Enabling CORS

Cross-Origin Resource Sharing (CORS) is a W3C standard that allows data sharing between domains. CORS enables web applications running in one domain to access data from another domain.

By enabling CORS on your Spectrum Technology Platform server, you can allow web applications hosted in another domain to access Spectrum Technology Platform web services.

For example, say you have a web application hosted at webapp.example.com. This web application contains a JavaScript function that calls a Spectrum Technology Platform web service hosted at spectrum.example.com. Without CORS, you would need to use a proxy server to facilitate this request, which would add complexity to your implementation. With CORS, you do not need to use a proxy server. Instead, you can designate webapp.example.com as an "allowed origin", thus permitting Spectrum Technology Platform to respond to web service requests that originate from the domain webapp.example.com.

To enable CORS on your Spectrum Technology Platform server:

  1. Stop the Spectrum Technology Platform server.
  2. Open this file in a text editor:

    SpectrumDirectory/server/conf/spectrum-container.properties

  3. Edit the following parameters.
    spectrum.http.cors.enabled

    Set this property to true to enable CORS. The default is false.

    spectrum.http.cors.allowedOrigins

    A comma-separated list of origins that are allowed to access resources on the Spectrum Technology Platform server. The default is http://localhost:8080,http://localhost:443, which allows access to resources using the default HTTP port 8080 and the default HTTPS port of 443.

    If an allowed origin contains one or more asterisks ("*"), for example http://*.domain.com, then each asterisk is converted to .*, each dot character (".") is escaped to "\.", and the resulting allowed origin is interpreted as a regular expression. Allowed origins can therefore be more complex expressions, such as https?://*.domain.[a-z]{3}, which matches http or https, multiple subdomains, and any three-letter top-level domain (such as .com, .net, .org).

    spectrum.http.cors.allowedMethods

    A comma-separated list of HTTP methods that are allowed to be used when accessing resources on the Spectrum Technology Platform server. The default value is POST,GET,OPTIONS,PUT,DELETE,HEAD.

    spectrum.http.cors.allowedHeaders

    A comma-separated list of HTTP headers that are allowed when accessing resources on the Spectrum Technology Platform server. The default value is X-PINGOTHER, Origin, X-Requested-With, Content-Type, Accept. If the value is a single asterisk ("*"), all headers will be accepted.

    spectrum.http.cors.preflightMaxAge

    The number of seconds that preflight requests can be cached by the client. The default value is 1800 seconds, or 30 minutes.

    spectrum.http.cors.allowCredentials

    Indicates whether the resource allows requests with credentials. The default value is true.

  4. Save and close the file.
  5. Start the Spectrum Technology Platform server.
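
The wildcard conversion described for spectrum.http.cors.allowedOrigins in step 3 can be reproduced offline to check which origins a pattern would admit before the file is saved. The following Python script is an added example, not Spectrum Technology Platform code; the function names, the sample origins, whole-string matching, and literal comparison for entries without an asterisk are assumptions.

```python
import re

def origin_matcher(entry):
    """Build a predicate for one spectrum.http.cors.allowedOrigins entry."""
    entry = entry.strip()
    if "*" not in entry:
        # Assumption: an entry without an asterisk is compared as a literal string.
        return lambda origin: origin == entry
    # Apply the documented conversion in a single pass, so the dot that
    # "*" -> ".*" introduces is not itself escaped. All other characters
    # (?, [a-z], {3}) are left as regular-expression syntax.
    pattern = "".join(
        ".*" if ch == "*" else r"\." if ch == "." else ch for ch in entry
    )
    regex = re.compile(pattern)
    # Assumption: the whole Origin value must match the expression.
    return lambda origin: regex.fullmatch(origin) is not None

def audit(allowed_origins, candidates):
    """Map each candidate Origin to the list of entries that would admit it."""
    entries = [e.strip() for e in allowed_origins.split(",") if e.strip()]
    matchers = [(e, origin_matcher(e)) for e in entries]
    return {c: [e for e, match in matchers if match(c)] for c in candidates}

# Constructed sample: one literal entry plus the wildcard example from the text.
ALLOWED = "http://localhost:8080,https?://*.domain.[a-z]{3}"
CANDIDATES = [
    "http://localhost:8080",
    "https://webapp.domain.com",
    "http://a.b.domain.net",
    "https://domain.com",
    "https://webapp.domain.xyz",
    "https://webapp.domain.com.other.example",
]

if __name__ == "__main__":
    for origin, hits in audit(ALLOWED, CANDIDATES).items():
        verdict = "ALLOW" if hits else "deny"
        print(verdict, origin, hits)
```

In the sample run the three-letter top-level-domain pattern also admits https://webapp.domain.xyz, which is outside .com, .net and .org. Because spectrum.http.cors.allowCredentials defaults to true, keep wildcard entries as narrow as the deployment allows.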