Setting Up CORS

CORS stands for Cross-Origin Resource Sharing. An Origin is a web server at a different domain, and a Resource is some asset stored on the server, like an image, PDF, or HTML file. Sometimes you must request resources stored on another origin. This is called a cross-origin request, and web servers have policies to allow or deny such requests.

For example, browsers themselves don’t allow cross-origin AJAX-style requests from scripts to help mitigate cross-site scripting (XSS) attacks. These APIs follow a same origin policy. But for certain resources, it can be convenient to allow Liferay DXP to serve them to different origins.

For example, if you manage images in Documents & Media, you may want to allow cross-origin requests for them. You can enable CORS for matching URLs in Liferay DXP or for JAX-RS application resources.

Enabling CORS for Liferay DXP Services

To access these settings,

  1. Open the Global Menu (Applications Menu icon) and navigate to Control PanelInstance Settings.

  2. Go to SecuritySecurity ToolsPortal Cross-Origin Sharing (CORS):

  3. Click Add to create a configuration entry.

  4. Fill out the fields on the form.

  5. Click Save.

The CORS system settings provide a way to configure CORS headers for Liferay services.

Portal CORS Configuration Reference

ConfigurationDescription
EnabledCheck this box to enable the entry.
NameGive the configuration entry a name.
URL PatternUse the Plus button to add as many patterns as you need. Define patterns that match URLs to the resources you want to share. For example, if you have many attachments in the Knowledge Base application, you could define this pattern:
/knowledge_base/*
This would define resources stored in the Knowledge Base as applicable to the policy you set in the response header below.
CORS Response HeadersUse the Plus button to add as many headers as you need. Define policies for any of the CORS headers here.

You can also use a configuration file to configure CORS.

Note

There’s also a Portal Cross-Origin Resource Sharing (CORS) entry under the Virtual Instance Scope in System Settings. This contains the Default Portal CORS Configuration that’s already enabled for virtual instances.

Enabling CORS for JAX-RS Applications

To access these settings,

  1. Open the Global Menu (Applications Menu icon) and navigate to Control PanelSystem Settings.

  2. Go to SecuritySecurity ToolsWeb Contexts Cross Resource Origin Sharing (CORS):

  3. Click Add to create a configuration entry.

  4. Fill out the fields on the form. When finished, click Save.

    There's a separate system settings category for CORS web contexts.

JAX-RS CORS Configuration Reference

ConfigurationDescription
Dynamic Web Context OSGi FilterDefine an LDAP-style filter to define which JAX-RS whiteboard applications the CORS headers in this entry apply to. This is the default filter:
(&(!(liferay.cors=false))(osgi.jaxrs.name=*))
It applies CORS headers to all deployed JAX-RS whiteboard applications without a liferay.cors=false property. This helps during development, but in production you should use the narrowest configuration possible.
URL PatternUse the Plus button to add as many patterns as you need. Define patterns that match URLs to the web services you want to access.
CORS Response HeadersUse the Plus button to add as many headers as you need. Define policies for any of the CORS headers here.

JAX-RS developers can use the @CORS annotation to set policies for their deployed applications.

Capabilities

Product

Contact Us

Connect

Powered by Liferay
© 2024 Liferay Inc. All Rights Reserved • Privacy Policy