Enable RESTful Service CORS Support
Introduction
Goal
Enable CORS support to allow access to Hippo RESTful services via Ajax.
Use Case
Calling a Hippo RESTful service via Ajax confronts you with the same-origin policy. By default, browsers do not allow cross-domain Ajax requests. Hippo supports Cross-Origin Resource Sharing (CORS) to allow such cross-domain requests.
This page describes how to enable CORS for custom RESTful services that were initially configured through the REST Services Setup tool in Essentials.
Enable CORS
To enable CORS in a Bloomreach Experience Manager RESTful service, first add one extra CXF dependency to your project's site module:
site/pom.xml
<dependency>
  <groupId>org.apache.cxf</groupId>
  <artifactId>cxf-rt-rs-security-cors</artifactId>
  <version>${cxf.version}</version>
</dependency>
Second, modify the following Spring configuration file in your project's site module:
site/src/main/resources/META-INF/hst-assembly/overrides/spring-plain-rest-api.xml
Add a jaxrsRestCorsFilter bean as in the example below:
<bean id="jaxrsRestCorsFilter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter" />
Find the essentialsRestAllEntityProviders bean and add a reference to jaxrsRestCorsFilter to the sourceList property as in the example below (line marked with comment "enable CORS"):
<bean id="essentialsRestAllEntityProviders" class="org.springframework.beans.factory.config.ListFactoryBean">
  <property name="sourceList">
    <list>
      <ref bean="jaxrsRestCorsFilter"/> <!-- enable CORS -->
      <ref bean="jaxrsRestJsonProvider"/>
      <ref bean="jaxrsHippoContextProvider"/>
      <ref bean="jaxrsRestExceptionMapper"/>
    </list>
  </property>
</bean>
Each call to the RESTful service that includes an Origin HTTP header will now automatically include the following header in the response:
Access-Control-Allow-Origin: *
That grants all domains access to the RESTful service: a script served from any website can call it from the browser and read the response. More fine-grained access control can be achieved by configuring the jaxrsRestCorsFilter Spring bean, or by adding annotations to your REST resource classes. See the CXF CORS documentation for examples.
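One way to narrow the wildcard through the jaxrsRestCorsFilter bean, shown as an added example that is not part of the original page or of the Bloomreach or CXF projects. The origin values, header list and max-age are placeholder assumptions; the property names correspond to setters on CXF's CrossOriginResourceSharingFilter.

```xml
<!-- Added example: replaces the bare jaxrsRestCorsFilter bean definition
     in spring-plain-rest-api.xml. -->
<bean id="jaxrsRestCorsFilter"
      class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">

  <!-- Explicit allow-list instead of "*". The two origins are placeholders
       (assumption): list only the sites that host your Ajax client,
       including scheme and, if non-default, port. -->
  <property name="allowOrigins">
    <list>
      <value>https://www.example.com</value>
      <value>https://app.example.com</value>
    </list>
  </property>

  <!-- Request headers a cross-origin client may send on preflighted calls
       (assumed set; trim to what your client really uses). -->
  <property name="allowHeaders">
    <list>
      <value>Content-Type</value>
      <value>Accept</value>
    </list>
  </property>

  <!-- Do not let browsers attach cookies or HTTP auth to cross-origin calls
       unless the service genuinely needs an authenticated cross-origin client. -->
  <property name="allowCredentials" value="false"/>

  <!-- Seconds a browser may cache a preflight result (assumed value). -->
  <property name="maxAge" value="600"/>
</bean>
```

To check the result, send one request with an Origin header from the allow-list and one with an unlisted origin: only the first response should carry Access-Control-Allow-Origin, and its value should be that origin rather than *.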