CORS - Enable Alfresco for CORS

#SummitNow CORS 6 Nov 2013 / 14 Nov 2013 Jared Ottley / Alfresco Software

description

Alfresco Summit Lightning Talk. What is CORS? How to enable Alfresco (Community, Enterprise) to accept CORS calls.

Transcript of CORS - Enable Alfresco for CORS

  • 1. CORS. 6 Nov 2013 / 14 Nov 2013. Jared Ottley / Alfresco Software. #SummitNow

  • 3. What is CORS?
    Cross-Origin Resource Sharing. Cross-domain AJAX calls. Implemented in the browser and the server.

  • 4. What Browsers Support CORS?
    (Slide shows browser logos with version thresholds: 4.0+, 3.5+, 12.0+, 4.0+, partial in 8 & 9, full from 10+.)

  • 5. How Does CORS Work?
    Nothing to implement in your JavaScript. The browser and the server do the heavy lifting.

  • 6. How Does CORS Work?
    (Diagram: Browser -> OPTIONS -> API Request.)

  • 7. Example Code
    The slide's jQuery call, with the missing quote and parenthesis restored and the failure callback given jQuery's actual name (error):

      $.ajax({
          type: 'HTTP METHOD',        // e.g. GET or POST
          url: 'Place to go to',      // the Alfresco service URL
          dataType: 'json',
          async: false,
          data: '{}',
          beforeSend: function (xhr) {
              // Authorization is not a "simple" header, so the browser sends an OPTIONS preflight first.
              xhr.setRequestHeader('Authorization', setAuthTokenHere());
          },
          success: function (response) {
              // do something
          },
          error: function (response) {
              // do something (jQuery names this callback "error", not "failure")
          }
      });

  • 8. What About the Server Side?
    Alfresco does not ship with CORS support. Alfresco uses CORS as part of Alfresco for Salesforce to talk to Alfresco Cloud.

  • 9. How to Enable CORS in Alfresco
    Add the following jars to WEB-INF/lib: cors-filter, java-property-utils. Both can be found at http://software.dzhuvinov.com/cors-filter.html

  • 10. How to Enable CORS in Alfresco
    Modify WEB-INF/web.xml (the slide's filter and mapping, laid out as XML):

      <filter>
          <filter-name>CORS</filter-name>
          <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
      </filter>
      <filter-mapping>
          <filter-name>CORS</filter-name>
          <url-pattern>/service/*</url-pattern>
      </filter-mapping>

  • 11. How to Enable CORS in Alfresco
    What services will be called by your app? Map the filter to each of them:

      <filter-mapping>
          <filter-name>CORS</filter-name>
          <url-pattern>/service/*</url-pattern>
          <url-pattern>/cmisatom/*</url-pattern>
          <url-pattern>/cmisbrowser/*</url-pattern>
      </filter-mapping>

  • 12. How to Enable CORS in Alfresco
    (Diagram: Browser -> OPTIONS -> Authentication -> API Request.)

  • 13. How to Enable CORS in Alfresco
    The filter can be placed anywhere in web.xml. However, the filter mapping MUST be before the authentication filters.

  • 14. How to Enable CORS in Alfresco
    Place it after the Global Localization Filter but before the CMIS security context cleaning filter. This is true for 4.2 but may not be true for other versions of Alfresco. By rule: BEFORE any security/authentication filters.

  • 15. Filter Configuration
    By default the CORS Filter applies a "public access" CORS policy, allowing all cross-site requests through (including credentials/cookies). Leaving the CORS Filter at this setting would actually be fine for most situations, as CORS is not about adding server security; its primary intent is to protect the browser, the legitimate JavaScript apps running in it, and the user's confidential data, such as cookies.

  • 16. Filter Configuration (cont.)
    cors.configurationFile: a properties file. Set its location using a System Property (-D) or an init-param. Or configure each setting as an individual init-param.

  • 17. Filter Configuration (cont.)
    Do not change the following defaults:
    cors.allowGenericHttpRequests {true|false}, defaults to true.
    cors.supportsCredentials {true|false}, defaults to true.
    cors.maxAge {int}, defaults to -1 (unspecified): how long pre-flight requests should be cached. Recommended value is 3600 (1 hour).

  • 18. Filter Configuration (cont.)
    cors.allowOrigin {"*"|origin-list}, defaults to *. Which calling domains are allowed? Ex: http://alfresco.com https://www.alfresco.com. Returns 403 if the domain is not allowed.

  • 19. Filter Configuration (cont.)
    cors.allowSubdomains {true|false}, defaults to false. Your application may run in a hosted service where the subdomain is dynamically assigned. Ex: salesforce.com, https://na14.salesforce.com

  • 20. Filter Configuration (cont.)
    cors.supportedMethods {method-list}, defaults to "GET, POST, HEAD, OPTIONS".
    cors.supportedHeaders {"*"|header-list}, defaults to *. Ex: origin, authorization, accept.

  • 21. Filter Configuration (cont.)
    cors.exposedHeaders {header-list}, defaults to an empty list. Without it, the response headers visible to the script are limited to: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma. Add additional headers to be exposed.

  • 22. Demo

  • 23. CORS Resources
    http://software.dzhuvinov.com/cors-filter.html
    https://bitbucket.org/thetransactioncompany/cors-filter
    http://www.w3.org/TR/cors/
    http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
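The deck describes the exchange (slides 6 and 12: the browser sends an OPTIONS preflight before the API request) and the filter settings that decide its outcome (slides 17 to 21), but never shows the two sides together. The following is an added example, not from the slides and not the cors-filter project's source: it models what the browser does for the jQuery call above (deciding whether the Authorization header forces a preflight and building it) and how a policy with settings named after the filter's cors.* properties answers it. The config object shape, the request shape, the 403 for unsupported methods and headers, the Vary header, and all sample values (salesforce.com subdomains, the service path, the token) are this example's own assumptions; only the 403 for a disallowed origin is stated on the slides. The interesting case to observe is the default policy of allowing every origin while credentials are on: the responder must then echo the calling origin instead of "*", which is why restricting cors.allowOrigin is the setting that actually narrows who can make credentialed calls.

```javascript
// Added example (not from the slides or the cors-filter project): a model of the
// CORS negotiation the deck describes. The browser side decides whether a request
// needs an OPTIONS preflight and builds it; the server side evaluates that preflight
// against settings named like the filter's cors.* properties. Config keys, request
// shapes and sample values are this example's own assumptions.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// A request header that never forces a preflight on its own (the spec's "simple" set).
function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (n === 'content-type') {
    return SIMPLE_CONTENT_TYPES.includes(String(value).split(';')[0].trim().toLowerCase());
  }
  return SIMPLE_HEADERS.has(n);
}

// Browser side: "nothing to implement in your JavaScript" - this is what the browser
// does behind $.ajax. Returns null when the request can go out without a preflight.
function buildPreflight(pageOrigin, req) {
  const method = req.method.toUpperCase();
  const custom = Object.entries(req.headers || {})
    .filter(([k, v]) => !isSimpleHeader(k, v))
    .map(([k]) => k.toLowerCase());
  if (SIMPLE_METHODS.has(method) && custom.length === 0) return null;
  const headers = { origin: pageOrigin, 'access-control-request-method': method };
  if (custom.length) headers['access-control-request-headers'] = custom.join(', ');
  return { method: 'OPTIONS', url: req.url, headers };
}

// Server side: does the calling origin match cors.allowOrigin / cors.allowSubdomains?
// Allowed entries are full origins (scheme://host[:port]); a malformed Origin is denied.
function originAllowed(config, origin) {
  if (config.allowOrigin === '*') return true;
  let o;
  try { o = new URL(origin); } catch { return false; }
  return config.allowOrigin.some((entry) => {
    const a = new URL(entry);
    if (a.protocol !== o.protocol || a.port !== o.port) return false;
    if (a.hostname === o.hostname) return true;
    return Boolean(config.allowSubdomains) && o.hostname.endsWith('.' + a.hostname);
  });
}

const deny = () => ({ status: 403, headers: {} });

// Server side: answer a preflight. 403 for a disallowed origin is what the deck states;
// the same answer for an unsupported method or header is this model's choice.
function evaluatePreflight(config, preflight) {
  const h = preflight.headers;
  if (!originAllowed(config, h.origin)) return deny();
  const method = h['access-control-request-method'];
  if (!config.supportedMethods.includes(method)) return deny();
  const requested = (h['access-control-request-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (config.supportedHeaders !== '*') {
    const allowed = config.supportedHeaders.map((s) => s.toLowerCase());
    if (requested.some((r) => !allowed.includes(r))) return deny();
  }
  const headers = {
    // Browsers reject a literal "*" on a credentialed response, so echo the origin
    // whenever credentials are supported or an origin list is configured.
    'access-control-allow-origin': config.supportsCredentials || config.allowOrigin !== '*' ? h.origin : '*',
    'access-control-allow-methods': config.supportedMethods.join(', '),
    vary: 'Origin', // an echoed origin must not be cached for a different caller
  };
  if (requested.length) headers['access-control-allow-headers'] = requested.join(', ');
  if (config.supportsCredentials) headers['access-control-allow-credentials'] = 'true';
  if (config.maxAge >= 0) headers['access-control-max-age'] = String(config.maxAge);
  return { status: 200, headers };
}

// Server side, actual response: cors.exposedHeaders extends what the page's script may read.
function exposeHeaders(config, responseHeaders) {
  if (!config.exposedHeaders || config.exposedHeaders.length === 0) return responseHeaders;
  return { ...responseHeaders, 'access-control-expose-headers': config.exposedHeaders.join(', ') };
}

// Constructed sample: a Salesforce-hosted app calling Alfresco; all values assumed.
const filterConfig = {
  allowOrigin: ['https://salesforce.com', 'http://alfresco.com'],
  allowSubdomains: true, // so https://na14.salesforce.com is accepted
  supportedMethods: ['GET', 'POST', 'HEAD', 'OPTIONS'],
  supportedHeaders: ['origin', 'authorization', 'accept'],
  supportsCredentials: true,
  maxAge: 3600,
  exposedHeaders: ['Location'],
};
const sampleRequest = {
  method: 'GET',
  url: '/alfresco/service/api/sites', // constructed path
  headers: { Authorization: 'Basic <token>' }, // placeholder credential
};

const preflight = buildPreflight('https://na14.salesforce.com', sampleRequest);
console.log('browser sends:', preflight);
console.log('filter answers:', evaluatePreflight(filterConfig, preflight));
```

Run it with node; the plain GET without Authorization produces no preflight at all, while the same GET with Authorization (the slide's example) or a POST with a JSON Content-Type does, which is why the filter mapping must sit in front of Alfresco's authentication filters: the OPTIONS request carries no credentials and would otherwise be rejected before the filter sees it.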