CORS
The Connect2id server includes a CORS Filter to allow transparent handling of browser cross-origin requests according to the W3C Cross-Origin Resource Sharing (CORS) mechanism.
The CORS policy is configured in the following properties file:
WEB-INF/cors.properties
Any property in the configuration file can be overridden with a Java system property, e.g. by setting the optional -D argument at JVM startup:
-Dcors.allowOrigin=https://example.com
The external configuration guide has tips for setting system properties from environment variables, local files and other locations.
cors.enable
Set to false to disable the CORS Filter, causing it to pass all HTTP requests through untouched (no CORS response headers are then emitted by the server). The CORS Filter can be disabled if the Connect2id server is provisioned behind a reverse proxy that handles CORS, in which case the proxy must enforce the origin policy. Otherwise the CORS Filter should be left enabled, to process cross-origin requests according to its configuration.
The default value if omitted is true (enabled). Since v11.5.
Example:
cors.enable=true
cors.allowGenericHttpRequests
Set to true to allow generic (non-CORS) HTTP requests, i.e. requests that carry no Origin header, else only valid and accepted CORS requests will be allowed (strict CORS filtering).
Do not change this parameter. Strict CORS filtering would refuse every request that does not originate from a browser cross-origin context, such as a server-side call to the token endpoint.
cors.allowGenericHttpRequests=true
cors.allowOrigin
Lists the allowed CORS origins. They must be specified as whitespace-separated origin URLs (scheme, host name and optional port number). Requests from origins not included here will be refused with an HTTP 403 "Forbidden" response. If set to * any origin is allowed.
An origin is matched as a whole, so the scheme and the port are significant: https://example.com, http://example.com and https://example.com:8080 are three distinct origins. Use the * wildcard only if browser-based clients hosted on arbitrary domains are meant to call the server; for a known set of web applications list their origins explicitly.
Example: Allow any origin:
cors.allowOrigin=*
Example: Allow cross-domain requests from the following three origins only:
cors.allowOrigin=https://example.com https://example.com:8080 https://secure.net
cors.allowSubdomains
If true the CORS Filter will allow requests from any origin which is a subdomain origin of an allowed origin. A subdomain origin is matched by comparing its scheme and suffix (host name / IP address and optional port number) with those of the allowed origin.
Example: With the explicitly allowed origin http://example.com the filter accepts the origin itself as well as any subdomain origin with the same scheme, e.g. http://foo.example.com, http://bar.example.com, etc.
Note that this extends trust to every subdomain, including ones that may not be under your control (delegated or user-assigned subdomains, or host names no longer pointed at your infrastructure). Prefer listing the individual origins in cors.allowOrigin unless subdomain-wide trust is really intended.
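The origin rules of cors.allowOrigin and cors.allowSubdomains above, modelled as an added example (this is not the Connect2id server's or the CORS Filter's own code): a small reader for a constructed cors.properties text plus the decision a request Origin would receive under it. The exact match, the * wildcard and the scheme/port comparison follow the rules stated on this page; the dot-boundary subdomain check and the decision not to normalise default ports are this model's assumptions and should be confirmed against a running server with a preflight request before being relied on.

```python
"""Model of the cors.allowOrigin / cors.allowSubdomains decision.

Added illustration for this page; it is NOT the Connect2id server's or the
CORS Filter's own code. It parses a constructed cors.properties text with
the keys documented above and answers, for a request Origin, whether the
documented rules admit it: an exact match against the listed origins, the
"*" wildcard, or (with cors.allowSubdomains=true) a dot-delimited subdomain
with the same scheme and port.
"""
from urllib.parse import urlsplit

# Constructed cors.properties text (the origins are the page's own example).
CORS_PROPERTIES = """\
# Connect2id server CORS policy (constructed example)
cors.enable=true
cors.allowGenericHttpRequests=true
cors.allowOrigin=https://example.com https://example.com:8080 https://secure.net
cors.allowSubdomains=false
cors.supportedMethods=GET,POST,PUT,DELETE
cors.supportedHeaders=*
cors.exposedHeaders=Location
cors.supportsCredentials=true
cors.maxAge=86400
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_origin(origin):
    """Return (scheme, host, port) for an origin such as https://a.example.com:8080.

    Assumption of this model: default ports are not normalised, so
    https://example.com and https://example.com:443 are different origins.
    """
    parts = urlsplit(origin)
    if not parts.scheme or not parts.hostname or parts.path not in ("", "/"):
        raise ValueError("not a valid origin: %r" % (origin,))
    return parts.scheme.lower(), parts.hostname.lower(), parts.port


def origin_allowed(props, request_origin):
    """True if cors.allowOrigin (plus cors.allowSubdomains) admits request_origin."""
    allowed = props.get("cors.allowOrigin", "").split()
    if "*" in allowed:
        return True
    allow_sub = props.get("cors.allowSubdomains", "false").strip().lower() == "true"
    scheme, host, port = split_origin(request_origin)
    for entry in allowed:
        a_scheme, a_host, a_port = split_origin(entry)
        if (scheme, host, port) == (a_scheme, a_host, a_port):
            return True  # exact origin match
        # Subdomain match on a dot boundary (model assumption): notexample.com
        # must not be accepted as a subdomain of example.com.
        if (allow_sub and scheme == a_scheme and port == a_port
                and host.endswith("." + a_host)):
            return True
    return False


def evaluate(properties_text, request_origins):
    """Map each request Origin to the decision the configured policy yields."""
    props = parse_properties(properties_text)
    return {o: origin_allowed(props, o) for o in request_origins}


if __name__ == "__main__":
    # Constructed request origins exercising the exact, scheme, port and
    # subdomain cases.
    samples = [
        "https://example.com",        # listed: allowed
        "http://example.com",         # wrong scheme: refused (403)
        "https://example.com:8080",   # listed with port: allowed
        "https://example.com:9090",   # unlisted port: refused
        "https://foo.example.com",    # subdomain: refused unless allowSubdomains
        "https://notexample.com",     # not a subdomain: always refused
    ]
    variants = (
        (CORS_PROPERTIES, "cors.allowSubdomains=false"),
        (CORS_PROPERTIES.replace("allowSubdomains=false", "allowSubdomains=true"),
         "cors.allowSubdomains=true"),
    )
    for text, label in variants:
        print(label)
        for origin, ok in evaluate(text, samples).items():
            print("  %-28s %s" % (origin, "allowed" if ok else "refused"))
```

Running the script with your own cors.properties text pasted into CORS_PROPERTIES shows which browser origins would pass the filter and which would receive the 403; the refused cases (wrong scheme, unlisted port, look-alike domain) are the ones worth checking against the live server as well.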
cors.supportedMethods
Lists the supported HTTP methods. Requests for methods not included here will be refused by the CORS filter with an HTTP 405 “Method not allowed” response.
Do not change this parameter.
cors.supportedMethods=GET,POST,PUT,DELETE
cors.supportedHeaders
Lists the supported non-simple (according to the CORS standard) header names.
Do not change this parameter.
cors.supportedHeaders=*
cors.exposedHeaders
Lists the non-simple response headers (according to the CORS standard) that the web client (browser) is permitted to expose to the requesting script.
Do not change this parameter.
cors.exposedHeaders=Location
cors.supportsCredentials
Indicates whether user credentials, such as cookies, HTTP authentication or client-side certificates, are supported.
Do not change this parameter.
cors.supportsCredentials=true
cors.maxAge
Indicates how long the results of a CORS preflight request can be cached by the web client, in seconds. If -1 the value is left unspecified: no Access-Control-Max-Age header is sent and the browser applies its own default.
Recommended value: 1 day (86400 seconds). Browsers enforce their own upper bound on this value, and a change to the policy (for example a removed origin or method) only reaches a browser that has already cached a preflight once that cache expires.