15

Is it possible to apply cross-origin resource sharing (CORS) in a WebSphere Application Server Liberty Profile V8.5?

I searched the redbook but couldn't find IBM mention anything about it. (http://www.redbooks.ibm.com/abstracts/sg248076.html?Open)

It's not possible for me to set the headers programmatically like this:

Access-Control-Allow-Origin: *

(http://enable-cors.org/server.html)

Machavity
Niek Vandael
  • I'm currently investigating http://software.dzhuvinov.com/cors-filter-installation.html: I'm getting through (I can see my prints in the webservice)! Only problem is that the service is never returning and my browser keeps on waiting for the response... – Niek Vandael Jun 18 '14 at 07:54
  • Please see my answer for the official CORS support in Liberty. – ArthurDM May 04 '16 at 15:21

4 Answers

9

You have to add the following jars to your WEB-INF/lib folder:

In your web.xml you have to add the following rules:

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
GuyT
  • Don't think this works if the war contains HTML & JavaScript only. Is there another way to configure the WebSphere Liberty server to enable CORS for such a case? – DarVar May 26 '15 at 14:09
  • @DarVar Did you already solve your issue? If you only serve HTML and JavaScript you won't have these problems. Only when you are invoking a webservice on another socket. – GuyT Jan 22 '16 at 09:09
  • The method worked but unfortunately in my case the class loading mode needs to be altered to get it to work, which is not desirable. A more detailed explanation of the method is found here. https://clmpractice.org/2015/01/07/how-to-enable-cors-with-rational-team-concert-ccm-running-on-a-websphere-application-server-was-8-5/ – Ruifeng Ma Jul 21 '17 at 16:35
6

Starting with the January 2016 Beta (edit: and now in Liberty 8559), WebSphere Liberty supports CORS natively. You just configure the server.xml with the CORS options you want; here's an example:

<cors domain="/sampleApp/path"
   allowedOrigins="https://alice.com:8090"
   allowedMethods="GET, DELETE, POST"
   allowedHeaders="Accept, MyRequestHeader1"
   exposeHeaders="MyResponseHeader1"
   allowCredentials="true"
   maxAge="3600" />

The domain attribute is for the application root that you want this configuration to apply to, which means it won't affect any other context roots. The other 7 attributes follow exactly the official CORS spec (https://www.w3.org/TR/cors/), so they are pretty self-explanatory.

Link to beta: https://developer.ibm.com/wasdev/blog/2016/01/15/beta-websphere-liberty-and-tools-january/

dhilt
ArthurDM
1

To extend to the CORS from ArthurDM: The documented pages were not explaining enough for me. My setup is the following and I just want to share that with you:

  • Use Liberty Profile 8.5.5.9. So the CORS addition to Liberty Profile is not in beta only anymore.
  • Use JavaEE batch and connected the batch to put all its data in the repository (not in memory).
  • I wanted to use the batchManagement-1.0 feature for the REST API of batch that comes with it.
  • Angular 1.

Eventually the following cors setting did the trick:

    <cors domain="/ibm/api" 
       allowedOrigins="http://localhost:9080" 
       allowedMethods="GET, POST, PUT, DELETE" 
       allowedHeaders="Accept, Accept-Language, Content-Language, Content-Type" 
       exposeHeaders="Content-Type" 
       allowCredentials="true" 
       maxAge="3600" />

Good luck, and I hope it helps.

FrisoD
0

For those who are looking for a workaround while using IBM WebSphere Application Server and looking for an answer to apply CORS. (You should do this programmatically.) I know the OP is looking for an answer without using Java code or else... This might be helpful to somebody else. Write a filter that lets you set response headers programmatically. Such as:

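import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class YourFilter implements Filter {
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        response.setHeader("Access-Control-Allow-Origin", "*");
        // The original listed further header names here ("bla, bla..."); add them to this comma-separated value.
        response.setHeader("Access-Control-Allow-Headers", "Access-Control-Allow-Origin, X-Requested-With");
        // Hand the request on to the rest of the chain so the client gets a response.
        chain.doFilter(request, servletResponse);
    }
}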
Deniz D.
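
An allowlist variant of the programmatic filter approach, as an added example that is not part of any answer on this page: it sets by hand the response headers that correspond to the `allowedOrigins`, `allowedMethods`, `allowedHeaders`, `allowCredentials` and `maxAge` settings shown in the `<cors>` answers, and echoes only an exactly matching origin instead of `*`. The class name `AllowlistCorsFilter` and the origin, method and header values are sample choices for illustration, and the code assumes the `javax.servlet` API is on the classpath.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the class name and the values below are sample choices.
public class AllowlistCorsFilter implements Filter {

    // Exact-match allowlist; scheme, host and port must all match.
    private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(Arrays.asList(
            "https://alice.com:8090", "http://localhost:9080"));
    private static final String ALLOWED_METHODS = "GET, POST, DELETE";
    private static final String ALLOWED_HEADERS = "Accept, Content-Type";

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");
        // The response differs per Origin, so caches must key on it.
        response.addHeader("Vary", "Origin");
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            // Echo the single matching origin; browsers reject "*" when
            // Access-Control-Allow-Credentials is true.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");

            boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                    && request.getHeader("Access-Control-Request-Method") != null;
            if (preflight) {
                // Answer the preflight here; it never reaches the application.
                response.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
                response.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
                response.setHeader("Access-Control-Max-Age", "3600");
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                return;
            }
        }
        // Unlisted origins get no CORS headers, so the browser blocks the read.
        chain.doFilter(request, response);
    }
}
```

CORS only decides whether the browser lets the calling page read the response; a request from an unlisted origin still reaches the application, so authorization checks stay in the application itself.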