Re: How to enable CORS on Fuseki2

Sat, 22 Aug 2015 02:38:08 -0700 

Colin - caveats noted!
I'm in a similar position to you - I've only had to make CORS work, not architect for all cases, which is why I'm throwing this out on users@ in the hope of building a proper picture. 

        Andy

On 21/08/15 22:04, Colin Maudry wrote:

Hi Andy,

I'm not knowledgeable enough with CORS to advise whether the
configuration I shared should be shipped with all Fuseki2 downloads,
applying to all URLs. There might be security caveats.

If I cared about security, I would align the URL patterns allowed for
CORS with those I configured in shiro.ini, those that are public: what
is public in shiro.ini should be allowed for CORS, to enable fellow
developers to use my endpoint for their Web apps.

In any case, I think adding a section in Fuseki2 documentation showing
how to get CORS working (bases on the configuration I suggested) would
be a good step forward, and may bring more people in the discussion.

There would be a warning making clear that the default configuration may
not be fit for production.

I hope I gave a beginning of answer to your question :)

Colin
@CMaudry



On 21/08/2015 21:14, Andy Seaborne wrote:

To push this forward, here's a JIRA proposing to add the setup Colin
gives:

https://issues.apache.org/jira/browse/JENA-1014

Question: should this be in Fuseki when running as a war file in
Tomcat etc?  I think the answer is "yes".

Next question: Should this be added to all responses? HTML pages, /$/
admin operations and dataset services?  For the usual use cases, it
seems it should but is that always true?

If this is the way to go, to produce a jetty-independent version for
the war file, then taking a clone of jetty's CrossOriginFilter is
needed - fortunately, that file explicitly syas it is dual licensed,
Eclipse and Apache.

     Andy

On 19/07/15 18:39, Andy Seaborne wrote:

Hi Colin,

Thank you very much for writing this up.

      Andy

On 15/07/15 18:24, Colin Maudry wrote:

Hello people,

I did follow the instructions in the Jetty documentation, but that was
not very helpful, as it's very succint.

After experimenting, I realized that we have to be quite explicit in
our
configuration.

So I managed to have my Fuseki2 SPARQL endpoint accessible to a YASGUI
instance, doing this:

https://github.com/YASGUI/YASGUI/issues/65#issuecomment-121673221

For the lazy ones:

1. Open |webapp/WEB-INF/web.xml
2. Insert the following snipped before any other <filter>
|

          <!-- CORS filter-->

      <filter>
          <filter-name>cross-origin</filter-name>

<filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>

          <init-param>
              <param-name>allowedOrigins</param-name>
              <param-value>*</param-value>
          </init-param>
          <init-param>
              <param-name>allowedMethods</param-name>

<param-value>GET,POST,DELETE,PUT,HEAD,OPTIONS</param-value>
          </init-param>
          <init-param>
              <param-name>allowedHeaders</param-name>
              <param-value>Accept, Origin, X-Requested-With,
Content-Type, Last-Modified, Authorization</param-value>
          </init-param>
          <init-param>
              <param-name>exposedHeaders</param-name>

<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>


          </init-param>
      </filter>
      <filter-mapping>
          <filter-name>cross-origin</filter-name>
          <url-pattern>/*</url-pattern>
      </filter-mapping>

3. Configure to your taste, but it works as-is. The key, compared to
what the documentation says,
is that you should configure the servers to return certain headers
that indicate CORS is enabled.

Cheers,
Colin


On 02/06/15 17:52, Jeffrey Witt wrote:

Hi, I just updated to Fuseki2 from Fuseki1. With Fuseki1 I was enjoying
the enabled *CORS* support, especially important for javascript only,
single page apps.

But, as I¹ve gleaned from this post:DISTINCT
https://issues.apache.org/jira/browse/JENA-652 *CORS* is not enabled by
default for Fueski2. I wonder if it is now possible to enable *CORS*
for
Fueski2. If so could someone guide me through the enabling process.

(I have little to no experience with writing in Java, so I might need
detailed instructions).

Thanks in advance. jw

Hi there,

You'r right - *CORS* is not enabled in Fuseki2. It would eb re

if you are deploying Fuseki2 with the standalone server jar
(fuseki-server.jar), not the WAR file, you can follow the instructions
for Jetty [1] to enable it (no Java required, editing web.xml is
required).

The web.xml file is in webapp/WEB-INF/web.xml of what usually
FUSEKI_HOME

The war file can also be done - it needs unpacking, changing web.xml
and
repacking.

----------- There's machinery in Fuseki2 for this (and a request
routing
problem - now being fixed).

What would help me is someone with experience to advise what the
headers
should be for the various options and especially whether one choice of
settings is good for everyone or whether this needs configuration in
some way. Even if the latter, what is the best out-of-the-box settings?

If it is one universal set of settings, is better (safe) to do in
Fuseki2 or, for example when running in Tomcat, should Tomcat do it?

Andy

[1]
http://www.eclipse.org/jetty/documentation/current/cross-origin-filter.html



































					Reply via email to