Enabling interim fix JR55289

JR55289 adds support for configuring cross-origin resource sharing (CORS) headers and the X-Frame-Options header by using a servlet filter.

Before you begin

Install the interim fix for JR55289.

About this task

The HttpSecurityFilter servlet filter is added so that you can configure the CORS-related headers that are included in the HTTP response. In addition, the filter supports clickjacking protection by adding the X-Frame-Options header to the HTTP response. You can configure the filter by extending the component configuration file (wc-component.xml).

The CORS configuration supports the whitelisting of multiple domains. However, the configuration of the CORS-related headers applies to all whitelisted domains. The HttpSecurityFilter supports the CORS response headers defined in the CORS specification:
  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers
For more information about cross-origin resource sharing (CORS), see Cross-Origin Resource Sharing or the HTML5 tutorial Using CORS.

For more information about the X-Frame-Options header, see the Mozilla Developer Network (MDN) documentation.

Procedure

  1. Open WebSphere Commerce Developer and switch to the Enterprise Explorer view.
  2. To enable the HttpSecurityFilter, add the servlet filter configuration and mapping to the web.xml file of the module whose resources you want the filter to protect.
    For example, to add the servlet filter to the WebSphere Commerce REST servlet:
    1. Open the REST.war/WEB-INF/web.xml file.
    2. Add the following code snippet to the file:
      <filter>
          <filter-name>HttpSecurityFilter</filter-name>
          <filter-class>com.ibm.commerce.foundation.server.services.servlet.filter.HttpSecurityFilter</filter-class>
      </filter>
      <filter-mapping>
          <filter-name>HttpSecurityFilter</filter-name>
          <servlet-name>JAX-RS Servlet</servlet-name>
      </filter-mapping>
  3. Create a custom foundation component configuration file (wc-component.xml), if one does not exist.
    For more information about how to create a custom configuration file, see Changing properties in the component configuration file.
    Note:
    • The default component configuration file for the foundation component is WCDE_installdir/workspace/WC/xml/config/com.ibm.commerce.foundation/wc-component.xml
    • The custom component configuration file for the foundation component should be WCDE_installdir/workspace/WC/xml/config/com.ibm.commerce.foundation-ext/wc-component.xml

      To change the value of an existing property in a WebSphere Commerce component configuration file, you must create a customized version of the file in this location. The customized version of the file must contain only the changed properties. If this folder exists and contains a customized version of the wc-component.xml file, then open the file and skip to step 4.

  4. Configure CORS response headers by adding the corresponding properties to your extended wc-component.xml file.
    The following properties are available for you to define:
    (Required) CORSAccessControlAllowOrigin
    List of allowed host domains. Use comma-separated values (protocol://host_name:[port]), where the port number is optional. The CORSAccessControlAllowOrigin property can accept a single value of wildcard (*) to permit access for any origin.
    Note: Do not use wildcards (*) in production environments.
    CORSAccessControlAllowMethods
    The HTTP methods allowed for access (comma-separated values). Returned in the response to a preflight request.
    CORSAccessControlAllowCredentials
    Whether the browser is allowed to send credentials to the server (true | false). Default is false.
    CORSAccessControlAllowHeaders
    The request headers that the browser is allowed to send in the actual request (comma-separated values). Returned in the response to a preflight request.
    CORSAccessControlExposeHeaders
    The response headers that a browser is allowed to read (comma-separated values).
    CORSAccessControlMaxAge
    The time (in seconds) that the browser can cache the results of a preflight request in its preflight results cache.
    The configuration is applied on a per web module basis. The target web module is determined by appending the display name of the web module (the display-name element in its web.xml file) to the configgrouping name prefix HttpSecuritySettings_. For example, by naming one configgrouping "HttpSecuritySettings_Rest" and another configgrouping "HttpSecuritySettings_Store", different values can be configured for the REST servlet and the Store servlet, respectively.
    You can use the following code snippet as an example:
    <_config:configgrouping name="HttpSecuritySettings_Rest">
    	<_config:property name="CORSAccessControlAllowOrigin" value="http://www.mydomain.com,https://www.mydomain.com,https://www.mydomain.com:9551"/>
    	<_config:property name="CORSAccessControlAllowMethods" value="GET, HEAD, POST, OPTIONS, PUT, DELETE"/>
    	<_config:property name="CORSAccessControlAllowCredentials" value="true"/>
    	<_config:property name="CORSAccessControlAllowHeaders" value="Origin,X-Requested-With,Content-Type,Accept,Authorization,cache-control,expires,pragma,wclogonid,wctoken,wctrustedtoken,wcuserid"/>
    	<_config:property name="CORSAccessControlMaxAge" value="3600"/>
    </_config:configgrouping>
  5. Save and close the extended configuration file.
  6. Test your configuration changes.
  7. Deploy your changes to the production environment.

What to do next

If you want to configure clickjacking protection by using the X-Frame-Options header, add the corresponding property to your extended wc-component.xml file. The X-Frame-Options properties accept an explicit true or false value. A value of true adds the X-Frame-Options header with a value of DENY or SAMEORIGIN, depending on which property is set. The possible property names are:
  • EnableXFrameOptionsDeny
  • EnableXFrameOptionsSameOrigin
For example, to configure the X-Frame-Options response header for the REST servlet where the value is set to SAMEORIGIN, add the following code snippet to the file:
<_config:configgrouping name="HttpSecuritySettings_REST">
	<_config:property name="EnableXFrameOptionsSameOrigin" value="true"/>
</_config:configgrouping>
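Before testing and deploying (step 6 and step 7 of the procedure, and the X-Frame-Options settings above), it is useful to lint the extended wc-component.xml offline for the pitfalls this page calls out: a wildcard origin in production, a wildcard combined with CORSAccessControlAllowCredentials=true (a combination browsers reject), origins that are not in protocol://host_name[:port] form, a configgrouping name without the HttpSecuritySettings_ prefix, and both X-Frame-Options properties set to true. This is an added example, not IBM code: the sample fragment is constructed, and the _config namespace URI in it is a placeholder because matching is done on local element names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: two HttpSecuritySettings groupings wrapped in a root element so the
# fragment parses. The namespace URI is a placeholder; only the "_config" prefix binding matters.
SAMPLE = """<root xmlns:_config="urn:placeholder:wc-config">
<_config:configgrouping name="HttpSecuritySettings_Rest">
  <_config:property name="CORSAccessControlAllowOrigin" value="http://www.mydomain.com,https://www.mydomain.com:9551"/>
  <_config:property name="CORSAccessControlAllowCredentials" value="true"/>
  <_config:property name="EnableXFrameOptionsSameOrigin" value="true"/>
</_config:configgrouping>
<_config:configgrouping name="HttpSecuritySettings_Store">
  <_config:property name="CORSAccessControlAllowOrigin" value="*"/>
  <_config:property name="CORSAccessControlAllowCredentials" value="true"/>
  <_config:property name="EnableXFrameOptionsDeny" value="true"/>
  <_config:property name="EnableXFrameOptionsSameOrigin" value="true"/>
</_config:configgrouping>
</root>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]   # strip the namespace URI, keep the element name

def _is_true(value):
    return value.strip().lower() == "true"

def lint_http_security(xml_text):
    """Return (grouping name, finding) pairs for risky or malformed HttpSecurityFilter settings."""
    findings = []
    for group in ET.fromstring(xml_text).iter():
        if _local(group.tag) != "configgrouping":
            continue
        name = group.get("name", "")
        props = {p.get("name"): p.get("value", "") for p in group if _local(p.tag) == "property"}
        if not name.startswith("HttpSecuritySettings_"):
            findings.append((name, "name must be HttpSecuritySettings_<web module display name>"))
        origins = props.get("CORSAccessControlAllowOrigin", "").strip()
        if any(k.startswith("CORS") for k in props) and not origins:
            findings.append((name, "CORSAccessControlAllowOrigin is required"))
        if origins == "*":
            findings.append((name, "wildcard origin: not for production"))
            if _is_true(props.get("CORSAccessControlAllowCredentials", "false")):
                findings.append((name, "wildcard origin with credentials: browsers reject this combination"))
        elif origins:
            for origin in (o.strip() for o in origins.split(",")):
                u = urlsplit(origin)   # a valid entry has scheme and host only, no path or query
                if u.scheme not in ("http", "https") or not u.netloc or u.path or u.query:
                    findings.append((name, f"origin {origin!r} is not protocol://host_name[:port]"))
        if _is_true(props.get("EnableXFrameOptionsDeny", "")) and _is_true(props.get("EnableXFrameOptionsSameOrigin", "")):
            findings.append((name, "both X-Frame-Options properties are true; choose DENY or SAMEORIGIN"))
    return findings
```

Run `lint_http_security(SAMPLE)` against the sample: the Rest grouping, which mirrors the values on this page, produces no findings, while the Store grouping is flagged three times.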