CORS - Enable Alfresco for CORS

Alfresco Summit Lightning Talk. What is CORS? How to enable Alfresco (Community, Enterprise) to allow CORS calls.

  1. CORS 6 Nov 2013 / 14 Nov 2013 Jared Ottley / Alfresco Software #SummitNow
  2. CORS 6 Nov 2013 / 14 Nov 2013 Jared Ottley / Alfresco Software
  3. What is CORS? Cross-Origin Resource Sharing
     • Cross Domain AJAX Calls
     • Implemented in Browser and Server
  4. What Browsers Support CORS? 4.0+ 3.5+ 12.0+ 4.0+ Partial 8&9 10+
  5. How Does CORS Work? Nothing to implement in your JavaScript. The Browser & the Server do the heavy lifting.
  6. How Does CORS Work? (diagram: Browser, OPTIONS, API Request)
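  7. Example Code

     ```javascript
     $.ajax({
       type: "HTTP METHOD",        // placeholder: GET, POST, ...
       url: "Place to go to",      // placeholder: URL of the Alfresco service
       dataType: 'json',
       async: false,
       data: '{}',
       beforeSend: function (xhr) {
         // Attach the credentials; the browser sends the Origin header itself
         xhr.setRequestHeader('Authorization', setAuthTokenHere());
       },
       success: function (response) {
         // do something
       },
       error: function (response) { // jQuery's failure callback is named "error"
         // do something
       }
     });
     ```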
  8. What About the Server Side? Alfresco does not ship with CORS support. Alfresco uses CORS as part of “Alfresco for Salesforce” to talk to Alfresco Cloud.
  9. How to Enable CORS in Alfresco. Add the following jars to WEB-INF/lib:
     • cors-filter
     • java-property-utils

     Both can be found at http://software.dzhuvinov.com/cors-filter.html
  10. How to Enable CORS in Alfresco. Modify WEB-INF/web.xml:

      ```xml
      <filter>
        <filter-name>CORS</filter-name>
        <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>CORS</filter-name>
        <url-pattern>/service/*</url-pattern>
      </filter-mapping>
      ```
  11. How to Enable CORS in Alfresco. What services will be called by your app?

      ```xml
      <filter-mapping>
        <filter-name>CORS</filter-name>
        <url-pattern>/service/*</url-pattern>
        <url-pattern>/cmisatom/*</url-pattern>
        <url-pattern>/cmisbrowser/*</url-pattern>
      </filter-mapping>
      ```
  12. How to Enable CORS in Alfresco (diagram: Browser, OPTIONS, Authentication, API Request)
  13. How to Enable CORS in Alfresco. The filter can be placed anywhere in web.xml. However, the filter mapping MUST be before authentication filters.
  14. How to Enable CORS in Alfresco. Place after Global Localization Filter but before CMIS security context cleaning filter.
      • This is true for 4.2, but may not be true for other versions of Alfresco.
      • By rule, BEFORE any security/authentication filters
  15. Filter Configuration. By default the CORS Filter will apply a "public access" CORS policy, allowing all cross-site requests through (including credentials/cookies). Leaving the CORS Filter at this setting would actually be fine for most situations, as CORS is not about adding server security; its primary intent is to protect the browser, the legitimate JavaScript apps running in it, and the user's confidential data, such as cookies.
  16. Filter Configuration (cont.)
      • cors.configurationFile properties file, setting the location using:
        • System Property (-D)
        • init-param
      • Or individual init-param
  17. Filter Configuration (cont.) Do not change the following defaults:
      • cors.allowGenericHttpRequests {true|false} defaults to true
      • cors.supportsCredentials {true|false} defaults to true

      cors.maxAge {int} defaults to -1 (unspecified)
      • How long should pre-flight requests be cached.
      • Recommended value is 3600 (1 hour)
  18. Filter Configuration (cont.) cors.allowOrigin {"*"|origin-list} defaults to *
      • Which calling domains are allowed?
      • ex: http://alfresco.com https://www.alfresco.com
      • Returns 403 if the domain is not allowed
  19. Filter Configuration (cont.) cors.allowSubdomains {true|false} defaults to false
      • Your application may run in a hosted service where the subdomain is dynamically assigned, ex. salesforce.com
      • ex. https://na14.salesforce.com
  20. Filter Configuration (cont.)
      cors.supportedMethods {method-list} defaults to "GET, POST, HEAD, OPTIONS"

      cors.supportedHeaders {"*"|header-list} defaults to *
      • origin, authorization, accept
  21. Filter Configuration (cont.) cors.exposedHeaders {header-list} defaults to empty list
      • Response headers limited to: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
      • Add additional headers to be exposed
  22. Demo
  23. CORS Resources
      • http://software.dzhuvinov.com/cors-filter.html
      • https://bitbucket.org/thetransactioncompany/cors-filter
      • http://www.w3.org/TR/cors/
      • http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
  24. CORS Resources
      • http://software.dzhuvinov.com/cors-filter.html
      • https://bitbucket.org/thetransactioncompany/cors-filter
      • http://www.w3.org/TR/cors/
      • http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
