Restricting allowed origins for CORS - SSO
By default support for CORS is enabled for the following features:
CORS with credentials
RefreshServlet-uas/refresh
CORS with authentication
TokenServlet-/uas/oauth2/tokenUserInfoServlet-/uas/oauth2/userinfoIntrospectionServlet-/uas/oauth2/introspectionTokenRevocationServlet-/uas/oauth2/revocation
By default it's configured so that it's allowed to be called from any origin. If you want to change this behavior so that it's either possible to call only from certain known origins, or not possible at all, follow the steps below.
Find the
web.xmlfile in the following path:On Linux
/usr/local/ubisecure/ubilogin/webapps/uas/WEB-INF/web.xml.On Windows
%PROGRAMFILES%\Ubisecure\ubilogin-sso\ubilogin\webapps\uas\WEB-INF\web.xml.
Use a text-editor that supports UTF-8, such as notepad++ or vim. In Windows, notepad is not recommended as it will add the byte order mark (BOM), that may cause problems.
Define the origins that are to be allowed in the
param-valuesection of theparam-name:cors.allowed.origins.A valid origin consist of scheme, host and port, as described in RFC-6454.
The list is comma-separated.
Empty value or null means that it's not possible to call with CORS from any origin
Example of modified CorsFilter configuration in web.xml
<filter>
<filter-name>CorsFilter#enabled-with-credentials</filter-name>
<filter-class>com.ubisecure.util.filter.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>https://www.example.com, https://mail.example.com:8080</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
</filter>
After updating web.xml, run the update command as follows:
On Linux:
/usr/local/ubisecure/ubilogin-sso/ubilogin/config/tomcat/update.shOn Windows:
%PROGRAMFILES%\Ubisecure\ubilogin-sso\ubilogin\config\tomcat\update.cmd