Hi Vassillis is right. You can configure CORS filter in a way that it will only allow requests from whitelisted domains instead of all (by using wild card *).
This filter allows such config: http://software.dzhuvinov.com/cors-filter-configuration.html You can just specify cors.allowOrigin parameter in web.xml to a list of your client side domains. Remember that CORS applies only in browsers. If you make requests from code say Java (using HttpURLConnection) they are not needed. So your concern about security is invalid. If somebody will want to make requests to your rest service he will be able to do that from any place. One side note. If you test your service make sure to use sth different than 'localhost' in url to rest service (ip and proper host name should work). At least chrome has issues with that when making CORS requests: http://stackoverflow.com/questions/10883211/deadly-cors-when-http-localhost-is-the-origin Greg On Tuesday, June 23, 2015 at 2:45:44 PM UTC+2, Vassilis Virvilis wrote: > > About CORS: > You don't need to add anything to your REST headers. Tomcat can handle it > for you assuming that the url of the gwt application is known to the the > tomcat serving the REST backend. See > https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter > > Vassilis > > On Tue, Jun 23, 2015 at 2:55 PM, Jens <[email protected] <javascript:>> > wrote: > >> Its because of same origin policy enforced by browsers and not because of >> cross site scripting (which is an attack). >> >> If you don't want to make your REST service JSONP compatible and you >> don't want to use CORS headers then you must make sure that your GWT app >> can access the REST service through the same domain/origin that the GWT app >> is served from. Usually you can do that by configuring a reverse proxy on >> http://gwt-domain.com that redirects your GWT server requests from >> http://gwt-domain.com/api/* to http://rest-backend.com/* or similar. >> >> Such a proxy also gives you the freedom to move your backend to other >> locations without updating the GWT app itself. We use NGINX as such a proxy. >> >> The only other alternative is that the GWT app makes requests to a >> servlet running on the host that serves the GWT app and that servlet then >> makes a request to the REST backend. So that servlet then also acts as a >> proxy. For example you could install such a servlet on >> http://gwt-domain.com/api/* >> >> -- J. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Google Web Toolkit" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected] <javascript:>. >> To post to this group, send email to [email protected] >> <javascript:>. >> Visit this group at http://groups.google.com/group/google-web-toolkit. >> For more options, visit https://groups.google.com/d/optout. >> > > > > -- > Vassilis Virvilis > -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/google-web-toolkit. For more options, visit https://groups.google.com/d/optout.
