http://www.w3.org/TR/cors/#access-control-allow-credentials-response-header
    true
    false (no authentication allowed for this request)
The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.

http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
    http://foo.example
Access-Control-Allow-Origin header indicates whether resource can be shared by returning:
    Origin request header value
    "*"
    null

Passing these 2 additional parameters for installations which mandate authentication (banks/financial-institutions/health-care-facilities) will allow those installations which mandate authentication to implement CORS

Can we include these 2 parameters to widen CORS deployment base for banks?

Martin

Date: Thu, 16 Jul 2015 22:52:25 -0700
From: [email protected]
To: [email protected]
Subject: Re: CORS Supprt in Axis2

Looks good to me.

Deepal

Hi Devs,

I thought of giving some insight to the approach and the design, so that I can have your valuable feedback.

Following configuration should be added to the axis2.xml

    <CORSConfig enabled="true">
        <Access-Control-Allow-Headers>content-type,soapaction,x-requested-with</Access-Control-Allow-Headers>
        <Access-Control-Allow-Methods>GET,POST,PUT,DELETE,OPTIONS</Access-Control-Allow-Methods>
        <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
        <Access-Control-Expose-Headers>header1,header2</Access-Control-Expose-Headers>
        <Access-Control-Allow-Credentials enabled="false"/>
        <Access-Control-Max-Age>500</Access-Control-Max-Age>
    </CORSConfig>

Classes
------------------------

CorsConfig
Using those configuration CorsConfig is created and can be retrieved through AxisConfiguration.

CORSProcesser
This class is implemented according to the section 6 of the CORS spec.

Currently CORS Processor is engaged in the AxisHttpService handle request method.
As per Sagara's mail, I will work on adding this to servlet transport later

    if (corsConfig.isEnabled()) {
        // CORS is enabled by the configs
        corsProcessor.process(axisreq, axisres);
    }

Thanks,
Asanka

On Thu, Jul 16, 2015 at 10:30 PM, Asanka Dissanayake <[email protected]> wrote:

Hi Devs,

I thought of giving some insight to the approach and the design, so that I can have your valuable feedback.

Following configuration should be added to the axis2.xml

On Thu, Jul 16, 2015 at 1:44 AM, Deepal jayasinghe <[email protected]> wrote:

Done.

Deepal

Hi Devs,

Can someone assign me the issue https://issues.apache.org/jira/browse/AXIS2-5708. I cannot assign it to myself. Seems I don't have enough permissions.

Thanks,
Asanka

On Sun, Jul 12, 2015 at 8:57 PM, Asanka Dissanayake <[email protected]> wrote:

Hi Devs,

What is the best place to implement this. IMHO I think following place is suitable.

org.apache.axis2.transport.http.server.AxisHttpService.handleRequest(final AxisHttpConnection conn, final HttpContext context) throws IOException, HttpException

Thanks,
Asanka D

On Sat, Jul 11, 2015 at 3:18 PM, Asanka Dissanayake <[email protected]> wrote:

Yes, agreed. I will start implementation with axis2 http transport.

Thanks,
Asanka D

On Saturday, July 11, 2015, Hiranya Jayathilaka <[email protected]> wrote:

On Jul 10, 2015, at 6:50 PM, Asanka Dissanayake <[email protected]> wrote:

Hi Devs,

How about implementing this as an Axis2 module. That will allow user to have the feature if user prefers. And we can re-use it for synapse as well.

I read about this technology a little bit. My preference is for implementing it in the HTTP transport. This really is a HTTP-specific feature, and I don't see a reason why it should be implemented outside the transport. Unfortunately, however, this means we have to re-implement it for Synapse.
Thanks,
Hiranya

Thanks,
Asanka

On Fri, Jul 10, 2015 at 12:46 AM, Hiranya Jayathilaka <[email protected]> wrote:

This might be a useful feature addition to Synapse as well. When you're done with the Axis2 implementation, perhaps you can take a look at the Synapse pass-thru transport as well.

Thanks,
Hiranya

On Jul 9, 2015, at 5:27 AM, T. Allen <[email protected]> wrote:

+1 for adding CORS support.

On 7/8/2015 8:13 PM, Asanka Dissanayake wrote:

Hi Devs,

I recently happened to call an Axis2Service with AJAX post method. Then there was an "Access-Control-Allow-Origin Error". When I was digging through the path, I came to know about CORS (Cross Origin Resource Sharing) spec [1].

User agents commonly apply same-origin restrictions to network requests. These restrictions prevent a client-side Web application running from one origin from obtaining data retrieved from another origin, and also limit unsafe HTTP requests that can be automatically launched toward destinations that differ from the running application's origin.

To overcome this issue, I implemented an axis2 handler whose implementation is very specific to my use case. It handles the preflight request.

In Axis2, have we implemented CORS Spec? If not what about providing CORS support with Axis2? Since I already have the implementation, I can make it more generic and add to Axis2.

[1] http://www.w3.org/TR/cors/

Thanks,
Asanka

--
Hiranya Jayathilaka
Mayhem Lab/RACE Lab;
Dept. of Computer Science, UCSB; http://cs.ucsb.edu
E-mail: [email protected]; Mobile: +1 (805) 895-7443
Blog: http://techfeast-hiranya.blogspot.com
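
Added example, not part of the thread and not Axis2 code: a sketch of the header decision a CORS processor makes for the configuration discussed above, covering the credentials case raised for installations that mandate authentication. The CORS spec does not allow "*" as the allowed origin for a resource that supports credentials, so the request's Origin is matched against a list and echoed back. The class name, method names and sample origins are assumptions.

```java
import java.util.*;
// Added illustration; all names are hypothetical and not Axis2 API.
public class CorsHeaderSketch {
    private final Set<String> origins;    // exact origins, or "*" for any origin
    private final boolean credentials;    // Access-Control-Allow-Credentials enabled?
    private final List<String> methods;   // Access-Control-Allow-Methods

    public CorsHeaderSketch(Set<String> origins, boolean credentials, List<String> methods) {
        // CORS spec section 6.1: "*" cannot be used for a resource that supports credentials.
        if (credentials && origins.contains("*")) {
            throw new IllegalArgumentException("wildcard origin cannot be combined with credentials");
        }
        this.origins = origins;
        this.credentials = credentials;
        this.methods = methods;
    }

    /** Returns the CORS headers to add to the response; an empty map means add none. */
    public Map<String, String> process(String method, String origin, String requestedMethod) {
        Map<String, String> out = new LinkedHashMap<>();
        boolean wildcard = origins.contains("*");
        // No Origin header, or an origin that is not listed: leave the response untouched.
        if (origin == null || !(wildcard || origins.contains(origin))) {
            return out;
        }
        // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
        boolean preflight = "OPTIONS".equals(method) && requestedMethod != null;
        if (preflight && !methods.contains(requestedMethod)) {
            return out;
        }
        if (wildcard) {
            out.put("Access-Control-Allow-Origin", "*");
        } else {
            // Echo the matched origin and tell caches the response varies by Origin.
            out.put("Access-Control-Allow-Origin", origin);
            out.put("Vary", "Origin");
        }
        if (credentials) out.put("Access-Control-Allow-Credentials", "true");
        if (preflight) out.put("Access-Control-Allow-Methods", String.join(",", methods));
        return out;
    }
    public static void main(String[] args) {
        // Constructed sample configuration and requests.
        CorsHeaderSketch cors = new CorsHeaderSketch(
                Set.of("https://portal.bank.example"), true, List.of("GET", "POST"));
        System.out.println(cors.process("POST", "https://portal.bank.example", null));
        System.out.println(cors.process("POST", "https://other.example", null));
        System.out.println(cors.process("OPTIONS", "https://portal.bank.example", "DELETE"));
    }
}
```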
