  • CORS configuration for JRS 7.5.1 and earlier versions


    kkumlien
    • Features: JasperReports Server Version: v7.5, v7.5.1, v7.5.0 Product: JasperReports® Server

    Please see this recorded Dr Jaspersoft webinar for a live demo (although mostly focused on 7.8.0 and later versions):

    In this article we present a sample configuration for Cross-Origin Resource Sharing in JasperReports Server version 7.5.1 and earlier versions. In 7.5.1 and earlier versions, this configuration is different and separate from the domainWhitelist mechanism, which is still required for the Visualize.js API.

    For 7.8.0 and later versions, please follow the instructions in CORS for Visualize.js, as in those versions the configuration of the two is merged together in the domainWhitelist mechanism.

    Assuming there is no CORS-specific configuration in your Tomcat (or other app server) web.xml file, below you can find a sample config for JRS' specific apache-tomcat/webapps/jasperserver-pro/WEB-INF/web.xml.

    Please note

    • the location / sorting of the beans is important, follow the example below to avoid issues
    • the values in this sample configuration are copied from the applicationContext-security-pro-web.xml file of a vanilla 7.8.0 configuration, yours may vary depending on your specific requirements
    • the sample below is based on a vanilla 7.5.1 configuration, yours may be different if it's a different version or you have previously modified the file
    • it is not recommended to set cors.allowed.origins to * (any origin), especially in a production environment, rather set it to empty / blank if no access is required from any external origins – this is the same as not having a CORS filter at all defined in your configuration, which prompts browsers to stick to the default restrictive behaviour
    • if cors.support.credentials is set to true (as recommended) you will not be able to set cors.allowed.origins to * (the application will not start)

    Instructions

    Comment out the existing filter (around line 209) and add one based on the standard Catalina class. Review the Tomcat syntax documentation for details.

    Replace the cors.allowed.origins values below with the actual origin(s) as required in your application architecture.

      <!--filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>com.jaspersoft.jasperserver.api.security.csrf.CorsFilter</filter-class>
      </filter-->
      <filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
        <init-param>
          <param-name>cors.allowed.origins</param-name>
          <param-value>https://www.example.com, https://www.example.net</param-value>
        </init-param>
        <init-param>
          <param-name>cors.allowed.methods</param-name>
          <param-value>GET,POST,HEAD,PUT,OPTIONS,DELETE,PATCH</param-value>
        </init-param>
        <init-param>
          <param-name>cors.allowed.headers</param-name>
          <param-value>Cache-Control,X-Suppress-Basic,Origin,Accept,X-Requested-With,Content-Type,Pragma,accept-timezone,withCredentials,X-Remote-Domain,X-Is-Visualize,x-jrs-base-url,Content-Disposition,Content-Description</param-value>
        </init-param>
        <init-param>
          <param-name>cors.exposed.headers</param-name>
          <param-value></param-value>
        </init-param>
        <init-param>
          <param-name>cors.support.credentials</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>cors.preflight.maxage</param-name>
          <param-value>300</param-value>
        </init-param>
      </filter>

    Then (around line 358) add a filter-mapping for CorsFilter, after CrossDomainFilter and before the other existing CorsFilter mappings specific to fonts.

      <filter-mapping>
        <filter-name>CrossDomainFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>*.woff</url-pattern>
      </filter-mapping>

    As usual, please restart the app server after making these changes. E.g. for macOS:

    /Applications/jasperreports-server-7.5.1/ctlscript.sh restart tomcat

    If the application doesn't start correctly, there are probably syntax errors or typos in the modified file(s).
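
    A check you can run on the edited web.xml before restarting, as an added example (not part of the original article or of JasperReports Server): it parses the file and reports the problems the notes above warn about, namely a leftover or wrong CorsFilter class, a * origin, and a misplaced CorsFilter /* mapping. It goes slightly beyond the article by also flagging origins that are not a bare scheme://host[:port], since that is all a browser sends in the Origin header. The names check_cors, sample and GOOD and the finding strings are this example's own, and sample builds a constructed, cut-down web.xml.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

CATALINA = "org.apache.catalina.filters.CorsFilter"
GOOD = [("CrossDomainFilter", "/*"), ("CorsFilter", "/*"), ("CorsFilter", "*.woff")]

def _kids(elem, name):
    # Match on local name so a namespaced <web-app> root works too.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]
def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""

def check_cors(web_xml):
    """Return findings for the CorsFilter notes above; raises ParseError on bad XML."""
    root, out = ET.fromstring(web_xml), []
    cors = [f for f in _kids(root, "filter") if _text(f, "filter-name") == "CorsFilter"]
    if len(cors) != 1 or _text(cors[0], "filter-class") != CATALINA:
        return ["expected exactly one active CorsFilter of class " + CATALINA]
    p = {_text(i, "param-name"): _text(i, "param-value") for i in _kids(cors[0], "init-param")}
    origins = [o.strip() for o in p.get("cors.allowed.origins", "").split(",") if o.strip()]
    creds = p.get("cors.support.credentials", "").lower() == "true"
    for o in origins:
        u = urlsplit(o)
        if o == "*":
            out.append("origin * with credentials: app will not start" if creds
                       else "origin * allows any site")
        elif u.scheme not in ("http", "https") or not u.netloc or u.path or u.query:
            out.append("not a bare scheme://host[:port] origin: " + o)
    # Order check: CrossDomainFilter /* < CorsFilter /* < CorsFilter font mappings.
    maps = [(_text(m, "filter-name"), _text(m, "url-pattern"))
            for m in _kids(root, "filter-mapping")]
    pos = lambda item: maps.index(item) if item in maps else -1
    cross, allp = pos(("CrossDomainFilter", "/*")), pos(("CorsFilter", "/*"))
    fonts = [i for i, (n, pat) in enumerate(maps) if n == "CorsFilter" and pat != "/*"]
    if allp < 0:
        out.append("no CorsFilter mapping for /*")
    elif allp < cross or (fonts and allp > fonts[0]):
        out.append("CorsFilter /* mapping is out of order")
    return out

def sample(origins, mappings):
    # Constructed, cut-down web.xml for demonstration (not a real JRS file).
    el = lambda tag, *body: "<%s>%s</%s>" % (tag, "".join(body), tag)
    ip = lambda k, v: el("init-param", el("param-name", k), el("param-value", v))
    flt = el("filter", el("filter-name", "CorsFilter"), el("filter-class", CATALINA),
             ip("cors.allowed.origins", origins), ip("cors.support.credentials", "true"))
    maps = [el("filter-mapping", el("filter-name", n), el("url-pattern", u)) for n, u in mappings]
    return el("web-app", flt, *maps)
```

    To check a real file, pass its contents to check_cors, e.g. check_cors(open(path).read()); an empty list means none of these problems were found.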

    Test CORS requests via JavaScript

    A simple way to test your CORS configuration is to use JSFiddle, see for example:

    https://jsfiddle.net/kkumlien/4Lx15mqe/2/

    Before you allow the JSFiddle domain origin in the configuration, the request should fail and you should see something like this in the browser developer tools:

    [Screenshot: failed CORS request shown in the browser developer tools]

    After setting cors.allowed.origins to http://fiddle.jshell.net, https://fiddle.jshell.net, you should see something like:

    [Screenshot: successful CORS request shown in the browser developer tools]

    Please do not use the JSFiddle origins above in a production / public instance of JRS, but only in a development / test environment.

    Test CORS requests via cURL

    Please see the attached file CORS-cURL.txt for some sample tests you can do directly via the `curl` command.

    cors-curl.txt

