Cross Origin Resource Sharing (CORS) can be enabled and configured in the alfresco-global.properties file.
CORS is disabled by default. To enable it, set the following property to true:
cors.enabled=
Important: This feature is only available when using Tomcat.
If CORS is enabled then CORS requests can be made to all endpoints under /alfresco.
Use the following properties to configure CORS:
Property | Description |
---|---|
cors.allowed.origins | Set the hosts allowed in cross origin requests. By default, the value is empty, which forbids clients hosted on any server to access the resources. You can specify a host, for example, http://www.example.org:8080, which will only allow requests from this host. A * value permits all clients hosted on any server to access the resources. It’s recommended to restrict this setting to origins within your organization. |
cors.allowed.methods | Set which HTTP requests are permitted. Possible values should be
comma separated and include:
|
cors.allowed.headers | Set which headers are permitted in request headers, manually or
programmatically in addition to the ones set by the user agent. Values
should be comma separated and include:
|
cors.exposed.headers | Set which headers are whitelisted for the client to access from the server. |
cors.support.credentials | Set whether HTTP cookie and HTTP authentication-based credentials are allowed. This is a boolean value. |
cors.preflight.maxage | Set the maximum time (in minutes) for caching a preflight request. Preflighted requests use the OPTIONS method to verify resource availability and then request it. |
The following is an example configuration for the alfresco-global.properties file:
cors.enabled=true cors.allowed.origins=http://alfresco.com:8080 cors.allowed.methods=GET,POST,PUT cors.allowed.headers=Authorization,Content-Type,Cache-Control,X-Requested-With,X-CSRF-Token cors.exposed.headers=Access-Control-Allow-Origin,Access-Control-Allow-Credentials cors.support.credentials=true cors.preflight.maxage=10