CORS handling
Some relying parties may send CORS (Cross-Origin Resource Sharing) pre-flight requests to the IdP. This page discusses some alternatives for handling them.
Java Servlet Container
At least Jetty and Tomcat have their own Filter implementations for handling CORS requests:
Jetty: https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/servlets/CrossOriginFilter.html
Example filter configuration for web.xml: Cross-origin AJAX requests for Shib-protected resources
Tomcat: https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
Spring CORS Configuration
Spring provides a native/proprietary mechanism for supporting this and it can be configured using either a map of CORS settings or (in V5.2+) by entirely replacing the source of CORS information with an alternative implementation.
A global bean named shibboleth.CorsConfiguration may contain a map of org.springframework.web.cors.CorsConfiguration declarations, where the key of each entry corresponds to a location under the <context>/profile URL tree (e.g., /oidc/token corresponds to https://idp.example.org/idp/profile/oidc/token).
By default, the map is not defined and thus Spring doesn’t provide any CORS handling.
Alternatively, in V5.2+ you may define a global bean named shibboleth.CorsConfigurationSource that implements the org.springframework.web.cors.CorsConfigurationSource interface yourself, to completely override the source of the information.
The following configuration activates the Spring CORS handling for the OP plugin's token endpoint:
<util:map id="shibboleth.CorsConfigurations" value-type="org.springframework.web.cors.CorsConfiguration">
    <entry key="/oidc/token">
        <bean class="org.springframework.web.cors.CorsConfiguration"
            p:allowedOrigins="http://localhost:8080,http://localhost:8081"
            p:allowedMethods="POST"
            p:allowedHeaders="Authorization"
            p:maxAge="1800" />
    </entry>
</util:map>

This enables the CORS pre-flight request handling for the two example origins when the HTTP request header Access-Control-Request-Method is set to POST.
Debugging
The debug logging of the Spring class org.springframework.web.cors.DefaultCorsProcessor is useful for finding out why pre-flight requests fail.
Some example log lines produced when the pre-flight request was not compatible with the shibboleth.CorsConfiguration:
2024-05-31 13:37:29,843 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:119] - Reject: 'http://localhost:8082' origin is not allowed
2024-05-31 13:37:57,109 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:127] - Reject: HTTP 'GET' is not allowed
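The following is an added example, not code from Shibboleth or Spring: a small Python model of how a pre-flight request is evaluated against the CorsConfiguration map shown above, using the same origins, method, header and maxAge as the XML. The check order and the reject strings are written to reproduce the two DefaultCorsProcessor log lines above, so you can see which part of the configuration caused each rejection; the exact behaviour of the real processor should be taken from its source, not from this model.

```python
# Added example (not Shibboleth or Spring code): a minimal model of how an
# OPTIONS pre-flight request is checked against the CorsConfiguration map.
# Field names mirror the p: properties of the XML bean; the check order and
# reject messages follow the DefaultCorsProcessor log lines on this page.
from dataclasses import dataclass


@dataclass
class CorsConfiguration:
    allowed_origins: list
    allowed_methods: list
    allowed_headers: list
    max_age: int = 1800


# Constructed to match the page's example map, keyed by profile path.
CORS_CONFIGURATIONS = {
    "/oidc/token": CorsConfiguration(
        allowed_origins=["http://localhost:8080", "http://localhost:8081"],
        allowed_methods=["POST"],
        allowed_headers=["Authorization"],
    ),
}


def process_preflight(path, request_headers):
    """Evaluate a pre-flight request. Returns (allowed, detail): detail is
    the dict of response headers on success, or a reject reason otherwise."""
    cfg = CORS_CONFIGURATIONS.get(path)
    if cfg is None:
        return False, "Reject: no CORS configuration for %s" % path
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    method = h.get("access-control-request-method")
    # Requested headers are a comma-separated list; header names are case-insensitive.
    requested = [x.strip() for x in h.get("access-control-request-headers", "").split(",") if x.strip()]
    if origin not in cfg.allowed_origins:
        return False, "Reject: '%s' origin is not allowed" % origin
    if method not in cfg.allowed_methods:
        return False, "Reject: HTTP '%s' is not allowed" % method
    allowed_lc = {x.lower() for x in cfg.allowed_headers}
    bad = [x for x in requested if x.lower() not in allowed_lc]
    if bad:
        return False, "Reject: headers '%s' are not allowed" % ", ".join(bad)
    return True, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": method,
        "Access-Control-Allow-Headers": ", ".join(requested),
        "Access-Control-Max-Age": str(cfg.max_age),
    }
```

Feeding the model an Origin of http://localhost:8082 or a requested method of GET yields the same two reject reasons as the log lines above, while a POST from one of the two configured origins requesting only the Authorization header is allowed.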