12.7. CORS Support
Cross-site HTTP requests are HTTP requests for resources from a domain other than the domain of the resource making the request. CORS helps you keep your resources protected while allowing cross-origin access in a controlled manner.
PicketLink provides a simple way to configure CORS for your protected resources. CORS can be configured for each protected path (or path group) of your application, as follows:
SecurityConfigurationBuilder builder = event.getBuilder();

builder.http()
    .forPath("/corsAuthorization")
    .cors()
        .allowOrigins("http://www.example.org:9000", "http://www.example.com:8008")
        .allowMethods("GET", "PUT", "POST", "DELETE", "OPTIONS")
        .allowHeaders("Origin", "X-Requested-With", "Content-Type", "Accept", "Authorization")
        .exposedHeaders("Origin", "Accept")
        .allowCredentials(true)
        .maxAge(3600);
Different configuration options are supported. You can specify methods, headers, specific origins or domains, and so forth. There are also convenience methods if you want to allow any kind of cross-origin request to a protected resource:
SecurityConfigurationBuilder builder = event.getBuilder();

builder.http()
    .forPath("/cors/protected")
    .cors()
        .allowAll();
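The snippets above show only the builder calls. The following is an added example (not code from the PicketLink project or this manual) of the complete CDI observer in which those calls live, so that PicketLink picks the configuration up at startup. It configures two path groups with the methods shown on this page: a restrictive policy for a credentialed API and the allowAll() convenience for a read-only public path. The class and package names, the paths and the origin values are constructed for the example; the observer wiring assumes the event type org.picketlink.event.SecurityConfigurationEvent and the builder type org.picketlink.config.SecurityConfigurationBuilder.

```java
package org.example.security; // constructed package name for this example

import javax.enterprise.event.Observes;

import org.picketlink.config.SecurityConfigurationBuilder;
import org.picketlink.event.SecurityConfigurationEvent;

/**
 * CDI observer that builds PicketLink's HTTP security configuration,
 * including per-path CORS policies. PicketLink fires
 * SecurityConfigurationEvent once at startup; any CDI bean observing it
 * can contribute to the builder.
 */
public class CorsSecurityConfiguration {

    // Origins allowed to make credentialed cross-site calls to the API.
    // Keep this list explicit: when allowCredentials(true) is in effect a
    // browser only honours a concrete Access-Control-Allow-Origin value,
    // so a wildcard here would not work and would be far too permissive.
    // (Values are constructed for this example.)
    private static final String[] TRUSTED_ORIGINS = {
        "https://app.example.org",
        "https://admin.example.org:8443"
    };

    public void configure(@Observes SecurityConfigurationEvent event) {
        SecurityConfigurationBuilder builder = event.getBuilder();

        // Protected JSON API consumed by the single-page app at
        // TRUSTED_ORIGINS. Only what the client actually needs is allowed:
        // the HTTP verbs it uses, the request headers it sends (OPTIONS is
        // listed so preflight requests are answered), the response headers
        // it must be able to read, and a one-hour cache for preflight
        // results so browsers do not re-check on every call.
        builder.http()
            .forPath("/api/*")
            .cors()
                .allowOrigins(TRUSTED_ORIGINS)            // varargs accepts the array
                .allowMethods("GET", "PUT", "POST", "DELETE", "OPTIONS")
                .allowHeaders("Origin", "Content-Type", "Accept", "Authorization")
                .exposedHeaders("Location")
                .allowCredentials(true)
                .maxAge(3600);

        // Public, read-only content (no session, no secrets). Here the
        // convenience method is appropriate because nothing behind the
        // path depends on the caller's origin.
        builder.http()
            .forPath("/public/*")
            .cors()
                .allowAll();
    }
}
```

The two policies are deliberately different: allowAll() is reserved for the path that serves no user-specific data, while the API keeps an explicit origin list because it is called with credentials. Adding a new front-end origin is then a one-line change to TRUSTED_ORIGINS rather than a loosening of the whole policy.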