Enhanced Cross Origin Resource Sharing Configuration | HCL Digital Experience
Enhanced Cross Origin Resource Sharing Configuration adds new options for HCL Digital Experience administrators to set configuration for CORS using a WP configuration service in the IBM WebSphere Application Server resource environment provider. This new configuration option is supported with HCL DX 9.5 Container Update CF_195 and higher, and HCL DX CF_196 and higher for customers deploying to on premises platforms.
Introduction
CORS stands for "Cross Origin Resource Sharing" and describes a pattern for sharing data between different source origins for JavaScript. There is high demand within the Web community to mash up services and combine them in a common UI. Before CORS, Web browsers did not allow requests to be sent across origin borders. CORS changes this paradigm and pushes the responsibility for such verification to the Web server. To support this, the server side needs to determine whether an incoming request is trusted and should be processed, or whether it should be blocked.
How to work with CORS in HCL DX
It is possible to control which origins can work with an instance of HCL Digital Experience core Portal and Web Content services. By default, DX only grants JavaScript of the same origin access to functions of the DX server. You can modify this default by configuring a list of trusted domains inside of DX. Prior to this configuration update, the list of trusted domains had to be defined in the DX web.xml, which added steps to deploy and update.
For the currently supported deployment pattern, refer to the existing Technote on the HCL Support Site that presents these steps: DX CORS Headers
This enhancement, available with HCL DX 9.5 Container Update CF_195 and higher, enables the configuration to be set inside the WP ConfigService IBM WebSphere Application Server resource environment provider. The change requires a restart of HCL DX Core.
Sample
com.ibm.portal.cors.domain.0.entry=http://test.hcl.com
com.ibm.portal.cors.domain.0.methods=PUT, GET
com.ibm.portal.cors.domain.0.allowheaders=*
com.ibm.portal.cors.domain.0.exposeheaders=MyHeader
com.ibm.portal.cors.domain.1.entry=http://test2.hcl.com
Configuration explanation
- com.ibm.portal.cors.domain.number.maxage
  - Defines the max age for the granted permission. Default value is 1000.
- com.ibm.portal.cors.domain.number.methods
  - Defines the methods allowed for this domain. Default is GET, OPTIONS.
- com.ibm.portal.cors.domain.number.allowheaders
  - Headers to allow.
- com.ibm.portal.cors.domain.number.exposeheaders
  - Headers to expose.
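The following is an added example, not part of HCL's documentation: a small Python check that parses properties in the format shown in the Sample, applies the two defaults documented above, and lists settings an administrator may want to confirm before restarting DX Core. The function names and the review criteria (plain HTTP origins, write methods, wildcard allowheaders) are assumptions of this example, not HCL rules.

```python
import re

# Constructed sample: the properties from the Sample section above.
SAMPLE = """\
com.ibm.portal.cors.domain.0.entry=http://test.hcl.com
com.ibm.portal.cors.domain.0.methods=PUT, GET
com.ibm.portal.cors.domain.0.allowheaders=*
com.ibm.portal.cors.domain.0.exposeheaders=MyHeader
com.ibm.portal.cors.domain.1.entry=http://test2.hcl.com
"""

KEY = re.compile(r"^com\.ibm\.portal\.cors\.domain\.(\d+)\.(\w+)$")
# Defaults as documented on this page; the other keys have no stated default.
DEFAULTS = {"maxage": "1000", "methods": "GET, OPTIONS"}
WRITE_METHODS = {"PUT", "POST", "DELETE", "PATCH"}  # this example's choice, not an HCL list

def parse(text):
    """Group the CORS properties by domain index and fill in documented defaults."""
    domains = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = KEY.match(key.strip())
        if m:
            domains.setdefault(int(m.group(1)), {})[m.group(2)] = value.strip()
    return {i: {**DEFAULTS, **d} for i, d in sorted(domains.items())}

def review(domains):
    """Return (index, finding) pairs for settings worth a second look."""
    findings = []
    for i, d in domains.items():
        origin = d.get("entry", "")
        if not origin:
            findings.append((i, "settings defined but no entry (origin)"))
        elif origin.startswith("http://"):
            findings.append((i, "trusted origin is not HTTPS"))
        methods = {m.strip().upper() for m in d["methods"].split(",")}
        writes = sorted(methods & WRITE_METHODS)
        if writes:
            findings.append((i, "write methods granted: " + ", ".join(writes)))
        if d.get("allowheaders", "").strip() == "*":
            findings.append((i, "allowheaders is a wildcard"))
    return findings

if __name__ == "__main__":
    for idx, finding in review(parse(SAMPLE)):
        print(f"domain.{idx}: {finding}")
```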