Enable CORS on Wildfly


#1

Hi,
How to turn on Cross-Origin Resource Sharing (CORS) response headers to Camunda REST engine in wildfly distribution to be able to make ajax requests from standalone javascript application?

thanks :slight_smile:


#2

Hi Lucian.

One possibility is to add CORS header server wide in the WildFly standalone.xml. A working example I have locally on WildFly 10 looks like this:

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <filter-ref name="Access-Control-Allow-Origin"/>
            <filter-ref name="Access-Control-Allow-Methods"/>
            <filter-ref name="Access-Control-Allow-Headers"/>
            <filter-ref name="Access-Control-Allow-Credentials"/>
            <filter-ref name="Access-Control-Max-Age"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
        <response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="*"/>
        <response-header name="Access-Control-Allow-Methods" header-name="Access-Control-Allow-Methods" header-value="GET, POST, OPTIONS, PUT"/>
        <response-header name="Access-Control-Allow-Headers" header-name="Access-Control-Allow-Headers" header-value="accept, authorization, content-type, x-requested-with"/>
        <response-header name="Access-Control-Allow-Credentials" header-name="Access-Control-Allow-Credentials" header-value="true"/>
        <response-header name="Access-Control-Max-Age" header-name="Access-Control-Max-Age" header-value="1"/>
    </filters>
</subsystem>

Hope that helps
Cheers
Bernd


#3

This worked for me. Thanks!


#4

Worked for me too, Thanks!


#5

header-name=“Access-Control-Allow-Origin” header-value="*"

Unfortunately this is no longer sufficient. We need the actual origin value here. Wildcards are not allowed.

When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the “*” wildcard.

MDN

Any ideas on how to do this dynamically? And no, a servlet filter does not work.


#6

Do you need put specifically value:

<response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="YOUR DOMAIN HERE"/>