Type: Technical Documentation
Status: Closed
Priority: Minor
Resolution: Completed
Affects Version/s: 7.3.X, 7.4.X, Master
Fix Version/s: 7.3.X, 7.3.6 CE GA7
Component/s: Application Security
Labels: None
Sprint: Iteration 49, Iteration 50, AppSec Iteration 51, AppSec Iteration 52, AppSec Iteration 53, AppSec Iteration 54, AppSec Iteration 55, AppSec Iteration 56
Type of Documentation: Developer
Background
Until this issue, CORS support was conditional on the request from the external site being made with OAuth 2.0. To ease the work of developers, we have added a property that allows CORS to be activated when the request is authenticated with a Portal Session or Basic Auth.
Features
We have added a new property to portal.properties:
    #
    # Set this to true to allow CORS without a guest security context or client
    # authorized using OAuth 2.0.
    #
    # Env: LIFERAY_CORS_PERIOD_DISABLE_PERIOD_AUTHORIZATION_PERIOD_CONTEXT_PERIOD_CHECK
    #
    cors.disable.authorization.context.check=false
It defaults to false. When it is activated (set to true), CORS is allowed without a guest security context or a client authorized using OAuth 2.0, so requests authenticated with a Portal Session or Basic Auth also receive CORS handling. We don't recommend activating it in a production environment, because it extends cross-origin access to session-authenticated requests.
In portal-developer.properties the default value is true.
Steps
Any developer can work with this property: setting it to true allows CORS using a Portal Session or Basic Auth. We expect this to be useful during the development phase of APIs, or in any development involving requests between different domains.
Code
We have simply added the property and a new check of it:
- portal.properties: new cors.disable.authorization.context.check property; the default value is false, for production environments.
- portal-developer.properties: new cors.disable.authorization.context.check property; the default value is true, for developer environments.
- CORSServletFilter and PortalCORSServletFilter: the value of the property is checked while the CORS filters process requests.
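The following is an added example, not code from Liferay or from this change, that models the gate described in the Features and Code sections above: the property is read from a portal.properties-style text, an environment variable of the LIFERAY_..._PERIOD_... form overrides it, and a cross-origin request only gets CORS headers when it runs as a guest or as an OAuth 2.0 client unless the check is disabled. The request classification (Bearer, Basic, JSESSIONID cookie, otherwise guest), the precedence of the environment variable over the file, the header set emitted, and the sample property fragments are all assumptions made for illustration.

```python
"""Added example (not Liferay's code): a model of how a CORS filter can gate its
headers on cors.disable.authorization.context.check, reading the property from a
portal.properties-style text and honouring a LIFERAY_* environment override.
The request classification and the header set are simplifying assumptions."""
import os

PROPERTY = "cors.disable.authorization.context.check"

# Constructed fragments standing in for portal.properties and portal-developer.properties.
PROD_PROPERTIES = """
#
# Set this to true to allow CORS without a guest security context or client
# authorized using OAuth 2.0.
#
cors.disable.authorization.context.check=false
"""
DEV_PROPERTIES = "cors.disable.authorization.context.check=true\n"


def env_name(key: str) -> str:
    """Derive the environment override name: prefix LIFERAY_, upper-case the key,
    and spell each '.' as '_PERIOD_' (the form shown in the portal.properties comment)."""
    return "LIFERAY_" + key.upper().replace(".", "_PERIOD_")


def parse_properties(text: str) -> dict:
    """Minimal key=value parser; blank lines and '#' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_disabled(props: dict, environ=None) -> bool:
    """Assumed precedence: environment variable wins over the file; anything but
    'true' keeps the authorization context check on (the safe default)."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_name(PROPERTY), props.get(PROPERTY, "false"))
    return value.strip().lower() == "true"


def auth_context(headers: dict, cookies: dict) -> str:
    """Classify the request's security context (assumed, simplified model)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return "oauth2"
    if auth.startswith("Basic "):
        return "basic"
    if "JSESSIONID" in cookies:
        return "session"
    return "guest"


def cors_allowed(headers: dict, cookies: dict, disabled: bool) -> bool:
    """With the check on, only guest requests and OAuth 2.0 clients get CORS handling;
    turning it off also admits portal-session and Basic Auth requests."""
    if auth_context(headers, cookies) in ("guest", "oauth2"):
        return True
    return disabled


def cors_headers(headers: dict, cookies: dict, disabled: bool, allowed_origins) -> dict:
    """Headers a filter would add for a cross-origin request (assumed header set).
    An unlisted Origin or a refused context yields no CORS headers at all."""
    origin = headers.get("Origin")
    if origin not in allowed_origins:
        return {}
    if not cors_allowed(headers, cookies, disabled):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def demo() -> dict:
    """The same session-cookie request under the production and developer defaults."""
    origins = {"https://app.example.test"}
    hdrs = {"Origin": "https://app.example.test"}
    cookies = {"JSESSIONID": "constructed"}  # constructed sample cookie
    prod = check_disabled(parse_properties(PROD_PROPERTIES), environ={})
    dev = check_disabled(parse_properties(DEV_PROPERTIES), environ={})
    return {
        "prod": cors_headers(hdrs, cookies, prod, origins),
        "dev": cors_headers(hdrs, cookies, dev, origins),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the practical difference: under the production default the session-cookie request gets no CORS headers, so the browser never exposes the response to the foreign origin, while under the developer default the same request is answered with credentialed CORS headers. The env_name() helper is the one piece worth checking against a real deployment, since a misspelt override silently leaves the file value in force.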