1

I need to allow access to a page of my site to accept Cross Domain requests from other sites.

I know this technique is Cross Origin or Cross Domain or CORS (Cross-Origin Resource Sharing), I have seen several topics that speak of it:

How to call a page from another domain to my domain using ajax/javascript
How does Access-Control-Allow-Origin header work?
https://www.html5rocks.com/en/tutorials/cors/

But I do not know how to configure my site to allow cross domain queries.

Info: sites that need access to mine do not use browser extensions, so I have to practice cross domain.

Questions :

1. How do I configure the Access-Control-Allow-Origin header? My site is Java-EE, JSF and Spring.

2. I found two solutions to allow an external site to have the content of my page:

  • A) The first solution is a javascript script that generates a link to my page. The external site must then include this link in its page to display the content of my page. (Should I still have Access-Control-Allow-Origin ?)

Example

<script>
        (function (w,i,d,g,e,t,s) 
            w[d] = w[d]||[];
            t= i.createElement(g);
            t.async=1;
            t.src=e;
            s=i.getElementsByTagName(g)[0];
            s.parentNode.insertBefore(t, s);
        })(window, document,'_gscq','script','//widgets.getsitecontrol.com/42540/script.js');
</script>

  • B) The second solution is that the external site uses an XMLHttpRequest or AJAX request to load the page of my site : Embed an External Page Without an Iframe?

    What is the best solution (A or B)? Will the content of the page be loaded in static?

3. Is there a file in the site configuration that allows me to authorize or forbid sites (domains) to access the pages of my site? Access-Control-Allow-Origin Multiple Origin Domains?

Example

my_page_1.html: // Page of my site
// Authorize sites to make a cross domain query
external_site_1.com
external_site_2.com
external_site_3.com

my_page_2.html: // Page of my site
// Authorize sites to make a cross domain query
external_site_1.com

my_page_3.html: // Page of my site
// Authorize sites to make a cross domain query
external_site_1.com
external_site_3.com

Thank you in advance for your answers.

  • I dont think this has anything to do with spring or jsf ... I believe its a config that you need to set in your server/application. You are using spring, so ill assume you are using tomcat: [Enable CORS on tomcat](http://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CORS_Filter) – Ouerghi Yassine May 16 '17 at 09:13
  • For the configuration, it looks like a good solution. It remains to be seen whether ` / * url-pattern>` allows me to define the `Access-Control-Allow-Origin` on different pages and not on the whole site. It must be fesable I think. Thank you. I should also know if I should use solution **A** or **B**. An idea? –  May 16 '17 at 09:23
  • I looked but I do not know what would be the best way to send the content of my page (site 1) to the page of another site (site 2) via a request and with the least action of the Share of site 2 –  May 16 '17 at 13:35

1 Answers1

0

You can define multiple filters with different domains:

<filter>
  <filter-name>CorsFilter1</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>domain1</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter1</filter-name>
  <url-pattern>/path1/*</url-pattern>
</filter-mapping>

<filter>
  <filter-name>CorsFilter2</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>domain2, domain3</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter2</filter-name>
  <url-pattern>/path2/*</url-pattern>
  <url-pattern>/path3/*</url-pattern>
</filter-mapping>
Ouerghi Yassine
  • 1,646
  • 7
  • 39
  • 66
  • Ok, it looks good for the setup. I found the setup in the `web.xml` file. I will set up my server to allow the Cross Origin on the pages I need. This is a good start but I have to know how to provide the content of my page on a client's page from another domain with the least change to be made on the client site. If I take solution B, the client must have a script to send an Ajax request to my site in order to have the contents of my page. It is a bit constraining for him. With the solution A ,the script that generates a link to the content of my page but I do not know how to do it. –  May 16 '17 at 10:03
  • Another question, if I send requests to the client site, does it need to configure the Cross Origin on its server too? –  May 16 '17 at 10:03
  • With the filters setup you need no more config on the client side? have you tried it? – Ouerghi Yassine May 16 '17 at 12:56
  • I have not tried yet. I read the documentation and I will do some testing. –  May 16 '17 at 13:29