5. 5
How Does CORS Work?
Nothing to implement in your JavaScript.
The Browser & the Server do the heavy lifting.
#SummitNow
6. 6
How Does CORS Work?
[Diagram labels: Browser, OPTIONS, API Request]
7. 7
Example Code
$.ajax({
  type: "HTTP METHOD", url: "Place to go to",
  dataType: 'json', async: false,
  data: '{}',
  beforeSend: function (xhr) {
    // The custom Authorization header makes this a pre-flighted (OPTIONS) request
    xhr.setRequestHeader('Authorization', setAuthTokenHere());
  },
  success: function (response) {
    // do something
  },
  // jQuery's failure callback option is named "error"
  error: function (response) {
    // do something
  }
});
8. 8
What About the Server Side?
Alfresco does not ship with CORS support.
Alfresco uses CORS as part of “Alfresco for Salesforce” to talk to Alfresco Cloud.
9. 9
How to Enable CORS in Alfresco
Add the following jars to WEB-INF/lib
cors-filter
java-property-utils
Both can be found at
http://software.dzhuvinov.com/cors-filter.html
10. 10
How to Enable CORS in Alfresco
Modify WEB-INF/web.xml
<filter>
  <filter-name>CORS</filter-name>
  <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CORS</filter-name>
  <url-pattern>/service/*</url-pattern>
</filter-mapping>
11. 11
How to Enable CORS in Alfresco
What services will be called by your app?
<filter-mapping>
  <filter-name>CORS</filter-name>
  <url-pattern>/service/*</url-pattern>
  <url-pattern>/cmisatom/*</url-pattern>
  <url-pattern>/cmisbrowser/*</url-pattern>
</filter-mapping>
12. 12
How to Enable CORS in Alfresco
[Diagram labels: Browser, OPTIONS, Authentication, API Request]
13. 13
How to Enable CORS in Alfresco
Filter can be placed anywhere in web.xml
However…
Filter mapping MUST be before authentication filters
14. 14
How to Enable CORS in Alfresco
Place after Global Localization Filter but before CMIS security context cleaning filter.
• This is true for 4.2… but may not be true for other versions of Alfresco.
• As a rule, BEFORE any security/authentication filters
15. 15
Filter Configuration
By default the CORS Filter will apply a "public access"
CORS policy, allowing all cross-site requests through
(including credentials/cookies). Leaving the CORS
Filter at this setting would actually be fine for most
situations, as CORS is not about adding server
security; its primary intent is to protect the browser: the legitimate JavaScript apps running in it and the
user's confidential data, such as cookies.
17. 17
Filter Configuration (cont.)
Do not change the following defaults:
• cors.allowGenericHttpRequests {true|false} defaults to true
• cors.supportsCredentials {true|false} defaults to true
cors.maxAge {int} defaults to -1 (unspecified)
• How long pre-flight requests should be cached.
• Recommended value is 3600 (1 hour)
18. 18
Filter Configuration (cont.)
cors.allowOrigin {"*"|origin-list} defaults to *
• Which calling domains are allowed?
• ex: http://alfresco.com https://www.alfresco.com
• Returns 403 if the domain is not allowed
19. 19
Filter Configuration (cont.)
cors.allowSubdomains {true|false} defaults to false
• Your application may run in a hosted service where the subdomain is dynamically assigned, e.g. salesforce.com
• ex. https://na14.salesforce.com
20. 20
Filter Configuration (cont.)
cors.supportedMethods {method-list} defaults to "GET, POST, HEAD, OPTIONS"
cors.supportedHeaders {"*"|header-list} defaults to *
• origin, authorization, accept
21. 21
Filter Configuration (cont.)
cors.exposedHeaders {header-list} defaults to empty list
• Response headers limited to: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
• Add additional headers to be exposed