How to define CORS in Websphere Application Server Liberty Profile V8.5

Question

Is it possible to apply cross-origin resource sharing (CORS) in a Websphere Application Server Liberty Profile V8.5 ?

I searched the redbook but couldn't find IBM mention anything about it. (http://www.redbooks.ibm.com/abstracts/sg248076.html?Open)

It's not possibility for me to set the headers programmatically like this:

Access-Control-Allow-Origin: *

(http://enable-cors.org/server.html)

Answer 1

You have to add following jars to your WEB-INF/lib folder:

• cors-filter-1.8.jar
• java-property-utils-1.9.jar

In your web.xml you have to add following rules:

<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
</filter>
<filter-mapping>
        <filter-name>CORS</filter-name>
        <url-pattern>/*</url-pattern>
</filter-mapping>

Answer 2

Starting with the January 2016 Beta (edit: and now in Liberty 8559), WebSphere Liberty supports CORS natively. You just configure the server.xml with the CORS options you want, here's an example:

<cors domain="/sampleApp/path"
   allowedOrigins="https://alice.com:8090"
   allowedMethods="GET, DELETE, POST"
   allowedHeaders="Accept, MyRequestHeader1"
   exposeHeaders="MyResponseHeader1"
   allowCredentials="true"
   maxAge="3600" />

The domain attribute is for the application root that you want this configuration to apply to, which means it won't affect any other context roots. The other 7 attributes follow exactly the official CORS spec (https://www.w3.org/TR/cors/), so they are pretty self explanatory.

Link to beta: https://developer.ibm.com/wasdev/blog/2016/01/15/beta-websphere-liberty-and-tools-january/

Answer 3

To extend to the CORS from ArthurDM: The documented pages where not explaining enough for me. My setup is the following and I just want to share that with you:

• Use Liberty Profile 8.5.5.9. So the CORS addition to liberty profile is not in beta only anymore.
• Use JavaEE batch and connected the batch to put all its data in the repository (not in memory).
• I wanted to use batchManagement-1.0 feature for the rest api of batch that comes with it.
• Angular 1.

Eventually the following cors setting did the trick:

    <cors domain="/ibm/api" 
       allowedOrigins="http://localhost:9080" 
       allowedMethods="GET, POST, PUT, DELETE" 
       allowedHeaders="Accept, Accept-Language, Content-Language, Content-Type" 
       exposeHeaders="Content-Type" 
       allowCredentials="true" 
       maxAge="3600" />

Good luck, and I hope it helps.