Type: Technical Documentation
Affects Version/s: 7.3.X, 7.4.X, Master
Component/s: Application Security
Sprint:Iteration 49, Iteration 50, AppSec Iteration 51, AppSec Iteration 52, AppSec Iteration 53, AppSec Iteration 54, AppSec Iteration 55, AppSec Iteration 56
Type of Documentation:Developer
Until this issue, CORS support was conditional on the request from an external site being made with OAuth 2.0. We have added a property that makes the developer's work easier: it allows CORS to be enabled when you're using Portal Session or Basic Auth.
We have added a new property, cors.disable.authorization.context.check, to portal.properties. It defaults to false; when set to true, it allows CORS without a guest security context or a client authorized using OAuth 2.0. We do not recommend enabling it in a production environment.
In portal-developer.properties the default value is true.
Any developer can set this property to true to allow CORS using Portal Session or Basic Auth; we expect this to be useful during the development phase of APIs, or in any development involving requests between different domains.
We have simply added the property and a check of it:
- portal.properties: new cors.disable.authorization.context.check property; the default value is false for production environments.
- portal-developer.properties: new cors.disable.authorization.context.check property; the default value is true for developer environments.
- CORSServletFilter and PortalCORSServletFilter: the value of the property is checked while the CORS filters process requests.
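The following is an added, standalone illustration of the decision the property changes; it is not Liferay's CORSServletFilter or PortalCORSServletFilter code. The class name, the AuthContext enum, the shouldApplyCors and isSafeForProduction methods, and the assumption that a request with an Origin header is a CORS request are all mine. It models the page's description: with the property at its production default (false) CORS is only applied for a guest security context or an OAuth 2.0 client; with the developer default (true) the authorization-context check is skipped, so Portal Session and Basic Auth requests get CORS too.

```java
import java.util.Properties;

// Standalone model of the cors.disable.authorization.context.check decision.
// Not Liferay's filter code; names and structure are assumptions for illustration.
public class CorsAuthorizationCheckExample {

    public static final String PROPERTY = "cors.disable.authorization.context.check";

    // Authorization contexts mentioned on the page (enum is an assumption).
    public enum AuthContext { GUEST, OAUTH2, PORTAL_SESSION, BASIC_AUTH }

    // Returns true when the filter should add CORS headers to the response.
    // 'origin' is the request's Origin header; null means it is not a CORS request.
    public static boolean shouldApplyCors(Properties props, AuthContext context, String origin) {
        if (origin == null) {
            return false; // same-origin request, CORS headers are not needed
        }
        boolean disableCheck = Boolean.parseBoolean(props.getProperty(PROPERTY, "false"));
        if (disableCheck) {
            // Developer setting: the authorization-context check is skipped, so
            // Portal Session and Basic Auth requests are also allowed CORS.
            return true;
        }
        // Production default: only a guest security context or an OAuth 2.0
        // authorized client may receive CORS headers.
        return context == AuthContext.GUEST || context == AuthContext.OAUTH2;
    }

    // Defender-side sanity check: the developer default must not leak into production.
    public static boolean isSafeForProduction(Properties props) {
        return !Boolean.parseBoolean(props.getProperty(PROPERTY, "false"));
    }

    public static void main(String[] args) {
        Properties production = new Properties();   // portal.properties default
        production.setProperty(PROPERTY, "false");

        Properties developer = new Properties();    // portal-developer.properties default
        developer.setProperty(PROPERTY, "true");

        String origin = "https://app.example.test"; // constructed sample Origin header
        for (AuthContext ctx : AuthContext.values()) {
            System.out.printf("%-15s production=%-5b developer=%b%n", ctx,
                shouldApplyCors(production, ctx, origin),
                shouldApplyCors(developer, ctx, origin));
        }
        System.out.println("production config safe: " + isSafeForProduction(production));
        System.out.println("developer config safe:  " + isSafeForProduction(developer));
    }
}
```

The isSafeForProduction check is the kind of test worth running against the effective portal.properties before a deployment, since a copied developer configuration would silently widen CORS to session- and Basic-Auth-authenticated requests.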