WSO2 API Manager CORS

5
votes

I'd like to enable CORS on my WSO2 API Manager instance for all endpoints. I've been through the documentation (which is great) and it suggests altering the repository/conf/api-manager.xml file as there is a CORS configuration node within it (below). 

<!--Configuration to enable/disable sending CORS headers in the Gateway response
    and define the Access-Control-Allow-Origin header value.-->
<CORSConfiguration>

    <!--Configuration to enable/disable sending CORS headers from the Gateway-->
    <Enabled>true</Enabled>

    <!--The value of the Access-Control-Allow-Origin header. Default values are
        API Store addresses, which is needed for swagger to function.-->
    <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>

    <!--Configure Access-Control-Allow-Methods-->
    <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>

    <!--Configure Access-Control-Allow-Headers-->
    <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type</Access-Control-Allow-Headers>

<!--Configure Access-Control-Allow-Credentials-->
<!-- Specifying this header to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.
     It is false by default and if you set it to true then make sure that the Access-Control-Allow-Origin header does not contain the wildcard (*)
-->
<Access-Control-Allow-Credentials>true</Access-Control-Allow-Credentials>

</CORSConfiguration>

This file doesn't seem to apply this CORS configuration to all endpoints though. I receive the correct Access Control headers when making requests to API endpoints that I've published but I don't receive them when I hit the token endpoints (default - '/token', '/revoke').

How am I able to achieve this?

2
wso2corswso2-am

2 Answers

13
votes

CORS configurations are valid for the APIs created using the Publisher applications. The token apis (- '/token', '/revoke') are not covered from this configurations.

CORS headers are handled using a handler 

org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler

If you open a synapse configuration for an api in /repository/deployment/server/synapse-configs/default/api you would find this handler.

You can set this handler to the RevokeAPI.xml and TokenAPI.xml as well. (these are in the same location /repository/deployment/server/synapse-configs/default/api). It would be something like this in the configuration file

 <handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
     <property name="apiImplementationType" value="ENDPOINT"/>
    </handler>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerCacheExtensionHandler"/>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.common.SynapsePropertiesHandler"/>
</handlers>
3
votes

The CORS configuration in the api-manager.xml will be only applied for the APIs created through the API Manager. It will not apply those configurations to Token APIs such as /token and /revoke.

The token API related configurations are located in {PRODUCT_HOME}/repository/deployment/server/synapse-configs/default/api directory.

You can edit the _TokenAPI_.xml and add CORS headers if you needed. You may refer[1] as useful resource.

[1] - http://blog.lakmali.com/2013/10/how-to-add-additional-headers-to-wso2.html