Try OpenEdge Now
skip to main content
REST Administration : REST Management Agent and REST Web Application Security Configurations : Working with security configurations : Extending CORS support : Customizing CORS support
Customizing CORS support
To customize CORS support:
1. Identify and open the security configuration you applied to your REST Web application.
Your REST Web application's security configuration is based on your performing the instructions in Choosing and applying a security configuration.
2. In the security configuration file, appSecurity-XXX.xml, uncomment only the required properties in the OECORSFilter bean code snippet to enable CORS support.
Typically, you uncomment the allowAll property and set it to false to ensure that all HTTP clients make CORS requests by sending an Origin header.
Uncomment the allowDomains property to limit CORS access to only certain HTTP clients. And, uncomment and use messageHeaders and responseHeaders properties if the HTTP clients require sending/receiving headers not contained in the defaults.
You typically uncomment only the allowAll and allowDomains properties to customize CORS support.
Progress Software recommends that you uncomment only the properties you need to set; otherwise, let the default settings be applied to the properties.
If you uncomment all the CORS properties, the OECORSFilter bean code snippet looks similar to the following:
<b:bean id="OECORSFilter"
class="" >
         <b:property name="allowAll" value="false" />
<b:property name="allowDomains" value="*" />
<b:property name="allowSubdomains" value="false" />
<b:property name="allowMethods" value="GET,PUT,POST,DELETE" />
         <b:property name="messageHeaders" value="Accept,
             Accept-Language, Content-Language, Content-Type,
             X-CLIENT-CONTEXT-ID, Origin, Pragma, Cache-Control
             Access-Control-Request-Method" />
<b:property name="responseHeaders" value="Cache-Control,
             Content-Language, Content-Type, Expires,
             X-CLIENT-CONTEXT-ID" />
<b:property name="supportCredentials" value="true" />
<b:property name="maxAge" value="-1" />
3. After uncommenting the required properties from the OECORSFilter bean code snippet, for each of the properties, such as allowAll and allowDomains, you must update the value attribute. For information about the OECORSFilter properties, see OECORSFilter properties.
4. Save the security configuration file, appSecurity-XXX.xml.
Note: You must restart the Web server for the above security configuration updates to take effect.