Last Updated on

Issue:

This article focuses on how to enable CORS in Ephesoft Transact and resolve Access Control Allow Origin Exception with customer web application.

What is CORS?

CORS is a security feature that uses HTTP Headers that can be sent from the web server and interpreted by the browser to allow the browser to decide if it should proceed with a request or not. Part of the CORS mechanism involves the browser making a ‘preflight’ OPTIONS request to the web server so it can decide if it should send the actual request or not. Something that’s important to note here is that CORS checks are only made for requests that are not categorized as ‘simple requests’ and one of the triggers for requests to our APIs is the inclusion of an ‘Authorization’ header.

It’s also important to note that CORS is controlled by the client so any custom code written in Java for example or any custom requests made in PostMan will not be affected by CORS, however any custom code that is executed by a modern web browser such as JavaScript will be affected by CORS.

So in the current Transact configuration we have two issues:

  1. OPTIONS requests are not supported by the current web.xml configuration: OPTIONS requests need to be supported WITHOUT the requirement for the request to be sent with authentication (since CORS preflight requests do not include authentication). Configuration needs to be added to Ephesoft\Application\WEB-INF\web.xml enables this support
  2. CORS response headers are not configured to be returned to a client that requests them. We need to add an additional filter configuration which needs to be added to Ephesoft\JavaAppServer\conf\web.xml

Solution: 

Add the following to Ephesoft\JavaAppServer\conf\web.xml:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
                  <param-name>cors.allowed.origins</param-name>
                  <param-value>*</param-value>
  </init-param>
  <init-param>
                  <param-name>cors.allowed.methods</param-name>
                  <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
                  <param-name>cors.allowed.headers</param-name>
                  <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Content-Disposition, Authorization</param-value>
  </init-param>
  <init-param>
                  <param-name>cors.exposed.headers</param-name>
  <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
  <init-param>
                  <param-name>cors.support.credentials</param-name>
                  <param-value>true</param-value>
  </init-param>
  <init-param>
                  <param-name>cors.preflight.maxage</param-name>
                  <param-value>10</param-value>
  </init-param>
  </filter>

<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Add the following to: Ephesoft\Application\WEB-INF\web.xml:

<security-constraint>
  <web-resource-collection>
                  <web-resource-name>web service</web-resource-name>
                  <url-pattern>/rest/*</url-pattern>
                  <http-method>OPTIONS</http-method>
  </web-resource-collection>
</security-constraint>

Was this article helpful to you?

Abhishek Jain