Looking for a workaround for CORS when OAuth enabled with RESTLooking for a workaround for CORS when OAuth enabled with RESThttps://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=1135862572026-04-04T03:13:56Z2026-04-04T03:13:56ZRE: Looking for a workaround for CORS when OAuth enabled with RESTEric COQUELINhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1137075572019-05-22T12:00:01Z2019-05-22T12:00:01Z<html><head></head><body>After analyzing, it appears that Whiteboard became more strict. Now it requires to se target<br><pre><code>@Component(property = { "osgi.jaxrs.extension=true",
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;"osgi.jaxrs.name=LiferayCorsFilter", "osgi.jaxrs.application.select=(osgi.jaxrs.name=*)" }, immediate = true, configurationPid = "com.ajizan.liferay.cors.configuration.LiferayCORSConfiguration", service = ContainerResponseFilter.class)</code></pre><br>Now it works</body></html>Eric COQUELIN2019-05-22T12:00:01ZRE: Looking for a workaround for CORS when OAuth enabled with RESTEric COQUELINhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1137072162019-05-22T11:35:47Z2019-05-22T11:35:47ZHello community,<br />I just upgraded to 7.1 GA4 and the code above doesn't work anymore.<br />It looks like the ContainerResponseFilter is no more taken into account even if the component is properly registered.<br />On the release notes, I haven't found any breaking change or anything related to ContainerResponseFilter, thus it is either a bug either a choice which has not been documented.<br />Can anyone help?<br />Thank youEric COQUELIN2019-05-22T11:35:47ZRE: Looking for a workaround for CORS when OAuth enabled with RESTEric COQUELINhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1135926542019-05-10T09:47:40Z2019-05-10T09:47:40ZHi Christoph,<br /><br />Thank you for replying.<br /><br />I know there are third party solutions such as reverse proxy but I want to find a solution with Liferay. This is also an approach to learn more about how the security works with Liferay.<br /><br />I found some additional mechanisms.<br /><br />First of all, It seems I can't avoid the CORS Filter. I understand that I should avoid giving access to any origin for security reason. But that component is required. Then, I need to add a new VerifierAuth in the pipeline otherwise my OPTIONS requests are rejected.<br /><br />Can you please have a look at my source code that I am pleased to share with the community ?<br /><br /><a href="https://github.com/Ajizan/liferay-cors">https://github.com/Ajizan/liferay-cors</a><br /><br />By the way, If I try to restrict the filter to a given URL using "auth.verifier.LiferayOptionsAuthVerifier.urls.includes", it doesn't apply. My REST service are deployed on /o/immobilio/... but if I set the above URL to "/o/immobilio/*" or even "/o/*", it doesn't work. And when I log the context path, it gives me "/o/immobilio", then I don't understand.<br /><br />Thank you in advance for any feedbacks.Eric COQUELIN2019-05-10T09:47:40ZRE: Looking for a workaround for CORS when OAuth enabled with RESTChristoph Rabelhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1135866212019-05-09T17:51:33Z2019-05-09T17:51:33ZNot sure if this helps you, but I usually do stuff like this in a reverse proxy. It's quite easy to do it there and also very flexible.<br /><br /><br />Note: It's not best practice to add "Access-Control-Allow-Origin: *" header, except maybe in development environments.<br />I usually use something like this. Basically a whitelist of domains that may access my service using cors. The same idea can, of course, be used in other implementations too.<br /><br />https://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domainsChristoph Rabel2019-05-09T17:51:33ZLooking for a workaround for CORS when OAuth enabled with RESTEric COQUELINhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1135862562019-05-09T17:38:43Z2019-05-09T17:38:43Z<html><head></head><body>Dear Community,<br><br>I have created some JAXRS services which work well. Then, I decided to apply some security using OAuth.<br><br>Using a Postman, I can perform any request without any issue but when sending same requests from an Angular application, it starts with an OPTION request for CORS (Cross Origin) and it fails with a 403. I disabled OAuth and added a filter to enable CORS<br><br><pre><code>@Component(property = { "osgi.jaxrs.extension=true",
"osgi.jaxrs.name=Filter.CORS" }, service = ContainerResponseFilter.class)
public class CorsFilter implements ContainerResponseFilter {
private Log _log = LogFactoryUtil.getLog(getClass());
@Override
public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext)
throws IOException {
if (_log.isDebugEnabled()) {
_log.debug("Writing CORS headers");
}
MultivaluedMap<string, object> headers = responseContext.getHeaders();
headers.add("Access-Control-Allow-Origin", "*");
headers.add("Access-Control-Allow-Headers", "Origin,Content-Type,Accept,Authorization,content-type");
headers.add("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS,HEAD,PATCH");
headers.add("Access-Control-Max-Age", "1209500");
}
}</string,></code></pre><br>Then my requests work from my Angular App as the given filter allows CORS.<br><br>When enabling again OAuth, it fails again. It looks like the servlet request is being catched on top of this Filter (no log displayed anymore) and it doesn't work obviously.<br><br>With 6.2, we had to setup a filter at Tomcat web.xml but I assume things have improved.<br><br>Can anyone share with me any tips to solve this issue properly in the DXP way ?<br><br>Thank you,</body></html>Eric COQUELIN2019-05-09T17:38:43Z