CORS Filter Configuration
For security reasons, browsers commonly apply a same-origin restriction to network requests that prevents a web application running in one domain from retrieving data from other domains. CORS (Cross-Origin Resource Sharing) is a mechanism for relaxing this restriction in a controlled way. If your Live Center presentation web service is deployed in a different domain from the Live Center web application, then it will not be able to access any data unless you explicitly give it permission by configuring the Live Center CORS filter.

The CORS mechanism is based on the concept of a pre-flight request. Before making a cross-domain request, a browser first sends a pre-flight request to find out what kinds of requests the host will respond to. The host then returns a pre-flight response in which it specifies which domains it will accept requests from, and what kinds of requests (which HTTP methods, headers and so on) it will respond to. The Live Center CORS filter allows you to specify what is returned in Live Center pre-flight responses.
To configure the CORS filter:

- Copy CorsFilter.properties from the plug-in installation into your webapp configuration layer (not the common configuration layer):

  $ cp /opt/escenic/engine/plugins/live-center/misc/siteconfig/com/escenic/livecenter/presentation/filter/cors/CorsFilter.properties \
  > /etc/escenic/engine/webapp/live-center-presentation-webservice/com/escenic/livecenter/presentation/filter/cors/CorsFilter.properties

- Open the copied CorsFilter.properties for editing and set the following properties:

  allowedOrigins
  - A comma-separated list of origins that are to be granted access to Live Center resources. An origin is a URL protocol identifier plus a domain name (for example http://www.w3.org or https://www.apache.org). The default setting of * grants access to all domains. In order to restrict access to your presentation web service only, specify the web service's origin. For example:

      allowedOrigins=https://mypresentationdomain.com

    If you wish more than one presentation web service to be able to access Live Center resources, then you can specify several origins:

      allowedOrigins=https://mypresentationdomain.com,http://myotherdomain.org

  allowedHttpMethods
  - A comma-separated list of HTTP methods such as GET and POST that can be used to access resources. The specified methods are returned in the pre-flight response's Access-Control-Allow-Methods header. The default setting is:

      allowedHttpMethods=GET,POST,HEAD,OPTIONS

  allowedHttpHeaders
  - A comma-separated list of HTTP request headers such as Origin and Accept that can be used in cross-origin requests. The specified headers are returned in the pre-flight response's Access-Control-Allow-Headers header. The default setting is:

      allowedHttpHeaders=Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers

  exposedHeaders
  - A comma-separated list of HTTP response headers that may be exposed to the browser. The specified headers are returned in the pre-flight response's Access-Control-Expose-Headers header. There is no default setting for this parameter.

  supportsCredentials
  - A flag indicating whether or not user credentials are supported. It tells the browser whether or not a request may be made with credentials. The default setting is true.

  preflightMaxAge
  - The number of seconds for which the browser is allowed to cache the result of a CORS pre-flight request. The specified value is returned in the pre-flight response's Access-Control-Max-Age header. Specifying a negative value prevents the CORS filter from including an Access-Control-Max-Age header in the pre-flight response. The default setting is 1800.

  decorateRequest
  - A flag specifying whether or not CORS-specific attributes are to be added to the HttpServletRequest object. The default setting is true.
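The following is an added example, not code from the Live Center plug-in: it parses a CorsFilter.properties file using the keys and defaults documented above, works out what a pre-flight response for a given origin, method and request headers would contain, and flags the one setting combination worth reviewing before deployment, the default allowedOrigins=* together with supportsCredentials=true. The matching logic and the echoing of the caller's origin in the credentialed case are an illustration of the CORS rules, not a description of the plug-in's implementation.

```python
# Added example, not the plug-in's code: the pre-flight decision implied by the documented keys.
DEFAULTS = {
    "allowedOrigins": "*",
    "allowedHttpMethods": "GET,POST,HEAD,OPTIONS",
    "allowedHttpHeaders": "Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers",
    "supportsCredentials": "true",
    "preflightMaxAge": "1800",
}

def parse_properties(text):
    props = dict(DEFAULTS)                           # documented defaults for unset keys
    for line in text.splitlines():                   # Java-style key=value lines
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def preflight(props, origin, method, request_headers=()):
    """Headers of the pre-flight response, or None if the request is refused."""
    origins, credentials = _csv(props["allowedOrigins"]), props["supportsCredentials"].lower() == "true"
    any_origin = "*" in origins
    if not any_origin and origin not in origins:
        return None                                  # origin not granted access
    if method not in _csv(props["allowedHttpMethods"]):
        return None                                  # method not allowed
    allowed = {h.lower() for h in _csv(props["allowedHttpHeaders"])}
    if any(h.lower() not in allowed for h in request_headers):
        return None                                  # request header not allowed
    resp = {
        # Browsers reject a literal "*" on credentialed responses, so a filter
        # combining "*" with credentials has to echo the caller's origin instead.
        "Access-Control-Allow-Origin": "*" if any_origin and not credentials else origin,
        "Access-Control-Allow-Methods": props["allowedHttpMethods"],
        "Access-Control-Allow-Headers": props["allowedHttpHeaders"],
    }
    if credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    max_age = int(props["preflightMaxAge"])
    if max_age >= 0:                                 # negative value: header omitted
        resp["Access-Control-Max-Age"] = str(max_age)
    return resp

def audit(props):                                    # the combination a reviewer checks first
    if "*" in _csv(props["allowedOrigins"]) and props["supportsCredentials"].lower() == "true":
        return ["allowedOrigins=* with supportsCredentials=true: credentialed access from "
                "every origin; set allowedOrigins to the presentation web service's origin"]
    return []
```

Run audit() against the copied file before restarting the web service; with the shipped defaults it reports the wildcard-plus-credentials combination, and an empty list once allowedOrigins names the presentation web service.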