CORS Filter is an implementation of the W3C's Cross-Origin Resource Sharing (CORS) specification.
The CORS Filter works by adding the required Access-Control-* headers to the HttpServletResponse object. The filter also protects against HTTP response splitting. If a request is invalid or not permitted, the request is rejected with HTTP status code 403 (Forbidden).
This flowchart demonstrates request processing by this filter:
The minimal configuration required to use the CORS Filter is shown below, and is already added to the oxauth.war. The filter name is

```xml
<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.gluu.oxauth.filter.CorsFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/.well-known/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/restv1/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/opiframe</url-pattern>
</filter-mapping>
```
CORS can be configured in oxTrust. Follow these steps:
- Log in to oxTrust UI
- Navigate to
- Scroll down to find
- If `corsConfigurationFilters` is hidden or collapsed, click the arrow to expand it.
This will display the CORS Configuration Filter parameters, as shown below:
- Define and configure the parameters, then click `save` at the bottom of the page.
Parameters supported by CORS Filters
CORS Filter supports the following initialization parameters:
| Parameter | Description |
|---|---|
| corsAllowedOrigins | A list of origins that are allowed to access the resource. A |
| corsAllowedMethods | A comma-separated list of HTTP methods that can be used to access the resource using cross-origin requests. These are the methods that will also be included in the Access-Control-Allow-Methods header of the pre-flight response. Eg: |
| corsExposedHeaders | A comma-separated list of request headers that can be used when making an actual request. These headers will also be returned in the Access-Control-Allow-Headers header of a pre-flight response. Eg: |
| corsSupportCredentials | A flag that indicates whether the resource supports user credentials. This flag is exposed as part of |
| corsLoggingEnabled | Value to enable logging. Setting the value to |
| corsPreflightMaxAge | The duration in seconds the browser is allowed to cache the result of the pre-flight request. This will be included as part of the |
| corsRequestDecorate | A flag to control whether CORS-specific attributes should be added to the HttpServletRequest object. Defaults: |
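To make the parameters above concrete, here is an added example (written for this page, not Gluu's CorsFilter source) that models the decision sequence the filter description gives: reject a CR/LF-bearing Origin (response splitting), reject origins and methods outside the configured lists with 403, and otherwise emit the Access-Control-* headers; the `CorsConfig` class, `handle` function and their default values are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class CorsConfig:
    # Field names mirror the filter parameters documented above; defaults are assumed.
    corsAllowedOrigins: set = field(default_factory=lambda: {"*"})
    corsAllowedMethods: set = field(default_factory=lambda: {"GET", "POST", "HEAD", "OPTIONS"})
    corsExposedHeaders: set = field(default_factory=lambda: {"Origin", "Accept", "Content-Type"})
    corsSupportCredentials: bool = True
    corsPreflightMaxAge: int = 1800

FORBIDDEN = 403

def handle(cfg, method, req_headers):
    """Return (status, extra response headers) for one request.
    Header lookup is case-insensitive, as in the servlet API."""
    h = {k.lower(): v for k, v in req_headers.items()}
    origin = h.get("origin")
    if origin is None:                      # not a cross-origin request: pass through
        return 200, {}
    if "\r" in origin or "\n" in origin:    # CR/LF would split the response if echoed
        return FORBIDDEN, {}
    if "*" not in cfg.corsAllowedOrigins and origin not in cfg.corsAllowedOrigins:
        return FORBIDDEN, {}
    out = {}
    # Browsers reject "*" together with credentials, so echo the specific origin
    # and mark the response as varying by Origin so caches do not reuse it.
    if cfg.corsSupportCredentials:
        out["Access-Control-Allow-Origin"] = origin
        out["Access-Control-Allow-Credentials"] = "true"
        out["Vary"] = "Origin"
    else:
        out["Access-Control-Allow-Origin"] = "*" if "*" in cfg.corsAllowedOrigins else origin
    requested = h.get("access-control-request-method")
    if method == "OPTIONS" and requested is not None:   # pre-flight request
        if requested not in cfg.corsAllowedMethods:
            return FORBIDDEN, {}
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(cfg.corsAllowedMethods))
        out["Access-Control-Allow-Headers"] = ", ".join(sorted(cfg.corsExposedHeaders))
        out["Access-Control-Max-Age"] = str(cfg.corsPreflightMaxAge)
        return 200, out
    if method not in cfg.corsAllowedMethods:            # actual request
        return FORBIDDEN, {}
    return 200, out
```

Running `handle` against a constructed allow-list such as `{"https://app.example.com"}` shows that a disallowed origin, a disallowed pre-flight method and a CR/LF-injected Origin all come back as 403, while a permitted origin gets the echoed origin plus `Access-Control-Allow-Credentials: true`.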