Presentation is loading. Please wait.

Presentation is loading. Please wait.

#SummitNow CORS 6 Nov 2013 / 14 Nov 2013 Jared Ottley / Alfresco Software.

Published byBuck Baldwin Modified over 8 years ago

Similar presentations

Presentation on theme: "#SummitNow CORS 6 Nov 2013 / 14 Nov 2013 Jared Ottley / Alfresco Software."— Presentation transcript:

1 #SummitNow CORS 6 Nov 2013 / 14 Nov 2013 Jared Ottley / Alfresco Software

2 #SummitNow CORS 6 Nov 2013 / 14 Nov 2013 Jared Ottley / Alfresco Software

3 #SummitNow What is CORS? Cross-Origin Resource Sharing Cross Domain AJAX Calls Implemented in Browser and Server 3

4 #SummitNow What Browsers Support CORS? 4.0+3.5 + 12.0+4.0+Partial 8 & 9 10+ 4

5 #SummitNow How Does CORS Work? Nothing to implement in your javascript. The Browser & the Server do the heavy lifting. 5

6 #SummitNow How Does CORS Work? 6 Browser OPTIONS API Request

7 #SummitNow Example Code $.ajax ({ type: ”HTTP METHOD”, url: “Place to go to”, dataType: 'json’, async: false, data: '{}', beforeSend: function (xhr){ xhr.setRequestHeader('Authorization', setAuthTokenHere() }, success: function (response){ //do something }, failure: function (response) { //do something } }); 7

8 #SummitNow What About the Server Side? Alfresco does not ship with CORS support. Alfresco uses CORS as part of “Alfresco for Salesforce” to talk to Alfresco Cloud. 8

9 #SummitNow How to Enable CORS in Alfresco Add the following jars to WEB-INF/lib cors-filter java-property-utils Both can be found at http://software.dzhuvinov.com/cors-filter.html http://software.dzhuvinov.com/cors-filter.html 9

10 #SummitNow How to Enable CORS in Alfresco Modify WEB-INF/web.xml CORS com.thetransactioncompany.cors.CORSFilter CORS /service/* 10

11 #SummitNow How to Enable CORS in Alfresco What services will be called by your app? CORS /service/* /cmisatom/* /cmisbrowser/* 11

12 #SummitNow How to Enable CORS in Alfresco 12 Browser OPTIONS API Request Authentication

13 #SummitNow Filter can be placed anywhere in web.xml However… Filter mapping MUST be before authentication filters How to Enable CORS in Alfresco 13

14 #SummitNow How to Enable CORS in Alfresco Place after Global Localization Filter but before CMIS security context cleaning filter. This is true for 4.2…but may not be true for other versions of Alfresco. By rule BEFORE any security/authentication filters 14

15 #SummitNow Filter Configuration By default the CORS Filter will apply a "public access" CORS policy, allowing all cross-site requests through (including credentials/cookies). Leaving the CORS Filter at this setting would actually be fine for most situations as CORS is not about adding server security; its primary intent is to protect the browser - the legitimate JavaScript apps running in it and the user's confidential data, such as cookies. 15

16 #SummitNow Filter Configuration (cont.) cors.configurationFile properties file Setting the location using System Property (-D) init-param Or Individual init-param 16

17 #SummitNow Filter Configuration (cont.) Do not change the following defaults: cors.allowGenericHttpRequests {true|false} defaults to true cors.supportsCredentials {true|false} defaults to true. cors.maxAge {int} defaults to -1 (unspecified) How long should pre-flight requests be cached. Recommended value is 3600 (1 hour) 17

18 #SummitNow Filter Configuration (cont.) cors.allowOrigin {"*"|origin-list} defaults to * Which calling domains are allowed? ex: http://alfresco.com https://www.alfresco.com Returns 403 if the domain is not allowed 18

19 #SummitNow Filter Configuration (cont.) cors.allowSubdomains {true|false} defaults to false Your application may run in a hosted service where the subdomain is dynamically assigned ex. salesforce.com ex. https:na14.salesforce.com 19

20 #SummitNow Filter Configuration (cont.) cors.supportedMethods {method-list} defaults to "GET, POST, HEAD, OPTIONS” cors.supportedHeaders {"*"|header-list} defaults to * origin, authorization, accept 20

21 #SummitNow Filter Configuration (cont.) cors.exposedHeaders {header-list} defaults to empty list Response headers limited to: Cache- Control, Content-Language, Content- Type, Expires, Last-Modified Pragma Add additional headers to be exposed 21

22 #SummitNow Demo 22

23 #SummitNow CORS Resources http://software.dzhuvinov.com/cors-filter.html https://bitbucket.org/thetransactioncompany/cors-filter http://www.w3.org/TR/cors/ http://en.wikipedia.org/wiki/Cross-origin_resource_sharing 23

24 #SummitNow CORS Resources http://software.dzhuvinov.com/cors-filter.html https://bitbucket.org/thetransactioncompany/cors-filter http://www.w3.org/TR/cors/ http://en.wikipedia.org/wiki/Cross-origin_resource_sharing 24

Download ppt "#SummitNow CORS 6 Nov 2013 / 14 Nov 2013 Jared Ottley / Alfresco Software."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
Using JavaScript in Linked Data Applications Oshani Seneviratne Oct 12, 2010.

Using JavaScript in Linked Data Applications Oshani Seneviratne Oct 12, 2010.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
Implementing ISA Server Caching. Caching Overview ISA Server supports caching as a way to improve the speed of retrieving information from the Internet.

Implementing ISA Server Caching. Caching Overview ISA Server supports caching as a way to improve the speed of retrieving information from the Internet.
Hypertext Transport Protocol CS - 328 Dick Steflik.

Hypertext Transport Protocol CS Dick Steflik.
 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.

 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Presented by…. Group 2 1. Programming language 2Introduction.

Presented by…. Group 2 1. Programming language 2Introduction.
August 25, 20151 SSO with Microsoft Active Directory Presented by: Craig Larrabee.

August 25, SSO with Microsoft Active Directory Presented by: Craig Larrabee.
Ajax Basics The XMLHttpRequest Object. Ajax is…. Ajax is not…. Ajax is not a programming language. Ajax is not a programming language. Ajax is a methodology.

Ajax Basics The XMLHttpRequest Object. Ajax is…. Ajax is not…. Ajax is not a programming language. Ajax is not a programming language. Ajax is a methodology.
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
CSC 2720 Building Web Applications Getting and Setting HTTP Headers (With PHP Examples)

CSC 2720 Building Web Applications Getting and Setting HTTP Headers (With PHP Examples)
CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.

CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.
JavaScript, Fourth Edition Chapter 12 Updating Web Pages with AJAX.

JavaScript, Fourth Edition Chapter 12 Updating Web Pages with AJAX.
ASP.NET Web API Udaiappa Ramachandran NHDN-Nashua.NET/Cloud Computing UG Lead Blog:

ASP.NET Web API Udaiappa Ramachandran NHDN-Nashua.NET/Cloud Computing UG Lead Blog:
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

Similar presentations

Ads by Google