Configuring Cross Origin Resource Sharing on a Liberty server

You can enable Cross Origin Resource Sharing (CORS) for your web applications on a Liberty server.

About this task

Enabling CORS allows JavaScript clients to make requests against your application on the Liberty server even if the client and the server are on two different domains. By default, web browsers block such requests because of the same-origin policy.

Procedure

  1. Ensure the server configuration has all features needed for your deployed application, such as servlet-3.0, jaxrs-1.1, and so on. Also ensure the ports and user registry settings are correct for the deployed application.
  2. Add the CORS service setting to the server.xml file. The cors element defines the CORS settings for the URL path that is set in its domain attribute.

Example

Here is an example of a CORS configuration for a web application at the sampleApp/path context root.


<cors domain="/sampleApp/path"
      allowedOrigins="https://alice.com:8090"
      allowedMethods="GET, DELETE, POST"
      allowedHeaders="accept, MyRequestHeader1"
      exposeHeaders="MyResponseHeader1"
      allowCredentials="true"
      maxAge="3600" />

Here is an example of a CORS configuration for the RESTful endpoint /ibm/api/collective. This setting applies to all endpoint paths that start with /ibm/api/collective, including /ibm/api/collective/docs.


<cors domain="/ibm/api/collective"
      allowedOrigins="https://alice.com:8090"
      allowedMethods="GET, DELETE, POST"
      allowedHeaders="accept, MyRequestHeader1"
      exposeHeaders="MyResponseHeader1"
      allowCredentials="true"
      maxAge="3600" />
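
How a browser preflight is evaluated against settings like these, as an added Python sketch that is not part of the Liberty documentation or Liberty's own implementation. It models the standard CORS preflight checks with exact origin matching; the function names, the enclosing server element, and the longest-prefix rule for choosing among several cors elements are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment reusing the two cors elements shown on this page.
SERVER_XML = """<server>
  <cors domain="/sampleApp/path" allowedOrigins="https://alice.com:8090"
        allowedMethods="GET, DELETE, POST" allowedHeaders="accept, MyRequestHeader1"
        exposeHeaders="MyResponseHeader1" allowCredentials="true" maxAge="3600" />
  <cors domain="/ibm/api/collective" allowedOrigins="https://alice.com:8090"
        allowedMethods="GET, DELETE, POST" allowedHeaders="accept, MyRequestHeader1"
        exposeHeaders="MyResponseHeader1" allowCredentials="true" maxAge="3600" />
</server>"""

def _csv(value):
    """Split a comma-separated attribute value into trimmed items."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def find_cors(server_xml, path):
    """Return the cors element whose domain is the longest prefix of path (assumed rule)."""
    rules = [c for c in ET.fromstring(server_xml).iter("cors")
             if c.get("domain") and path.startswith(c.get("domain"))]
    return max(rules, key=lambda c: len(c.get("domain")), default=None)

def preflight(server_xml, path, origin, method, headers=""):
    """Model the CORS headers returned for a preflight; {} means the browser blocks the call."""
    rule = find_cors(server_xml, path)
    if rule is None:                                    # no cors element covers this path
        return {}
    if origin not in _csv(rule.get("allowedOrigins")):  # scheme, host and port must all match
        return {}
    if method not in _csv(rule.get("allowedMethods")):  # Access-Control-Request-Method
        return {}
    requested = {h.lower() for h in _csv(headers)}      # Access-Control-Request-Headers
    allowed = {h.lower() for h in _csv(rule.get("allowedHeaders"))}
    if not requested <= allowed:
        return {}
    resp = {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": rule.get("allowedMethods"),
            "Access-Control-Allow-Headers": rule.get("allowedHeaders")}
    if rule.get("allowCredentials") == "true":
        resp["Access-Control-Allow-Credentials"] = "true"
    if rule.get("maxAge"):
        resp["Access-Control-Max-Age"] = rule.get("maxAge")  # preflight cache time, seconds
    return resp
```

An empty result for an origin, method, or header you expected to work points at the attribute to review; the exposeHeaders value is not part of the preflight and applies to the actual response.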