Enabling Cross-Origin Resource Sharing (CORS) in Open Liberty

duration 15 minutes

Learn how to enable Cross-Origin Resource Sharing (CORS) in Open Liberty without writing Java code.

What you’ll learn

You will learn how to add two server configurations to enable CORS. Next, you will write and run tests to validate that the CORS configurations work. These tests send two different CORS requests to a REST service that has two different endpoints.

CORS and its purpose

Cross-Origin Resource Sharing (CORS) is a W3C specification and mechanism that you can use to request restricted resources from a domain outside the current domain. In other words, CORS is a technique for consuming an API served from an origin different than yours.

CORS is useful for requesting data such as images, videos, scripts, style sheets, iFrames, web fonts, and many other kinds of data from websites other than yours.

However, you cannot request resources from outside of your website domain without asking for permission from the other website domains. In JavaScript, cross-origin requests with an XMLHttpRequest API and Ajax cannot happen unless CORS is enabled in the server that is receiving the request. Otherwise, same-origin security policy prevents the requests.

A web page that is served from the http://aboutcors.com server sends a request to get data to the http://openliberty.io server. Because of security concerns, browsers block the server response unless the server adds HTTP response headers to allow the web page to consume the data.

Different ports and different protocols also trigger CORS. For example, the http://abc.xyz:1234 domain is considered to be different from the https://abc.xyz:4321 domain.

Open Liberty has built-in support for CORS that gives you an easy and powerful way to configure the runtime to handle CORS requests without the need to write Java code.

Types of CORS requests

Familiarize yourself with two kinds of CORS requests to understand the attributes that you will add in the two CORS configurations.

Simple CORS request

According to the CORS specification, an HTTP request is a simple CORS request if the request method is GET, HEAD, or POST. The header fields are any one of the Accept, Accept-Language, Content-Language, or Content-Type headers. The Content-Type header has a value of application/x-www-form-urlencoded, multipart/form-data, or text/plain.

When clients, such as browsers, send simple CORS requests to servers on different domains, the clients include an Origin header with the client host name as the value. If the server allows the origin, the server includes an Access-Control-Allow-Origin header with a list of allowed origins or an asterisk (*) in the response back to the client. The asterisk indicates that all origins are allowed to access the endpoint on the server.

Preflight CORS request

A CORS request is not a simple CORS request if a client first sends a preflight CORS request before it sends the actual request. For example, the client sends a preflight request before it sends a DELETE HTTP request. To determine whether the request is safe to send, the client sends a preflight request, which is an OPTIONS HTTP request, to gather more information about the server. This preflight request has the Origin header and other headers to indicate the HTTP method and headers of the actual request to be sent after the preflight request.

Once the server receives the preflight request, if the origin is allowed, the server responds with headers that indicate the HTTP methods and headers that are allowed in the actual requests. The response might include more CORS-related headers.

Next, the client sends the actual request, and the server responds.

Getting started

The fastest way to work through this guide is to clone the Git repository and use the projects that are provided inside:

git clone https://github.com/openliberty/guide-cors.git
cd guide-cors

The start directory contains the starting project that you will build upon.

The finish directory contains the finished project, which is what you will build.

Enabling CORS

You will use a REST service that is already provided for you to test your CORS configurations. Find the service in the start/src/main/java/io/openliberty/guides/cors/ directory.

Send the simple request to the /configurations/simple endpoint and the preflight request to the /configurations/preflight endpoint.

Enabling a simple CORS configuration

Configure the server to allow the /configurations/simple endpoint to accept a simple CORS request. Add a simple CORS configuration to the server.xml file in the start/main/liberty/config/ directory:

<cors domain="/configurations/simple"
    allowedOrigins="openliberty.io"
    allowedMethods="GET"
    allowCredentials="true"
    exposeHeaders="MyHeader"/>

The simple CORS configuration contains the following attributes:

domain

The endpoint to be configured for CORS requests. Set the value to /configurations/simple.

allowedOrigins

Origins that are allowed to access the endpoint. Set the value to openliberty.io.

allowedMethods

HTTP methods that a client is allowed to use when it makes requests to the endpoint. Set the value to GET.

allowCredentials

A boolean that indicates whether the user credentials can be included in the request. Set the value to true.

exposeHeaders

Headers that are safe to expose to clients. Set the value to MyHeader.

Save the changes to the server.xml file. The /configurations/simple endpoint is now ready to be tested with a simple CORS request.

Open TestCors.java file in the start/src/test/java/it/io/openliberty/guides/cors/ directory. Add a test to test the simple CORS configuration you just added:

    @Test
    public void testSimpleCorsRequest() throws IOException  {
        HttpURLConnection connection = HttpUtils.sendRequest(
            pathToHost + "configurations/simple",
            "GET",
            TestData.simpleRequestHeaders);
        checkCorsResponse(connection, TestData.simpleResponseHeaders);

        printResponseHeaders(connection, "Simple CORS Request");
    }

The testSimpleCorsRequest test simulates a client. It first sends a simple CORS request to the /configurations/simple endpoint, and then it checks for a valid response and expected headers. Lastly, it prints the response headers for you to inspect.

The request is a GET HTTP request with the following header:

Header

Value

Origin

openliberty.io

Expect the following response headers and values if the simple CORS request is successful, and the server is correctly configured:

Header

Value

Access-Control-Allow-Origin

openliberty.io

Access-Control-Allow-Credentials

true

Access-Control-Expose-Headers

MyHeader

Go to the start/ directory and run the following command:

mvn install

The testSimpleCorsRequest test passes and prints the response headers with their values from the endpoint. The /configurations/simple endpoint now accepts simple CORS requests.

Enabling a preflight CORS configuration

Configure the server to allow the /configurations/preflight endpoint to accept a preflight CORS request. Add another CORS configuration in the server.xml file in the start/main/liberty/config/ directory:

<cors domain="/configurations/preflight"
    allowedOrigins="*"
    allowedMethods="OPTIONS, DELETE"
    allowCredentials="true"
    allowedHeaders="MyOwnHeader1, MyOwnHeader2"
    maxAge="10"/>

The preflight CORS configuration has different values than the simple CORS configuration.

domain

Set the value to /configurations/preflight because the domain is a different endpoint.

allowedOrigins

Set the value to an asterisk (*) to allow requests from all origins.

allowedMethods

Set the value to OPTIONS, DELETE.

allowCredentials

Set the value to true.

Add two new attributes:

maxAge

The number of seconds that a client can cache a response to a preflight request. Set the value to 10.

allowedHeaders

Headers that a client can use in requests. Set the value to MyOwnHeader1, MyOwnHeader2.

Save the changes to the server.xml file. The /configurations/preflight endpoint is now ready to be tested with a preflight CORS request.

Add another test to the TestCors.java file in the start/src/test/java/it/io/openliberty/guides/cors/ directory to test the preflight CORS configuration that you just added:

    @Test
    public void testPreflightCorsRequest() throws IOException {
        HttpURLConnection connection = HttpUtils.sendRequest(
            pathToHost + "configurations/preflight",
            "OPTIONS",
            TestData.preflightRequestHeaders);
        checkCorsResponse(connection, TestData.preflightResponseHeaders);

        printResponseHeaders(connection, "Preflight CORS Request");
    }

The testPreflightCorsRequest test simulates a client sending a preflight CORS request. It first sends the request to the /configurations/preflight endpoint, and then it checks for a valid response and expected headers. Lastly, it prints the response headers for you to inspect.

The request is an OPTIONS HTTP request with the following headers:

Header

Value

Origin

anywebsiteyoulike.com

Access-Control-Request-Method

DELETE

Access-Control-Request-Headers

MyOwnHeader2

Expect the following response headers and values if the preflight CORS request is successful, and the server is correctly configured:

Header

Value

Access-Control-Allow-Max-Age

10

Access-Control-Allow-Origin

anywebsiteyoulike.com

Access-Control-Allow-Methods

OPTIONS, DELETE

Access-Control-Allow-Credentials

true

Access-Control-Allow-Headers

MyOwnHeader1, MyOwnHeader2

The Access-Control-Allow-Origin header has a value of anywebsiteyoulike.com because the server is configured to allow all origins, and the request came with an origin of anywebsiteyoulike.com.

Go to the start/ directory and run the following command:

mvn install

The testPreflightCorsRequest test passes and prints the response headers with their values from the endpoint. The /configurations/preflight endpoint now allows preflight CORS requests.

If you want, modify the server configuration and the test code to experiment with the various CORS configuration attributes.

Great work! You’re done!

You enabled CORS support in Open Liberty. You added two different CORS configurations to allow two kinds of CORS requests in the server.xml file.

Contribute to this guide

Is something missing or broken? Raise an issue, or send us a pull request.