Restricting allowed origins for CORS - SSO

By default support for CORS is enabled for the following features:

• CORS with credentials

  • RefreshServlet - uas/refresh

• CORS with authentication

  • TokenServlet - /uas/oauth2/token

  • UserInfoServlet - /uas/oauth2/userinfo

  • IntrospectionServlet - /uas/oauth2/introspection

  • TokenRevocationServlet - /uas/oauth2/revocation

By default it's configured so that it's allowed to be called from any origin. If you want to change this behavior so that it's either possible to call only from certain known origins, or not possible at all, follow the steps below.

• Find the web.xml file in the following path:

  • On Linux /usr/local/ubisecure/ubilogin/webapps/uas/WEB-INF/web.xml.

  • On Windows %PROGRAMFILES%\Ubisecure\ubilogin-sso\ubilogin\webapps\uas\WEB-INF\web.xml.

• Use a text-editor that supports UTF-8, such as notepad++ or vim. In Windows, notepad is not recommended as it will add the byte order mark (BOM), that may cause problems.

• Define the origins that are to be allowed in the param-value section of the param-name: cors.allowed.origins.

  • A valid origin consist of scheme, host and port, as described in RFC-6454.

  • The list is comma-separated.

  • Empty value or null means that it's not possible to call with CORS from any origin

Example of modified CorsFilter configuration in web.xml

• After updating web.xml, run the update command as follows:

  • On Linux: /usr/local/ubisecure/ubilogin-sso/ubilogin/config/tomcat/update.sh

  • On Windows: %PROGRAMFILES%\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\update.cmd