This article covers Bloomreach Experience Manager version 11. There's an updated version available that covers our most recent release.

Enable RESTful Service CORS Support

Introduction

Goal

Enable CORS support to allow access to Hippo RESTful services via AJAX.

Use Case

Calling a Hippo RESTful service via Ajax confronts you with the same-origin policy. By default, browsers do not allow cross-domain Ajax requests. Hippo supports Cross-Origin Resource Sharing (CORS) to allow such cross-domain requests.

This page describes how to enable CORS for custom RESTful services that were initially configured through the REST Services Setup tool in Essentials.

Enable CORS

To enable CORS in a Bloomreach Experience Manager RESTful service, first add one extra CXF dependency to your project's site module:

site/pom.xml

<dependency>
  <groupId>org.apache.cxf</groupId>
  <artifactId>cxf-rt-rs-security-cors</artifactId>
  <version>${cxf.version}</version>
</dependency> 

Second, modify the following Spring configuration file in your project's site module:

site/src/main/resources/META-INF/hst-assembly/overrides/spring-plain-rest-api.xml

Add a jaxrsRestCorsFilter bean as in the example below:

  <bean id="jaxrsRestCorsFilter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter" />

Find the essentialsRestAllEntityProviders bean and add a reference to jaxrsRestCorsFilter to the sourceList property as in the example below (line marked with comment "enable CORS"):

  <bean id="essentialsRestAllEntityProviders" class="org.springframework.beans.factory.config.ListFactoryBean">
    <property name="sourceList">
      <list>
        <ref bean="jaxrsRestCorsFilter"/> <!-- enable CORS -->
        <ref bean="jaxrsRestJsonProvider"/>
        <ref bean="jaxrsHippoContextProvider"/>
        <ref bean="jaxrsRestExceptionMapper"/>
      </list>
    </property>
  </bean>

Each call to the RESTful service that includes an Origin HTTP header will now automatically include the following header in the response:

Access-Control-Allow-Origin: *

That grants all domains access to the RESTful service. More fine-grained access control can be achieved by configuring the jaxrsRestCorsFilter Spring bean, or by adding annotations to your REST resource classes. See the CXF CORS documentation for examples.
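
One way to configure the jaxrsRestCorsFilter bean for a restricted set of origins, shown as an added example that is not part of the original page. The origins, header names and max-age value are placeholder assumptions; the property names are those of CXF's CrossOriginResourceSharingFilter.

```xml
<!-- Added example: replaces the bare jaxrsRestCorsFilter bean definition.
     All values below are placeholders (assumptions), not project settings. -->
<bean id="jaxrsRestCorsFilter"
      class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">

  <!-- Only these origins are accepted. Leaving this list empty is what
       produces "Access-Control-Allow-Origin: *". -->
  <property name="allowOrigins">
    <list>
      <value>https://www.example.com</value>
      <value>https://app.example.com</value>
    </list>
  </property>

  <!-- Request headers a browser may send after a successful preflight. -->
  <property name="allowHeaders">
    <list>
      <value>Content-Type</value>
      <value>Accept</value>
    </list>
  </property>

  <!-- Keep credentialed requests (cookies, HTTP auth) disabled unless the
       service needs them and the origin list above is strictly controlled. -->
  <property name="allowCredentials" value="false"/>

  <!-- Seconds a browser may cache the preflight response. -->
  <property name="maxAge" value="600"/>
</bean>
```

With this configuration a request whose Origin header matches a listed value receives that origin in Access-Control-Allow-Origin, and a request from any other origin receives no CORS headers, so the browser refuses to expose the response to the calling page. CORS only governs what browsers let scripts read, so the service still needs its own authentication and authorization for non-public data.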
