Alfresco Summit Lightning Talk. What is CORS? How to enable Alfresco (Community, Enterprise) to allow CORS calls.

Published in: Technology

  1. CORS
      6 Nov 2013 / 14 Nov 2013
      Jared Ottley / Alfresco Software
      #SummitNow
  3. What is CORS?
      Cross-Origin Resource Sharing
      • Cross Domain AJAX Calls
      • Implemented in Browser and Server
  4. What Browsers Support CORS?
      4.0+ 3.5+ 12.0+ 4.0+ Partial 8&9 10+
  5. How Does CORS Work?
      Nothing to implement in your JavaScript. The Browser & the Server do the heavy lifting.
  6. How Does CORS Work?
      [Diagram labels: Browser, OPTIONS, API Request]
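  7. Example Code

      ```javascript
      $.ajax({
          type: "HTTP METHOD",      // placeholder: GET, POST, ...
          url: "Place to go to",    // placeholder: the cross-origin API URL
          dataType: 'json',
          async: false,
          data: '{}',
          beforeSend: function (xhr) {
              // Send the credentials; the browser adds the Origin header itself
              xhr.setRequestHeader('Authorization', setAuthTokenHere());
          },
          success: function (response) {
              // do something
          },
          // jQuery's failure callback is named "error"
          error: function (response) {
              // do something
          }
      });
      ```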
  8. What About the Server Side?
      Alfresco does not ship with CORS support.
      Alfresco uses CORS as part of “Alfresco for Salesforce” to talk to Alfresco Cloud.
  9. How to Enable CORS in Alfresco
      Add the following jars to WEB-INF/lib
      • cors-filter
      • java-property-utils
      Both can be found at
  10. How to Enable CORS in Alfresco
      Modify WEB-INF/web.xml

      ```xml
      <filter>
          <filter-name>CORS</filter-name>
          <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
      </filter>
      <filter-mapping>
          <filter-name>CORS</filter-name>
          <url-pattern>/service/*</url-pattern>
      </filter-mapping>
      ```
  11. How to Enable CORS in Alfresco
      What services will be called by your app?

      ```xml
      <filter-mapping>
          <filter-name>CORS</filter-name>
          <url-pattern>/service/*</url-pattern>
          <url-pattern>/cmisatom/*</url-pattern>
          <url-pattern>/cmisbrowser/*</url-pattern>
      </filter-mapping>
      ```
  12. How to Enable CORS in Alfresco
      [Diagram labels: Browser, OPTIONS, Authentication, API Request]
  13. How to Enable CORS in Alfresco
      Filter can be placed anywhere in web.xml
      However…
      Filter mapping MUST be before authentication filters
  14. How to Enable CORS in Alfresco
      Place after Global Localization Filter but before CMIS security context cleaning filter.
      • This is true for 4.2…but may not be true for other versions of Alfresco.
      • By rule BEFORE any security/authentication filters
  15. Filter Configuration
      By default the CORS Filter will apply a "public access" CORS policy, allowing all cross-site requests through (including credentials/cookies). Leaving the CORS Filter at this setting would actually be fine for most situations, as CORS is not about adding server security; its primary intent is to protect the browser: the legitimate JavaScript apps running in it and the user's confidential data, such as cookies.
  16. Filter Configuration (cont.)
      cors.configurationFile properties file
      Setting the location using
      • System Property (-D)
      • init-param
      Or
      Individual init-param
  17. Filter Configuration (cont.)
      Do not change the following defaults:
      • cors.allowGenericHttpRequests {true|false} defaults to true
      • cors.supportsCredentials {true|false} defaults to true
      cors.maxAge {int} defaults to -1 (unspecified)
      • How long should pre-flight requests be cached.
      • Recommended value is 3600 (1 hour)
  18. Filter Configuration (cont.)
      cors.allowOrigin {"*"|origin-list} defaults to *
      • Which calling domains are allowed?
      • ex:
      • Returns 403 if the domain is not allowed
  19. Filter Configuration (cont.)
      cors.allowSubdomains {true|false} defaults to false
      • Your application may run in a hosted service where the subdomain is dynamically assigned ex.
      • ex.
  20. Filter Configuration (cont.)
      cors.supportedMethods {method-list} defaults to "GET, POST, HEAD, OPTIONS"
      cors.supportedHeaders {"*"|header-list} defaults to *
      • origin, authorization, accept
  21. Filter Configuration (cont.)
      cors.exposedHeaders {header-list} defaults to empty list
      • Response headers limited to: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
      • Add additional headers to be exposed
  23. CORS Resources
  24. CORS Resources