CORS Filter Configuration

For security reasons, browsers apply a same-origin restriction to network requests that prevents a web application running in one origin from reading data served by other origins. CORS (Cross-Origin Resource Sharing) is a mechanism for relaxing this restriction in a controlled way: the server states which origins may read its responses, and the browser enforces that statement. If your Live Center presentation web service is deployed in a different domain from the Live Center web application, then browsers will not let it read any Live Center data unless you explicitly grant it permission by configuring the Live Center CORS filter.

The CORS mechanism is based on the concept of a pre-flight request. Before making a cross-origin request that is not a simple GET, HEAD or form POST (for example one with custom headers or another HTTP method), a browser first sends an OPTIONS pre-flight request to find out what kinds of requests the host will accept. The host returns a pre-flight response in which it specifies which origins it will accept requests from, and what kinds of requests (which HTTP methods, headers and so on) it will respond to. If the pre-flight response does not permit the request, the browser never sends it. The Live Center CORS filter allows you to specify what is returned in Live Center pre-flight responses, and which origins are named in the Access-Control-Allow-Origin header that every cross-origin response must carry.

To configure the CORS filter:

  1. Copy CorsFilter.properties from the plug-in installation into your webapp configuration layer (not the common configuration layer):

    $ cp /opt/escenic/engine/plugins/live-center/misc/siteconfig/com/escenic/livecenter/presentation/filter/cors/CorsFilter.properties \
    > /etc/escenic/engine/webapp/live-center-presentation-webservice/com/escenic/livecenter/presentation/filter/cors/CorsFilter.properties
    
  2. Open the copied CorsFilter.properties for editing and set the following properties:

    allowedOrigins

    A comma-separated list of origins that are to be granted access to Live Center resources. An origin is a URL protocol identifier plus a domain name (for example http://www.w3.org or https://www.apache.org); the protocol is part of the origin, so http://example.com and https://example.com are two different origins. The default setting of * grants access to all origins and should not be left in place on a production system, because together with the default supportsCredentials=true it lets any web site a logged-in user visits read Live Center data with that user's session. In order to restrict access to your presentation web service only, specify the web service's origin. For example:

    allowedOrigins=https://mypresentationdomain.com

    If you wish more than one presentation web service to be able to access Live Center resources, then you can specify several origins:

    allowedOrigins=https://mypresentationdomain.com,http://myotherdomain.org

    allowedHttpMethods

    A comma-separated list of HTTP methods such as GET and POST that can be used to access resources; a pre-flight request for any other method is refused. The specified methods are returned in the pre-flight response's Access-Control-Allow-Methods header. If the presentation web service only reads data, removing POST from the list is a cheap way to narrow what a permitted origin can do.

    The default setting is:

    allowedHttpMethods=GET,POST,HEAD,OPTIONS

    allowedHttpHeaders

    A comma-separated list of HTTP request headers such as Origin and Accept that can be used in cross-origin requests; a pre-flight request that announces any other header (in Access-Control-Request-Headers) is refused. The specified headers are returned in the pre-flight response's Access-Control-Allow-Headers header.

    The default setting is:

    allowedHttpHeaders=Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers

    exposedHeaders

    A comma-separated list of HTTP response headers that may be exposed to the browser. The specified headers are returned in the Access-Control-Expose-Headers header of the actual cross-origin response (not the pre-flight response). Without this setting a cross-origin script can only read a small safelisted set of response headers such as Content-Type, so list only the headers the presentation web service actually needs.

    There is no default setting for this parameter.

    supportsCredentials

    A flag indicating whether or not user credentials (cookies, HTTP authentication and client certificates) may be sent with cross-origin requests. When true, responses include an Access-Control-Allow-Credentials: true header, which tells the browser it may make the request with the user's credentials and let the requesting script read the response. Browsers refuse to honour a literal * in Access-Control-Allow-Origin when credentials are involved, so whenever this flag is true allowedOrigins must name the specific origins that are trusted with the user's Live Center session.

    The default setting is true.

    preflightMaxAge

    The number of seconds for which the browser is allowed to cache the result of a CORS pre-flight request. The specified value is returned in the pre-flight response's Access-Control-Max-Age header. Specifying a negative value prevents the CORS filter from including an Access-Control-Max-Age header in the pre-flight response.

    The default setting is 1800.

    decorateRequest

    A flag specifying whether or not CORS-specific attributes describing the request (for example whether it is a cross-origin request and which origin made it) are to be added to the HttpServletRequest object so that downstream code can inspect them.

    The default setting is true.
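To see how the settings above combine, here is an added example that is not Live Center or Escenic code and is not the real filter's source: a small model of the pre-flight decision a CORS filter makes from a CorsFilter.properties file. It reads the documented property names and defaults, answers a pre-flight request the way the CORS rules require, and flags the wildcard-plus-credentials combination. The two property files and the origin https://attacker.example are constructed samples; the other hostnames are the placeholders used in step 2.

```python
"""Model of the pre-flight decision a CORS filter makes from CorsFilter.properties.

Added example: this is not Live Center or Escenic code and not the real filter's
source. The property names and defaults are the ones documented above; the
decision logic is the generic CORS rule set, used to show what each setting does.
"""

# Shipped defaults as documented above (exposedHeaders has no default).
DEFAULTS = {
    "allowedOrigins": "*",
    "allowedHttpMethods": "GET,POST,HEAD,OPTIONS",
    "allowedHttpHeaders": ("Origin,Accept,X-Requested-With,Content-Type,"
                           "Access-Control-Request-Method,Access-Control-Request-Headers"),
    "exposedHeaders": "",
    "supportsCredentials": "true",
    "preflightMaxAge": "1800",
}

# Constructed sample: the shipped file with the wildcard left in place.
WEAK_CONFIG = """# CorsFilter.properties as shipped
allowedOrigins=*
supportsCredentials=true
"""

# Constructed sample: locked to the presentation web service only.
HARDENED_CONFIG = """# CorsFilter.properties after step 2
allowedOrigins=https://mypresentationdomain.com
allowedHttpMethods=GET,HEAD,OPTIONS
supportsCredentials=true
preflightMaxAge=600
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def preflight_response(props, origin, request_method, request_headers=()):
    """Headers a pre-flight response would carry for this request, or None when
    the request is refused (no CORS headers, so the browser blocks the real call)."""
    cfg = {**DEFAULTS, **props}
    allowed_origins = _csv(cfg["allowedOrigins"])
    any_origin = "*" in allowed_origins
    if not any_origin and origin not in allowed_origins:
        return None
    if request_method.upper() not in {m.upper() for m in _csv(cfg["allowedHttpMethods"])}:
        return None
    allowed_headers = {h.lower() for h in _csv(cfg["allowedHttpHeaders"])}
    if any(h.lower() not in allowed_headers for h in request_headers):
        return None

    credentials = cfg["supportsCredentials"].strip().lower() == "true"
    headers = {}
    # Browsers reject a literal "*" when credentials are involved, so a filter that
    # allows credentials has to name the requesting origin; with "*" configured that
    # means every origin, trusted or not, gets its own name echoed back.
    headers["Access-Control-Allow-Origin"] = "*" if any_origin and not credentials else origin
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    headers["Access-Control-Allow-Methods"] = cfg["allowedHttpMethods"]
    headers["Access-Control-Allow-Headers"] = cfg["allowedHttpHeaders"]
    max_age = int(cfg["preflightMaxAge"])
    if max_age >= 0:  # a negative value suppresses the header, as documented
        headers["Access-Control-Max-Age"] = str(max_age)
    return headers


def audit(props):
    """Return the findings a reviewer would raise about a CorsFilter.properties."""
    cfg = {**DEFAULTS, **props}
    origins = _csv(cfg["allowedOrigins"])
    findings = []
    if "*" in origins and cfg["supportsCredentials"].strip().lower() == "true":
        findings.append("allowedOrigins=* with supportsCredentials=true: any site a "
                        "logged-in user visits can read Live Center data with that user's session")
    for origin in origins:
        if origin.startswith("http://"):
            findings.append(f"{origin}: plaintext origin, so an on-path attacker can act as it")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        props = parse_properties(text)
        print(name, "findings:", audit(props) or "none")
        for origin in ("https://mypresentationdomain.com", "https://attacker.example"):
            print("  ", origin, "->", preflight_response(props, origin, "GET", ["Content-Type"]))
```

Against a running instance the equivalent check is a hand-made pre-flight request, for example curl -i -X OPTIONS -H 'Origin: https://attacker.example' -H 'Access-Control-Request-Method: GET' against a Live Center resource URL: an Access-Control-Allow-Origin header that repeats the untrusted origin, or that is *, shows the restriction is not in effect, while a correctly locked filter answers without any Access-Control-Allow-Origin header at all.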