Cross-Origin Resource Sharing (CORS)
The Connect2id server includes a CORS Filter to allow transparent handling of browser cross-site requests according to the W3C Cross-Origin Resource Sharing (CORS) mechanism.
To configure the CORS policy edit the following properties file in the
WEB-INF
directory of the web application:
WEB-INF/cors.properties
cors.allowGenericHttpRequests
Set to true
to allow generic HTTP requests, else only valid and accepted CORS
requests will be allowed (strict CORS filtering).
Do not change this parameter.
cors.allowGenericHttpRequests = true
cors.allowOrigin
Lists the allowed CORS origins. They must be specified as whitespace-separated
URLs. Requests from origins not included here will be refused with an HTTP 403
“Forbidden” response. If set to *
any origin is allowed.
Example: Allow any origin:
cors.allowOrigin = *
Example: Allow cross-domain requests from the following three origins only:
cors.allowOrigin = http://example.com http://example.com:8080 https://secure.net
cors.allowSubdomains
If true
the CORS filter will allow requests from any origin which is a
subdomain origin of the allowed origins. A subdomain is matched by comparing
its scheme and suffix (host name / IP address and optional port number).
Example:
Explicitly allowed origin: http://example.com
Matches the original origin as well as any subdomain, e.g.
http://foo.example.com
, http://bar.example.com
, etc.
cors.supportedMethods
Lists the supported HTTP methods. Requests for methods not included here will be refused by the CORS filter with an HTTP 405 “Method not allowed” response.
Do not change this parameter.
cors.supportedMethods = GET, POST, PUT, DELETE
cors.supportedHeaders
Lists the supported non-simple (according to the CORS standard) header names.
Do not change this parameter.
cors.supportedHeaders = *
cors.exposedHeaders
Lists the non-simple headers (according to the CORS standard) that the web client (browser) should expose.
Do not change this parameter.
cors.exposedHeaders = Location
cors.supportsCredentials
Indicates whether user credentials, such as cookies, HTTP authentication or client-side certificates, are supported.
Do not change this parameter.
cors.supportsCredentials = true
cors.maxAge
Indicates how long the results of a CORS preflight request can be cached by the
web client, in seconds. If -1
unspecified.
Recommended value: 1 day (86400 seconds).