CAS 5.x CORS questions

[Aaron Bennett]

Greetings,

We've got a need to enable the CORS headers in CAS.

The document here: https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#http-web-requests shows how to enable them, but there's no explanation of what the following attributes mean:

# cas.httpWebRequest.cors.enabled=false
# cas.httpWebRequest.cors.allowCredentials=false
# cas.httpWebRequest.cors.allowOrigins[0]=
# cas.httpWebRequest.cors.allowMethods[0]=*
# cas.httpWebRequest.cors.allowHeaders[0]=*
# cas.httpWebRequest.cors.maxAge=3600
# cas.httpWebRequest.cors.exposedHeaders[0]=

We really only need this for one service. Is there a way to enable it, or allow it, per-service? What do all of the other attribute represent?

Thanks,

Aaron Bennett


---
Aaron Bennett
Manager of Systems Administration
Clark University ITS

[Nick Petersen]

To enable it for one Origin, specify the full service URL in the allowOrigins[0] property.  Example:

cas.httpWebRequest.cors.enabled:            true

cas.httpWebRequest.cors.allowCredentials:   true

cas.httpWebRequest.cors.allowOrigins[0]:    'full.url'

If you need to add an additional service:

cas.httpWebRequest.cors.allowOrigins[1]:    'next.full.url'

If you need to allow any service, you can set allowOrigins[0] to "*".  This will enable it for all services.  Note that you cannot use the star like a wildcard, like '*.full.url'.

-Nick

--

Nathaniel N. Petersen
Systems Architect
IT - Administrative Information Systems
University of Northern Iowa 

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/BN6PR03MB3169D7496166D5A91F1A1133A17B0%40BN6PR03MB3169.namprd03.prod.outlook.com.

[Aaron Bennett]

Thank you – I put that in place, but any time I have:

 

cas.httpWebRequest.cors.enabled:            true

 

no matter what the value of  cas.httpWebRequest.cors.allowOrigins[0] is, it returns “Invalid CORS request”

 

I’ve tried both the exact URL of calling app and: cas.httpWebRequest.cors.allowOrigins:    '*'

 

This happens even with an app that doesn’t send any CORS requests.

 

 

Does this ring a bell?  I’m using 3.5.8.

 

Best,

 

Aaron

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAWVSYRN-O_cN6LfXvH1aGPHOz7m3BNQQFbdcDyJ6hXE2x9CKQ%40mail.gmail.com.

[Andy Ng]

Hi Aaron,

> I’m using 3.5.8.

Does you mean you are using CAS 3.5.8? If so then you are reading the wrong documentation.

https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#http-web-requests is only for 5.2.x, as you can see in the URL.

Your best bet is to find the CAS 3.5.8 documentation and goes from there, I am not familiar with CAS 3 so I also don't know where you can find the documentation.

Cheers!

- Andy