Cross-Origin Resource Sharing (CORS) configuration

The Connect2id server includes a CORS Filter to allow transparent handling of browser cross-site requests according to the W3C Cross-Origin Resource Sharing (CORS) mechanism.

To configure the CORS policy, edit the following properties file in the WEB-INF directory of the web application:



Set to true to allow generic HTTP requests, else only valid and accepted CORS requests will be allowed (strict CORS filtering).

Do not change this parameter.

cors.allowGenericHttpRequests = true


Lists the allowed CORS origins. They must be specified as whitespace-separated URLs. Requests from origins not included here will be refused with an HTTP 403 "Forbidden" response. If set to *, any origin is allowed.

Example: Allow any origin:

cors.allowOrigin = *

Example: Allow cross-domain requests from the following three origins only:

cors.allowOrigin =


If true, the CORS filter will allow requests from any origin which is a subdomain origin of the allowed origins. A subdomain is matched by comparing its scheme and suffix (host name / IP address and optional port number).


Explicitly allowed origin:

Matches the original origin as well as any subdomain, e.g.,, etc.
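
The allow-list and subdomain rule described above can be tried offline against candidate origins before a policy is deployed. This is an added example, not the CORS Filter's or Connect2id's own code; the function names, the sample origins and the default-port handling are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample value in the whitespace-separated form cors.allowOrigin uses.
SAMPLE_ALLOWED = "https://example.com https://app.example.org:8443"


def parse_origin(origin):
    """Return (scheme, host, port), or None if the value is not a bare web origin."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port
    except ValueError:  # malformed port or IPv6 literal
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    # Assumption: an omitted port is treated as the scheme default (80 / 443).
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname, port  # hostname is already lower-cased


def is_allowed(request_origin, allowed_origins, allow_subdomains=False):
    """Apply the allow-list, and optionally the subdomain rule, to one Origin value."""
    if allowed_origins.strip() == "*":
        return True  # any origin is allowed
    req = parse_origin(request_origin)
    if req is None:
        return False  # e.g. the literal "null" origin
    for entry in allowed_origins.split():
        allowed = parse_origin(entry)
        if allowed is None:
            continue  # skip malformed allow-list entries
        if req == allowed:
            return True
        # Subdomain rule: same scheme and port, and the host must end with
        # "." + allowed host so the suffix match falls on a DNS label boundary.
        if (allow_subdomains and req[0] == allowed[0] and req[2] == allowed[2]
                and req[1].endswith("." + allowed[1])):
            return True
    return False
```

The label-boundary check is the part worth testing in any origin matcher: a plain string-suffix comparison would accept a look-alike host such as notexample.com for an allowed example.com.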


Lists the supported HTTP methods. Requests for methods not included here will be refused by the CORS filter with an HTTP 405 "Method not allowed" response.

Do not change this parameter.

cors.supportedMethods = GET, POST, PUT, DELETE


Lists the supported non-simple (according to the CORS standard) header names.

Do not change this parameter.

cors.supportedHeaders = *


Lists the non-simple headers (according to the CORS standard) that the web client (browser) should expose.

Do not change this parameter.

cors.exposedHeaders = Location


Indicates whether user credentials, such as cookies, HTTP authentication or client-side certificates, are supported.

Do not change this parameter.

cors.supportsCredentials = true


Indicates how long the results of a CORS preflight request can be cached by the web client, in seconds. If set to -1, the cache time is unspecified.

Recommended value: 1 day (86400 seconds).