @@
 package com.metaformsystems.redline.controller;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.metaformsystems.redline.client.management.dto.Catalog;
 import com.metaformsystems.redline.client.management.dto.TransferProcess;
 import com.metaformsystems.redline.dao.Contract;
@@ -17,32 +18,35 @@
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.media.Content;
+import io.swagger.v3.oas.annotations.media.Encoding;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 import io.swagger.v3.oas.annotations.tags.Tag;
+import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestPart;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.multipart.MultipartFile;
 
 import java.io.IOException;
 import java.time.Instant;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
 /**
  * Main API controller for the Redline UI
  */
 @RestController
-@RequestMapping("/api/ui")
+@RequestMapping(value = "/api/ui", produces = "application/json")
 @Tag(name = "Redline UI", description = "UI API for managing dataspaces, service providers, tenants, and participants")
 public class RedlineController {
     private final ServiceProviderService serviceProviderService;
@@ -96,7 +100,6 @@ public ResponseEntity<ServiceProviderResource> createServiceProvider(@RequestBod
             @ApiResponse(responseCode = "404", description = "Service provider not found")
     })
     @Parameter(name = "serviceProviderId", description = "Database ID of the service provider", required = true)
-    @Parameter(name = "registration", description = "Tenant registration details", required = true)
     public ResponseEntity<TenantResource> registerTenant(
             @PathVariable Long serviceProviderId,
             @RequestBody NewTenantRegistration registration) {
@@ -195,11 +198,12 @@ public ResponseEntity<List<PartnerReferenceResource>> getPartners(@PathVariable
     public ResponseEntity<Void> uploadFile(@PathVariable Long participantId,
                                            @PathVariable Long tenantId,
                                            @PathVariable Long providerId,
-                                           @RequestPart("metadata") Map<String, Object> metadata,
+                                           @RequestPart("metadata") String metadata,
                                            @RequestPart("file") MultipartFile file) {
 
         try {
-            tenantService.uploadFileForParticipant(participantId, metadata, file.getInputStream(), file.getContentType(), file.getOriginalFilename());
+            HashMap<String, Object> metadataMap = new ObjectMapper().readValue(metadata, HashMap.class);
+            tenantService.uploadFileForParticipant(participantId, metadataMap, file.getInputStream(), file.getContentType(), file.getOriginalFilename());
         } catch (IOException e) {
             return ResponseEntity.internalServerError().build();
         }
@@ -232,7 +236,6 @@ public ResponseEntity<List<FileResource>> listFiles(@PathVariable Long participa
             @ApiResponse(responseCode = "400", description = "Invalid counter-party identifier"),
             @ApiResponse(responseCode = "404", description = "Service provider, tenant, or participant not found")
     })
-    @Parameter(name = "cacheControl", description = "Cache control directive", required = false)
     @Parameter(name = "providerId", description = "Database ID of the service provider", required = true)
     @Parameter(name = "tenantId", description = "Database ID of the tenant", required = true)
     @Parameter(name = "participantId", description = "Database ID of the participant", required = true)

diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -34,6 +34,11 @@ springdoc:
 tenant-manager:
   url: ${TENANT_MANAGER_URL:http://localhost:8082}
 
+
+app:
+  cors:
+    allowed-origins: http://localhost:4200
+
 ---
 # Development Profile with H2
 spring:

diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
@@ -21,3 +21,7 @@ spring:
         jwt:
           issuer-uri: http://localhost:8080/realms/test
           jwk-set-uri: http://localhost:8080/realms/test/protocol/openid-connect/certs
+
+app:
+  cors:
+    allowed-origins: "*"