Configuring Cross Origin Resource Sharing on a Liberty server


You can enable Cross Origin Resource Sharing (CORS) for your web applications on a Liberty server.

Enabling CORS allows JavaScript clients to make requests against your application on the Liberty server even if the client and the server are on two different domains. Without CORS, web browsers block these requests because of the same-origin policy.

I created the following configuration in the server.xml file on my local machine:

<!-- domain: the application context. It will work only for this app. -->
<!-- allowedOrigins: this is my local Node.js server. -->
<cors domain="/ApplicationContext"
   allowedOrigins="http://localhost:8080"
   allowedMethods="GET, HEAD, POST, PUT"
   allowedHeaders="Referer, Cache-Control, Pragma, Accept, Accept-Language, Accept-Encoding, Accept-Charset, Content-Type, Content-Length, User-Agent, Authorization, passwd, X-Update-Nonce, X-Shindig-ST, X-IC-CRE-Request-Origin, X-IC-CRE-User, X-LConn-Auth, Accept*, Content*, Access-Control-Allow-Origin*"
   exposeHeaders="Content-Type, Last-Modified, etag"
   allowCredentials="true"
   maxAge="3600" />

  • Little caveat (I found out the hard way): “allowedOrigins” suggests that you could specify multiple origins. You can’t. This isn’t a WebSphere limitation, but a browser behavior. So when your site needs to serve more than one origin, you need to send that header from your code (after reading where the request came from).