The Shibboleth IdP V4 software will leave support on September 1, 2024.

CORS handling

Some relying parties may send CORS (Cross-Origin Resource Sharing) pre-flight requests to the IdP. This page discusses some alternatives for handling them.

Java Servlet Container

At least Jetty and Tomcat have their own Filter implementations for handling CORS requests:

Spring CORS Configuration

IdP V4.2 provides a native/proprietary mechanism for supporting this via Spring. A global bean called shibboleth.CorsConfigurations may contain a map of org.springframework.web.cors.CorsConfiguration declarations, where the key of each entry corresponds to a location under the <context>/profile URL tree (e.g., /oidc/token corresponds to https://idp.example.org/idp/profile/oidc/token).

By default, the map is not defined and thus Spring doesn’t provide any CORS handling.

The following example activates the Spring CORS handling for the OP plugin’s token endpoint:

<util:map id="shibboleth.CorsConfigurations"
        value-type="org.springframework.web.cors.CorsConfiguration">
    <entry key="/oidc/token">
        <bean class="org.springframework.web.cors.CorsConfiguration"
            p:allowedOrigins="http://localhost:8080,http://localhost:8081"
            p:allowedMethods="POST"
            p:allowedHeaders="Authorization"
            p:maxAge="1800" />
    </entry>
</util:map>

This enables the CORS pre-flight request handling from two example origins, when the HTTP request header Access-Control-Request-Method is set to POST.
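
To review which pre-flight requests a given map would accept, the following added example (not part of the Shibboleth documentation or code) parses the bean map and applies a simplified model of the allow/deny decision. The function names, the enclosing <beans> root, and the exact-match comparison of paths and origins are assumptions of the example; it does not reproduce Spring's own processing.

```python
import xml.etree.ElementTree as ET

NS = {"util": "http://www.springframework.org/schema/util",
      "b": "http://www.springframework.org/schema/beans"}
P = "{http://www.springframework.org/schema/p}"  # Spring p-namespace

# Constructed sample: the page's map wrapped in a <beans> root so it parses.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:p="http://www.springframework.org/schema/p">
  <util:map id="shibboleth.CorsConfigurations"
      value-type="org.springframework.web.cors.CorsConfiguration">
    <entry key="/oidc/token">
      <bean class="org.springframework.web.cors.CorsConfiguration"
          p:allowedOrigins="http://localhost:8080,http://localhost:8081"
          p:allowedMethods="POST" p:allowedHeaders="Authorization"
          p:maxAge="1800" />
    </entry>
  </util:map>
</beans>"""

def _csv(bean, name):
    return [v.strip() for v in bean.get(P + name, "").split(",") if v.strip()]

def load_cors_map(xml_text):
    """Return {profile path: {origins, methods, headers}} from the bean map."""
    root = ET.fromstring(xml_text)
    cors_map = root.find(".//util:map[@id='shibboleth.CorsConfigurations']", NS)
    if cors_map is None:
        return {}  # map undefined: no CORS handling, as the page states
    rules = {}
    for entry in cors_map.findall("b:entry", NS):
        bean = entry.find("b:bean", NS)
        rules[entry.get("key")] = {
            "origins": _csv(bean, "allowedOrigins"),
            "methods": [m.upper() for m in _csv(bean, "allowedMethods")],
            "headers": [h.lower() for h in _csv(bean, "allowedHeaders")],
        }
    return rules

def preflight_allowed(rules, path, origin, method, req_headers=()):
    """Simplified allow/deny decision; None means no entry covers the path."""
    rule = rules.get(path)
    if rule is None:
        return None
    origin_ok = "*" in rule["origins"] or origin in rule["origins"]
    method_ok = "*" in rule["methods"] or method.upper() in rule["methods"]
    headers_ok = "*" in rule["headers"] or all(
        h.lower() in rule["headers"] for h in req_headers)
    return origin_ok and method_ok and headers_ok
```

Running the same checks against a deployed configuration file shows at a glance whether an entry admits a wildcard origin or more methods and headers than the relying party needs.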