1.
CORS
6 Nov 2013 / 14 Nov 2013
Jared Ottley / Alfresco Software
#SummitNow
3.
What is CORS?
Cross-Origin Resource Sharing
• Cross Domain AJAX Calls
• Implemented in Browser and Server
4.
What Browsers Support CORS?
4.0+
3.5+
12.0+
4.0+
Partial
8&9
10+
5.
How Does CORS Work?
Nothing to implement in your JavaScript.
The Browser & the Server do the heavy lifting.
6.
How Does CORS Work?
[Diagram: Browser, OPTIONS, API Request]
7.
Example Code
$.ajax({
    type: "HTTP METHOD",
    url: "Place to go to",
    dataType: 'json',
    async: false,
    data: '{}',
    beforeSend: function (xhr) {
        // A custom Authorization header makes the browser send an OPTIONS preflight first
        xhr.setRequestHeader('Authorization', setAuthTokenHere());
    },
    success: function (response) {
        // do something
    },
    // jQuery names its failure callback "error"
    error: function (response) {
        // do something
    }
});
8.
What About the Server Side?
Alfresco does not ship with CORS support.
Alfresco uses CORS as part of "Alfresco for Salesforce" to talk to Alfresco Cloud.
9.
How to Enable CORS in Alfresco
Add the following jars to WEB-INF/lib:
• cors-filter
• java-property-utils
Both can be found at http://software.dzhuvinov.com/cors-filter.html
10.
How to Enable CORS in Alfresco
Modify WEB-INF/web.xml
<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/service/*</url-pattern>
</filter-mapping>
11.
How to Enable CORS in Alfresco
What services will be called by your app?
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/service/*</url-pattern>
    <url-pattern>/cmisatom/*</url-pattern>
    <url-pattern>/cmisbrowser/*</url-pattern>
</filter-mapping>
12.
How to Enable CORS in Alfresco
[Diagram: Browser, OPTIONS, Authentication, API Request]
13.
How to Enable CORS in Alfresco
Filter can be placed anywhere in web.xml
However…
Filter mapping MUST be before authentication filters
14.
How to Enable CORS in Alfresco
Place after Global Localization Filter but before CMIS security context cleaning filter.
• This is true for 4.2, but may not be true for other versions of Alfresco.
• As a rule: BEFORE any security/authentication filters
15.
Filter Configuration
By default the CORS Filter will apply a "public access" CORS policy, allowing all cross-site requests through (including credentials/cookies). Leaving the CORS Filter at this setting would actually be fine for most situations as CORS is not about adding server security; its primary intent is to protect the browser: the legitimate JavaScript apps running in it and the user's confidential data, such as cookies.
16.
Filter Configuration (cont.)
cors.configurationFile properties file
Setting the location using
• System Property (-D)
• init-param
Or
Individual init-param
17.
Filter Configuration (cont.)
Do not change the following defaults:
• cors.allowGenericHttpRequests {true|false} defaults to true
• cors.supportsCredentials {true|false} defaults to true
cors.maxAge {int} defaults to -1 (unspecified)
• How long should pre-flight requests be cached?
• Recommended value is 3600 (1 hour)
18.
Filter Configuration (cont.)
cors.allowOrigin {"*"|origin-list} defaults to *
• Which calling domains are allowed?
• ex: http://alfresco.com https://www.alfresco.com
• Returns 403 if the domain is not allowed
19.
Filter Configuration (cont.)
cors.allowSubdomains {true|false} defaults to false
• Your application may run in a hosted service where the subdomain is dynamically assigned, e.g. salesforce.com
• ex. https://na14.salesforce.com
20.
Filter Configuration (cont.)
cors.supportedMethods {method-list} defaults to "GET, POST, HEAD, OPTIONS"
cors.supportedHeaders {"*"|header-list} defaults to *
• origin, authorization, accept
21.
Filter Configuration (cont.)
cors.exposedHeaders {header-list} defaults to empty list
• Response headers limited to: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
• Add additional headers to be exposed
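The settings from the Filter Configuration slides, applied to a single preflight request, as an added example (not from the slides and not the cors-filter source). The policy keys reuse the init-param names without the cors. prefix; the origin list, the function names originAllowed and preflight, and the 403 returned for a rejected method or header are assumptions of this sketch.

```javascript
// Simplified model of a preflight decision; not the cors-filter implementation.
// Keys mirror the slides' init-params; the values are constructed samples.
const policy = {
  allowOrigin: ["https://www.alfresco.com", "https://salesforce.com"],
  allowSubdomains: true,
  supportedMethods: ["GET", "POST", "HEAD", "OPTIONS"],
  supportedHeaders: ["origin", "authorization", "accept"],
  supportsCredentials: true,
  maxAge: 3600,
};

function originAllowed(origin, p) {
  let o;
  try { o = new URL(origin); } catch (e) { return false; }
  return p.allowOrigin.some((entry) => {
    const a = new URL(entry);
    if (a.protocol !== o.protocol || a.port !== o.port) return false;
    if (a.hostname === o.hostname) return true;
    // A subdomain must end on a label boundary: ".salesforce.com".
    return p.allowSubdomains && o.hostname.endsWith("." + a.hostname);
  });
}

const deny = () => ({ status: 403, headers: {} });

function preflight(req, p) {
  const origin = req.headers["origin"];
  if (!origin || !originAllowed(origin, p)) return deny();
  const method = req.headers["access-control-request-method"];
  if (!p.supportedMethods.includes(method)) return deny(); // assumed status
  const asked = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!asked.every((h) => p.supportedHeaders.includes(h))) return deny();
  const headers = {
    // Echo the origin: browsers reject "*" on credentialed requests.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": p.supportedMethods.join(", "),
    "Access-Control-Allow-Headers": asked.join(", "),
    "Access-Control-Max-Age": String(p.maxAge),
    "Vary": "Origin",
  };
  if (p.supportsCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return { status: 200, headers };
}

// Constructed request: the jQuery call with an Authorization header.
console.log(preflight({ headers: { origin: "https://na14.salesforce.com",
  "access-control-request-method": "POST",
  "access-control-request-headers": "authorization" } }, policy));
```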