
My testing grounds for changes to be merged to Apereo uPortal

This project is maintained by ChristianMurphy

Security in uPortal

Table of Contents

  1. CORS Filter

CORS Filter

The CORS Filter is an implementation of W3C’s CORS (Cross-Origin Resource Sharing) specification, which enables cross-origin requests.

CORS Filter Configuration Options


A list of origins that are allowed to access the resource. A * can be specified to enable access to the resource from any origin. Otherwise, a whitelist of comma-separated origins can be provided. E.g.: http://www.w3.org, https://www.apache.org. Defaults: * (any origin is allowed to access the resource).


A comma-separated list of HTTP methods that can be used to access the resource using cross-origin requests. These methods are also included in the Access-Control-Allow-Methods header of the pre-flight response. E.g.: GET, POST. Defaults: GET, HEAD


A comma-separated list of request headers that can be used when making an actual request. These headers are also returned in the Access-Control-Allow-Headers header of a pre-flight response. E.g.: Origin,Accept. Defaults: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers


A comma-separated list of headers, other than simple response headers, that browsers are allowed to access. These headers are also included in the Access-Control-Expose-Headers header of the pre-flight response. E.g.: X-CUSTOM-HEADER-PING,X-CUSTOM-HEADER-PONG. Default: None. Non-simple headers are not exposed by default.


The number of seconds the browser is allowed to cache the result of the pre-flight request. This value is included in the Access-Control-Max-Age header of the pre-flight response. A negative value prevents the CORS Filter from adding this response header to the pre-flight response. Defaults: 1800


A flag that indicates whether the resource supports user credentials. This flag is exposed in the Access-Control-Allow-Credentials header of a pre-flight response. It helps the browser determine whether or not an actual request can be made using credentials. Defaults: true


A flag that controls whether CORS-specific attributes are added to the HttpServletRequest object. Defaults: true

See [W3C CORS](http://www.w3.org/TR/cors/)
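The following added example (a Python model, not uPortal's own code) shows how the documented options map to pre-flight response headers and audits a configuration for the default pairing of any origin with credentials. The field names are hypothetical because the option names are not shown above, and echoing the request origin when credentials are enabled is an assumption of this model.

```python
from dataclasses import dataclass

@dataclass
class CorsConfig:
    # Hypothetical field names; values are the defaults documented above.
    allowed_origins: str = "*"
    allowed_methods: str = "GET, HEAD"
    allowed_headers: str = ("Origin, Accept, X-Requested-With, Content-Type, "
                            "Access-Control-Request-Method, "
                            "Access-Control-Request-Headers")
    max_age: int = 1800
    support_credentials: bool = True

def split_csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def audit(cfg):
    """Flag settings that let more sites than intended read responses."""
    findings = []
    origins = split_csv(cfg.allowed_origins)
    if "*" in origins and cfg.support_credentials:
        findings.append("any origin is allowed together with credentials")
    findings += [f"non-HTTPS origin allowed: {o}" for o in origins
                 if o != "*" and not o.startswith("https://")]
    return findings

def preflight_headers(cfg, origin, method, request_headers=""):
    """Model a pre-flight decision; None means no CORS headers are sent."""
    origins = split_csv(cfg.allowed_origins)
    any_origin = "*" in origins
    if not any_origin and origin not in origins:  # exact string match only
        return None
    if method not in split_csv(cfg.allowed_methods):
        return None
    allowed = {h.lower() for h in split_csv(cfg.allowed_headers)}
    if any(h.lower() not in allowed for h in split_csv(request_headers)):
        return None
    # Assumption: "*" is only sent without credentials, because browsers
    # reject "*" on credentialed requests; otherwise the origin is echoed.
    wildcard = any_origin and not cfg.support_credentials
    out = {"Access-Control-Allow-Origin": "*" if wildcard else origin,
           "Access-Control-Allow-Methods": ", ".join(split_csv(cfg.allowed_methods)),
           "Access-Control-Allow-Headers": ", ".join(split_csv(cfg.allowed_headers))}
    if cfg.support_credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    if cfg.max_age >= 0:  # a negative value omits the header
        out["Access-Control-Max-Age"] = str(cfg.max_age)
    return out

# Constructed sample: an explicit HTTPS allow-list instead of the defaults.
HARDENED = CorsConfig(allowed_origins="https://portal.example.edu",
                      allowed_methods="GET, POST", max_age=-1)
```

Running `audit(CorsConfig())` against the documented defaults reports the any-origin-with-credentials finding, while `audit(HARDENED)` returns no findings.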