uPortal

Enterprise open source portal built by and for the higher education community.

This project is maintained by uPortal-Project

Security in uPortal

Table of Contents

  1. CORS Filter

CORS Filter

The CORS Filter is an implementation of W3C’s CORS (Cross-Origin Resource Sharing) specification, which enables cross-origin requests.

CORS Filter Configuration Options

cors.allowed.origins

A list of origins that are allowed to access the resource. A * can be specified to enable access to the resource from any origin. Otherwise, a comma-separated whitelist of origins can be provided. E.g.: http://www.w3.org, https://www.apache.org. Defaults: * (any origin is allowed to access the resource).

cors.allowed.methods

A comma-separated list of HTTP methods that can be used to access the resource using cross-origin requests. These methods will also be included in the Access-Control-Allow-Methods header of the pre-flight response. E.g.: GET, POST. Defaults: GET, HEAD

cors.allowed.headers

A comma-separated list of request headers that can be used when making an actual request. These headers will also be returned in the Access-Control-Allow-Headers header of a pre-flight response. E.g.: Origin,Accept. Defaults: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers

cors.exposed.headers

A comma-separated list of headers, other than simple response headers, that browsers are allowed to access. These headers will also be included in the Access-Control-Expose-Headers header of the pre-flight response. E.g.: X-CUSTOM-HEADER-PING,X-CUSTOM-HEADER-PONG. Default: None. Non-simple headers are not exposed by default.

cors.preflight.maxage

The number of seconds the browser is allowed to cache the result of the pre-flight request. This value will be included in the Access-Control-Max-Age header of the pre-flight response. A negative value will prevent the CORS Filter from adding this response header to the pre-flight response. Defaults: 1800

cors.support.credentials

A flag that indicates whether the resource supports user credentials. This flag is exposed in the Access-Control-Allow-Credentials header of a pre-flight response. It helps the browser determine whether or not an actual request can be made using credentials. Defaults: true

cors.request.decorate

A flag that controls whether CORS-specific attributes are added to the HttpServletRequest object. Defaults: true
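An added configuration example, not taken from the uPortal project: the documented defaults for origins and credentials next to a restricted allow-list. It assumes the options are set in Java properties syntax; the example.edu origins are placeholders.

```properties
# Constructed example. Properties-file syntax is an assumption; use whatever
# mechanism your deployment uses to set the options listed above.

# --- Documented defaults (shown commented out for comparison) ---
# Any origin may access the resource, and credentialed requests are supported.
# cors.allowed.origins=*
# cors.support.credentials=true

# --- Restricted configuration ---
# Only the named origins may make cross-origin requests.
# Hostnames below are placeholders, not real uPortal deployments.
cors.allowed.origins=https://portal.example.edu, https://apps.example.edu

# Keep the method list to what cross-origin clients actually need.
cors.allowed.methods=GET, HEAD

# Request headers accepted on the actual request (documented default list).
cors.allowed.headers=Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers

# Pre-flight result may be cached by the browser for 30 minutes (default).
cors.preflight.maxage=1800

# Leave credentials on only when the listed origins need authenticated calls;
# set to false if cross-origin clients only read public resources.
cors.support.credentials=true

cors.request.decorate=true
```

With an explicit origin list, credential support applies only to the sites named in cors.allowed.origins rather than to every origin.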

See [W3C CORS](http://www.w3.org/TR/cors/)