Cross-Origin Resource Sharing (CORS) configuration

The Connect2id server includes a CORS Filter to allow transparent handling of browser cross-site requests according to the W3C Cross-Origin Resource Sharing (CORS) mechanism.

The CORS policy is configured in the following properties file:

WEB-INF/cors.properties

Any property in the configuration file can be overridden with a Java system property, e.g. by setting the optional -D argument at JVM startup:

-Dcors.allowOrigin=https://example.com

The external configuration guide has tips for setting system properties from environment variables, local files and other locations.

cors.enable

Set to false to disable the CORS Filter, causing it to pass all HTTP requests. The CORS Filter can be disabled if the Connect2id server is provisioned with a reverse proxy handling CORS. Otherwise the CORS Filter should be left enabled, to process cross-domain requests according to its configuration.

The default value if omitted is true (enabled). Since v11.5.

Example:

cors.enable=true

cors.allowGenericHttpRequests

Set to true to allow generic HTTP requests, else only valid and accepted CORS requests will be allowed (strict CORS filtering).

Do not change this parameter.

cors.allowGenericHttpRequests=true

cors.allowOrigin

Lists the allowed CORS origins, specified as whitespace-separated URLs. Requests from origins not included here will be refused with an HTTP 403 "Forbidden" response. If set to * any origin is allowed.

Example: Allow any origin:

cors.allowOrigin=*

Example: Allow cross-domain requests from the following three origins only:

cors.allowOrigin=https://example.com https://example.com:8080 https://secure.net

cors.allowSubdomains

If true, the CORS filter will also allow requests from any origin that is a subdomain origin of one of the allowed origins. A subdomain origin is matched by comparing its scheme and its suffix (host name / IP address and optional port number) against the allowed origin.

Example:

Explicitly allowed origin: http://example.com

Matches the original origin as well as any subdomain, e.g. http://foo.example.com, http://bar.example.com, etc.

cors.supportedMethods

Lists the supported HTTP methods. Requests for methods not included here will be refused by the CORS filter with an HTTP 405 "Method not allowed" response.

Do not change this parameter.

cors.supportedMethods=GET,POST,PUT,DELETE

cors.supportedHeaders

Lists the supported non-simple (according to the CORS standard) header names.

Do not change this parameter.

cors.supportedHeaders=*

cors.exposedHeaders

Lists the non-simple headers (according to the CORS standard) that the web client (browser) should expose.

Do not change this parameter.

cors.exposedHeaders=Location

cors.supportsCredentials

Indicates whether user credentials, such as cookies, HTTP authentication or client-side certificates, are supported.

Do not change this parameter.

cors.supportsCredentials=true
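The origin matching described under cors.allowOrigin and cors.allowSubdomains, plus a review check for cors.supportsCredentials, as an added stand-alone example (not code from the Connect2id server or its CORS Filter). It assumes an origin matches an entry only when scheme, host suffix and the explicit port all agree, and the properties text is constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample of a cors.properties file (not the real WEB-INF/cors.properties).
SAMPLE_PROPERTIES = """
cors.allowOrigin=https://example.com https://example.com:8080 https://secure.net
cors.allowSubdomains=true
cors.supportsCredentials=true
"""


def parse_properties(text):
    """Minimal key=value parser for the properties format (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _parts(origin):
    # Assumption: an absent port is compared as None, so "https://example.com"
    # and "https://example.com:8080" are distinct entries, as in the page's example.
    u = urlsplit(origin)
    return u.scheme.lower(), u.hostname, u.port


def origin_allowed(origin, props):
    """Evaluate a request Origin against cors.allowOrigin / cors.allowSubdomains."""
    allowed = props.get("cors.allowOrigin", "").split()
    if "*" in allowed:
        return True
    subdomains = props.get("cors.allowSubdomains", "false").lower() == "true"
    scheme, host, port = _parts(origin)
    if not host:
        return False
    for entry in allowed:
        e_scheme, e_host, e_port = _parts(entry)
        if scheme != e_scheme or port != e_port:
            continue
        if host == e_host or (subdomains and host.endswith("." + e_host)):
            return True
    return False


def audit(props):
    """Flag a wildcard origin combined with credentials support for manual review."""
    wildcard = "*" in props.get("cors.allowOrigin", "").split()
    creds = props.get("cors.supportsCredentials", "").lower() == "true"
    return ["cors.allowOrigin=* with cors.supportsCredentials=true"] if wildcard and creds else []
```

Run audit() over a deployed properties file to spot a wildcard origin paired with credentials before the filter goes live.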

cors.maxAge

Indicates how long, in seconds, the web client may cache the results of a CORS preflight request. If set to -1 the max age is left unspecified.

Recommended value: 1 day (86400 seconds).