Configuring CORS

This tutorial describes how to configure cross-origin resource sharing (CORS) for the CAS access manager.

Same-origin policy

The same-origin policy (SOP) is a central concept in the web application security model. Under the policy, a browser lets scripts running in one web page read data from a second web page only if both pages share the same origin, where an origin is the combination of URI scheme, host name and port number. The policy prevents a malicious script on one page from obtaining access to sensitive data on another page.

Cross-origin resource sharing

Cross-origin resource sharing (CORS) is a mechanism by which a server declares, through response headers, which other origins may read its resources from a web page. CORS thus lets us relax the same-origin policy (SOP) selectively, per origin, HTTP method and header, instead of switching it off.

CORS example configuration

  1. First we need to change the CAS properties. Create the following file, called 003_cors.properties, in the /data/volumes/cas/cas.properties.d/ directory. Keep the origin pattern list as narrow as possible: with allow-credentials=true, every origin that matches a pattern may send the user's CAS cookies with its requests and read the responses, so a pattern should never admit an origin you do not control. Plain http:// origins such as the third pattern below are suitable for development clients only, because anything that can serve that origin over an unencrypted connection gains the same access.

    cas.http-web-request.cors.enabled=true
    cas.http-web-request.cors.allow-methods[0]=GET
    cas.http-web-request.cors.allow-methods[1]=PUT
    cas.http-web-request.cors.allow-methods[2]=POST
    cas.http-web-request.cors.allow-headers[0]=*
    cas.http-web-request.cors.allow-credentials=true
    cas.http-web-request.cors.allow-origin-patterns[0]=https://*.demo.com
    cas.http-web-request.cors.allow-origin-patterns[1]=https://example.cz
    cas.http-web-request.cors.allow-origin-patterns[2]=http://*.example.com:8080
  2. Then restart the CAS service:

    systemctl restart iam-cas

Table 1. Parameter definitions.

Parameter: cas.http-web-request.cors.enabled
Value: true/false
Whether CORS should be enabled for HTTP requests. Default is false.

Parameter: cas.http-web-request.cors.allow-methods[0]
Value: GET, POST, HEAD, PUT, DELETE, CONNECT, OPTIONS, TRACE or *
The Access-Control-Allow-Methods header specifies the method or methods allowed when accessing the resource. It is sent in response to a preflight request (an HTTP OPTIONS request to the resource URI). Default is everything (*). The parameter is an array.

Parameter: cas.http-web-request.cors.allow-headers[0]
Value: name of an HTTP header or *
The Access-Control-Allow-Headers header is sent in response to a preflight request to indicate which HTTP headers may be used in the actual request. Default is everything (*). The parameter is an array.

Parameter: cas.http-web-request.cors.allow-credentials
Value: true/false
The Access-Control-Allow-Credentials header tells the browser whether the response may be exposed to the page when the request was made with credentials (cookies, an Authorization header or a TLS client certificate). In a response to a preflight request it indicates whether the actual request may be made with credentials. Simple GET requests are not preflighted, so if such a request is made with credentials and this header is missing from the response, the browser discards the response and does not hand it to the page. Default is true.

Parameter: cas.http-web-request.cors.allow-origin-patterns[0]
Value: pattern
Origin patterns to allow. Unlike allowed origins, where the only wildcard is a bare * (which cannot be combined with allow-credentials), origin patterns are more flexible (for example https://*.example.com) and can be used when credentials are allowed; the response then echoes the matched request origin in Access-Control-Allow-Origin instead of *. When neither allowed origin patterns nor allowed origins are set, CORS support is disabled. The parameter is an array.

Array elements are numbered starting at 0.

How to test CORS settings

You can use the curl tool to test your configuration. Note that curl does not enforce CORS; it only shows the headers CAS returns for a given Origin. A browser enforces the policy on its side from those headers, so a 200 response carrying Access-Control-Allow-Origin equal to the requesting origin is what an allowed cross-origin call looks like, while a request from an origin that matches no pattern is rejected by the CAS CORS filter with HTTP 403 and the body Invalid CORS request.

  1. Invoke the cross-origin request. Adjust the values to your deployment (the -k switch skips TLS certificate verification and is acceptable only for a test against an appliance with a self-signed certificate).

    curl -sik -XPOST -H 'Origin: http://testjs.example.com:8080' "https://iam-appliance.tld/cas/login" | head -n 25

    • A case where CORS blocked the response

      HTTP/1.1 403
      Server: nginx/1.20.2
      Date: Fri, 08 Sep 2023 11:52:44 GMT
      Transfer-Encoding: chunked
      Connection: keep-alive
      Keep-Alive: timeout=75
      requestId: 2a5f2de3-349f-47e5-b463-c9e8e7cb1995
      Vary: Origin
      Vary: Access-Control-Request-Method
      Vary: Access-Control-Request-Headers
      
      Invalid CORS request
    • A case where CORS allowed the response

      HTTP/1.1 200
      Server: nginx/1.20.2
      Date: Fri, 08 Sep 2023 11:52:49 GMT
      Content-Type: text/html;charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Keep-Alive: timeout=75
      Vary: Accept-Encoding
      requestId: 08ea67b4-0bbe-4c13-a8bb-3d96c4df78b7
      Vary: Origin
      Vary: Access-Control-Request-Method
      Vary: Access-Control-Request-Headers
      Access-Control-Allow-Origin: http://testjs.example.com:8080
      Access-Control-Allow-Credentials: true
      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      Pragma: no-cache
      Expires: 0
      Strict-Transport-Security: max-age=15768000 ; includeSubDomains
      X-Content-Type-Options: nosniff
      X-Frame-Options: DENY
      X-XSS-Protection: 1; mode=block
      Set-Cookie: org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=en; Path=/; Secure; HttpOnly
      Set-Cookie: TGC=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/cas; Secure; HttpOnly
      Content-Language: en
      Strict-Transport-Security: max-age=31536000; includeSubdomains