Skip to content

CORS Filter in Gluu CE#

CORS Filter Overview#

CORS Filter is an implementation of W3C's CORS (Cross-Origin Resource Sharing) specification. CORS is a mechanism which enables cross-origin requests. CORS Filter work by adding required Access-Control-* headers to HttpServletResponse object. The filter also protects against HTTP response splitting. If request is invalid, or is not permitted, then request is rejected with HTTP status code 403 (Forbidden). A flowchart that demonstrates request processing by this filter. flowchart

The minimal configuration required to use CORS Filter is as below which is already added to the web.xml in oxauth.war. Below is only for reference and no additional action is required, and configuration steps are defined below. CORS Filter reads the configurations from LDAP and therefore configuration can be done in oxTrust UI directly. Filter Name for CORS Filter in Gluu CE will be org.xdi.oxauth.filter.CorsFilter.


Configuring CORS Filter in oxTrust UI#

CORS can be configured with ease using Gluu CE oxTrust UI. Below are the steps

  1. Login to oxTrust UI
  2. Click on Configuration
  3. Click on JSON Configuration
  4. Click the oxAuth Configuration tab and scroll down to find corsConfigurationFilters
  5. If corsConfigurationFilters is hidden or collapsed, click on the arrow to be expand.

    cors enable

  6. This will bring up the cors Configuration Filters parameters, as depicted below


  7. Once all the parameters are defined and configured, click on the save button at the end of the page.

Parameters supported by CORS Filters#

CORS Filter supports following initialization parameters:

Attribute Description
corsAllowedOrigins AA list of origins that are allowed to access the resource. A * can be specified to enable access to resource from any origin. Otherwise, a whitelist of comma separated origins can be provided. Eg:, Defaults: * (Any origin is allowed to access the resource).
corsAllowedMethods A comma separated list of HTTP methods that can be used to access the resource, using cross-origin requests. These are the methods which will also be included as part of Access-Control-Allow-Methods header in pre-flight response. Eg: GET, POST. Defaults: GET, POST, HEAD, OPTIONS
corsExposedHeaders A comma separated list of request headers that can be used when making an actual request. These headers will also be returned as part of Access-Control-Allow-Headers header in a pre-flight response. Eg: Origin,Accept. Defaults: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers.
corsSupportCredentials A flag that indicates whether the resource supports user credentials. This flag is exposed as part of Access-Control-Allow-Credentials header in a pre-flight response. It helps browser determine whether or not an actual request can be made using credentials. Defaults: true
corsLoggingEnabled Value to enable logging, Setting the value to False will disable logging. Defaults:true
corsPreflightMaxAge The amount of seconds, browser is allowed to cache the result of the pre-flight request. This will be included as part of Access-Control-Max-Age header in the pre-flight response. A negative value will prevent CORS Filter from adding this response header to pre-flight response. Defaults: 1800
corsRequestDecorate A flag to control if CORS specific attributes should be added to HttpServletRequest object or not. Defaults: true