WSO2 API Manager CORS

Question

I'd like to enable CORS on my WSO2 API Manager instance for all endpoints. I've been through the documentation (which is great) and it suggests altering the repository/conf/api-manager.xml file as there is a CORS configuration node within it (below).

<!--Configuration to enable/disable sending CORS headers in the Gateway response
    and define the Access-Control-Allow-Origin header value.-->
<CORSConfiguration>

    <!--Configuration to enable/disable sending CORS headers from the Gateway-->
    <Enabled>true</Enabled>

    <!--The value of the Access-Control-Allow-Origin header. Default values are
        API Store addresses, which is needed for swagger to function.-->
    <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>

    <!--Configure Access-Control-Allow-Methods-->
    <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>

    <!--Configure Access-Control-Allow-Headers-->
    <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type</Access-Control-Allow-Headers>

<!--Configure Access-Control-Allow-Credentials-->
<!-- Specifying this header to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.
     It is false by default and if you set it to true then make sure that the Access-Control-Allow-Origin header does not contain the wildcard (*)
-->
<Access-Control-Allow-Credentials>true</Access-Control-Allow-Credentials>

</CORSConfiguration>

This file doesn't seem to apply this CORS configuration to all endpoints though. I receive the correct Access Control headers when making requests to API endpoints that I've published but I don't receive them when I hit the token endpoints (default - '/token', '/revoke').

How am I able to achieve this?

Answer 1

CORS configurations are valid for the APIs created using the Publisher applications. The token apis (- '/token', '/revoke') are not covered from this configurations.

CORS headers are handled using a handler

org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler

If you open a synapse configuration for an api in /repository/deployment/server/synapse-configs/default/api you would find this handler.

You can set this handler to the RevokeAPI.xml and TokenAPI.xml as well. (these are in the same location /repository/deployment/server/synapse-configs/default/api). It would be something like this in the configuration file

 <handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
     <property name="apiImplementationType" value="ENDPOINT"/>
    </handler>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerCacheExtensionHandler"/>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.common.SynapsePropertiesHandler"/>
</handlers>

Answer 2

The CORS configuration in the api-manager.xml will be only applied for the APIs created through the API Manager. It will not apply those configurations to Token APIs such as /token and /revoke.

The token API related configurations are located in {PRODUCT_HOME}/repository/deployment/server/synapse-configs/default/api directory.

You can edit the _TokenAPI_.xml and add CORS headers if you needed. You may refer[1] as useful resource.

[1] - http://blog.lakmali.com/2013/10/how-to-add-additional-headers-to-wso2.html