I'd like to enable CORS on my WSO2 API Manager instance for all endpoints. I've been through the documentation (which is great) and it suggests altering the repository/conf/api-manager.xml file as there is a CORS configuration node within it (below).
<!--Configuration to enable/disable sending CORS headers in the Gateway response
    and define the Access-Control-Allow-Origin header value.-->
<CORSConfiguration>
    <!--Configuration to enable/disable sending CORS headers from the Gateway-->
    <Enabled>true</Enabled>
    <!--The value of the Access-Control-Allow-Origin header. Default values are
        API Store addresses, which is needed for swagger to function.-->
    <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
    <!--Configure Access-Control-Allow-Methods-->
    <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>
    <!--Configure Access-Control-Allow-Headers-->
    <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type</Access-Control-Allow-Headers>
    <!--Configure Access-Control-Allow-Credentials-->
    <!-- Specifying this header to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.
         It is false by default and if you set it to true then make sure that the Access-Control-Allow-Origin header does not contain the wildcard (*)
    -->
    <Access-Control-Allow-Credentials>true</Access-Control-Allow-Credentials>
</CORSConfiguration>
This file doesn't seem to apply this CORS configuration to all endpoints though. I receive the correct Access Control headers when making requests to API endpoints that I've published but I don't receive them when I hit the token endpoints (default - '/token', '/revoke').
How am I able to achieve this?
The CORS configuration applies to the APIs created using the Publisher application. The token APIs ('/token', '/revoke') are not covered by this configuration.
CORS headers are handled by the handler org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler.
If you open the synapse configuration for an API in /repository/deployment/server/synapse-configs/default/api, you will find this handler.
You can add this handler to RevokeAPI.xml and TokenAPI.xml as well (these are in the same location, /repository/deployment/server/synapse-configs/default/api). It would look something like this in the configuration file:
<handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
        <property name="apiImplementationType" value="ENDPOINT"/>
    </handler>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerCacheExtensionHandler"/>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.common.SynapsePropertiesHandler"/>
</handlers>
The CORS configuration in api-manager.xml will only be applied to the APIs created through the API Manager. It will not apply those configurations to token APIs such as /token and /revoke.
The token API related configurations are located in the {PRODUCT_HOME}/repository/deployment/server/synapse-configs/default/api directory.
You can edit the _TokenAPI_.xml and add CORS headers if needed. You may refer to [1] as a useful resource.
[1] - http://blog.lakmali.com/2013/10/how-to-add-additional-headers-to-wso2.html
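Added example, not code from the question, the answers or WSO2: a small offline check for the two things this thread turns on, namely whether a <CORSConfiguration> block pairs a wildcard Access-Control-Allow-Origin with Access-Control-Allow-Credentials=true (the combination the api-manager.xml comment warns against, and which browsers reject), and whether a synapse API definition such as _TokenAPI_.xml actually lists the CORSRequestHandler. It assumes api-manager.xml elements carry no XML namespace; the sample XML strings are constructed for the demo.

```python
# Added example (not from the question, answers or WSO2). Checks a
# CORSConfiguration fragment for the wildcard-plus-credentials mistake and
# checks a synapse <api> definition for the CORSRequestHandler.
import xml.etree.ElementTree as ET

CORS_HANDLER = "org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler"


def _local(tag):
    """Strip an XML namespace ({uri}name -> name); synapse API files use one."""
    return tag.rsplit("}", 1)[-1]


def check_cors_config(xml_text):
    """Return a list of findings for a CORSConfiguration fragment; [] means clean.
    Assumes the CORSConfiguration children are un-namespaced, as in api-manager.xml."""
    root = ET.fromstring(xml_text)
    cfg = next((e for e in root.iter() if _local(e.tag) == "CORSConfiguration"), None)
    if cfg is None:
        return ["no CORSConfiguration element found"]
    val = lambda name: (cfg.findtext(name) or "").strip()
    if val("Enabled").lower() != "true":
        return ["CORS disabled; gateway sends no CORS headers"]
    origins = [o.strip() for o in val("Access-Control-Allow-Origin").split(",") if o.strip()]
    creds = val("Access-Control-Allow-Credentials").lower() == "true"
    findings = []
    if "*" in origins and creds:
        findings.append("wildcard origin combined with Allow-Credentials=true")
    if "*" in origins:
        findings.append("wildcard origin: any site may call the gateway cross-origin")
    return findings


def has_cors_handler(synapse_api_xml):
    """True if an <api> definition lists the CORSRequestHandler among its handlers."""
    root = ET.fromstring(synapse_api_xml)
    return any(_local(e.tag) == "handler" and e.get("class") == CORS_HANDLER
               for e in root.iter())


# Constructed samples: the question's CORS block, and a minimal _TokenAPI_-style
# definition before and after the handler block from the answer is added.
CORS_XML = """<CORSConfiguration><Enabled>true</Enabled>
<Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
<Access-Control-Allow-Credentials>true</Access-Control-Allow-Credentials>
</CORSConfiguration>"""
TOKEN_API_BEFORE = ('<api xmlns="http://ws.apache.org/ns/synapse" name="_TokenAPI_" '
                    'context="/token"><handlers/></api>')
TOKEN_API_AFTER = TOKEN_API_BEFORE.replace("<handlers/>", '<handlers><handler class="%s">'
    '<property name="apiImplementationType" value="ENDPOINT"/></handler></handlers>' % CORS_HANDLER)

if __name__ == "__main__":
    print(check_cors_config(CORS_XML))
    print(has_cors_handler(TOKEN_API_BEFORE), has_cors_handler(TOKEN_API_AFTER))
```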