CORS support on the embedded Apache Tomcat

Applies to: Denodo 8.0, Denodo 7.0, Denodo 6.0
Last modified on: 04 Jun 2020
Tags: Security Tomcat Web Services

Goal

This document describes how to configure the embedded Apache Tomcat to enable CORS support (Cross-Origin Resource Sharing).

Content

The same-origin policy is an important security concept implemented by web browsers to prevent JavaScript code from making requests against a different origin (e.g., a different domain) than the one from which it was served. Although the same-origin policy is effective in preventing requests from different origins, it also prevents legitimate interactions between a server and clients of a known and trusted origin.

CORS is a technique for relaxing the same-origin policy, allowing JavaScript on a web page to consume information served from a different origin.

From version 5.5 update 20150629, 6.0, 7.0 and 8.0

CORS support can be easily configured through the VDP Administration Tool. Detailed information is available in the section “Cross-origin resource sharing” of the Virtual DataPort Administration Guide.

For previous versions

To enable CORS in Apache Tomcat, an implementation of the javax.servlet.Filter interface has to be provided. This filter is an implementation of W3C's CORS (Cross-Origin Resource Sharing) specification, a mechanism that enables cross-origin requests. It intercepts incoming HTTP requests and, if they are identified as cross-origin, applies the proper CORS policy and headers before passing them on to the actual targets (servlets, JSPs, static XML/HTML documents).

Apache Tomcat provides its own implementation since version 7.0. As Denodo’s embedded Apache Tomcat is an earlier version, 5.5.3, it is necessary to provide another implementation to the container when using Denodo Platform 5.5 or earlier.

As an example, we will use CORS-Filter as the implementation of this filter. Other implementations can be used; more information can be found here.

After downloading the cors-filter-<version>.jar and java-property-utils-<version>.jar files from CORS-filter, they have to be placed under: <DENODO_HOME>/resources/apache-tomcat/common/lib.

Then, edit the <DENODO_HOME>/resources/apache-tomcat/conf/web.xml file to include:

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

It is important to note that simply using the above configuration options in the web.xml file will enable public CORS access to the server. You may want to restrict who can access the server through CORS, or set other advanced configuration options. More parameters can be added to this filter; find more information at: http://software.dzhuvinov.com/cors-filter-configuration.html

To enable CORS for a specific REST web service, edit the individual web.xml file associated with the web service, adding the same XML configuration:

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/views/*</url-pattern>
</filter-mapping>

Remember to add this as the first filter in the filter section. Once this configuration is added the web container needs to be restarted.

Now, we are going to see a more complex scenario where we want to have different filters for different views within a web service:

Picture that we have one REST web service in VDP called testws, with two views test and testcustom.

We want to enable CORS for the testcustom operation just for the origin http://example.com, and to enable CORS for the test operation just for the origin http://denodo.com.

We can configure this behavior by adding the following as the first filters in the web.xml file of the testws webapp:



<filter>
    <filter-name>CorsFilter1</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>http://example.com</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter1</filter-name>
    <url-pattern>/views/testcustom</url-pattern>
</filter-mapping>

<filter>
    <filter-name>CorsFilter2</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>http://denodo.com</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter2</filter-name>
    <url-pattern>/views/test</url-pattern>
</filter-mapping>

Once this configuration is added the web container needs to be restarted.

A very important thing to notice is that, in older versions of the Denodo Platform, this configuration is going to be overwritten every time the Web service is re-deployed.
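
A check for the two risks noted above, a CORSFilter left at its defaults (public access) and filter entries lost when a web service is re-deployed, as an added example that is not part of the original Denodo document: this Python sketch lists every CORSFilter in a web.xml with its URL patterns and allowed origins. The embedded web.xml is a constructed sample, and the handling of cors.allowOrigin (whitespace-separated origin list, `*` when the parameter is absent) is an assumption based on the CORS Filter library's documentation.

```python
import xml.etree.ElementTree as ET

CORS_CLASS = "com.thetransactioncompany.cors.CORSFilter"
# Constructed sample: one restricted filter from the article, one left at defaults.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter>
    <filter-name>CorsFilter1</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
      <param-name>cors.allowOrigin</param-name>
      <param-value>http://example.com</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter1</filter-name>
    <url-pattern>/views/testcustom</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/views/*</url-pattern>
  </filter-mapping>
</web-app>"""

def _text(elem, name):
    return (elem.findtext(name) or "").strip()

def audit_cors(web_xml):
    """List each CORSFilter with its URL patterns and allowed origins."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        elem.tag = elem.tag.rsplit("}", 1)[-1]  # drop the web.xml namespace
    findings = []
    for f in root.findall("filter"):
        if _text(f, "filter-class") != CORS_CLASS:
            continue
        name = _text(f, "filter-name")
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in f.findall("init-param")}
        # Assumption: whitespace-separated origin list; a missing value means "*".
        origins = (params.get("cors.allowOrigin") or "*").split()
        patterns = [_text(m, "url-pattern") for m in root.findall("filter-mapping")
                    if _text(m, "filter-name") == name]
        findings.append({"filter": name, "patterns": patterns,
                         "origins": origins, "public": "*" in origins})
    return findings
```

An entry with `public` set to true marks URL patterns open to any origin; an empty result for a web service that should carry a restricted filter indicates the configuration was overwritten.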

References

Apache Tomcat 7.0 CORS filter configuration:

http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

CORS filter library:

http://software.dzhuvinov.com/cors-filter.html
