Adobe Experience Manager Sites & More

TB3dock · 5/5/21

We have a serlvet which serves json to the front end which uses a fixed path, eg. /bin/myapi/somecall.

This works if you are calling it from the same host and port, but fails from anything else. E.g. devs hitting a local author from react from 3000 instead of 4502

The "understanding cors" page hints that you can configure this with XML which starts with <jcr:root xmlns:sling=...

The question is, where in our source code should these XML files live, and what should they be called?

There is a section in the http://localhost:4502/system/console/configMgr for "com.adobe.granite.cors.impl.CORSPolicyImpl.d5e5ad16-601e-4215-8bad-15f4980b7722" but this is not editable for some devs (i.e. save doesn't save).

Can Cors be configured with json osgi configs? If so, how does one know what number to put on the end for new ones? Is there an example of this anywhere?

markus_bulla_adobe · 5/5/21

Hi @TB3dock!

The required CORS configurations should be done as OSGI configurations on the "Adobe Granite Cross Origin Resource Sharing Policy" as pointed out in the documentation that you already mentioned. OSGI configurations are a common pattern in the AEM tech stack and you will find some additional explanations in some of your older threads on OSGI config topics. You should place an according OSGI config file (either XML or JSON format) in your code base, specifically into the ui.config module (if your project follows the AEM Maven archetype structure).

Please also refer to the following tutorial covering exactly your use case (as far as I understand your query):

https://experienceleague.adobe.com/docs/experience-manager-learn/foundation/security/develop-for-cro...

Regarding your specific questions:

Where in our source code should these XML files live? ==> ui.config/src/main/content/jcr_root/apps/mysite/config/ - will be mapped to /apps/mysite/config/ inside the repository)
What should they be called? ==> com.adobe.granite.cors.impl.CORSPolicyImpl-myproject.cfg.json - reflecting the CORS policy services PID aka fully qulified class name. It needs to be appended with a custom identifier (in my example: "-myproject") because it is a factory configuration and it is possible to deploy multiple instances for this specific service. Instead of the JSON format you could also use the XML format references in the above mentioned documentation.
Can CORS be configured with json osgi configs? ==> As stated above: yes, you can use either the XML or the JSON format for OSGI configurations.
How does one know what number to put on the end for new ones? ==> As mentioned above: this is a unique identifier for this configuration. You can choose whatever you want, e. g. a string that reflects the configs purpose or your project (in my example: "-myproject"). The suffix is not limited to numbers.

Hope that helps!

View solution in original post

Asutosh_Jena_ · 5/5/21

Hi @TB3dock

Here the exmaples are provided with XML. But if you want to use in AEM as Cloud, you can use the same as JSON and it can be stored under the osgi config folder where you kept all other OSGi configurations.

You need to add the your localhost:3000 to your allowedorigin property and it will allow you to make calls.

Thanks

TB3dock · 5/5/21

what should the osgi file be called? the UI based ones seem to have a random number at the end.

Asutosh_Jena_ · 5/5/21

Hi @TB3dock

You can use something like below. Wherever we see some random number that is considered as a factory config.

com.adobe.granite.cors.impl.CORSPolicyImpl~yourproject.cfg.json

and the content can be:

{
  "supportscredentials":true,
  "exposedheaders":[
    ""
  ],
  "supportedmethods":[
    "GET",
    "HEAD",
    "POST"
  ],
  "alloworigin":[
    ""
  ],
  "maxage:Integer":1800,
  "alloworiginregexp":[
    "http://localhost:.*"
  ],
  "allowedpaths":[
    ".*"
  ],
  "supportedheaders":[
    "Origin",
    "Accept",
    "X-Requested-With",
    "Content-Type",
    "Access-Control-Request-Method",
    "Access-Control-Request-Headers",
    "authorization"
  ]
}

Ritesh_Mittal · 5/5/21

@TB3dock ,

Just to confirm if you are really getting CORS error or Authentication error, since localhost:4502 is generally considered as author instance which requires authentication, so if you want to call any servlet which requires authentication then you need to set authorization header while calling the servlet/API.

Other then this question, resource type based servlets are more preferable than path based ones because of security, dispatcher allow config, etc

markus_bulla_adobe · 5/5/21

Hi @TB3dock!

The required CORS configurations should be done as OSGI configurations on the "Adobe Granite Cross Origin Resource Sharing Policy" as pointed out in the documentation that you already mentioned. OSGI configurations are a common pattern in the AEM tech stack and you will find some additional explanations in some of your older threads on OSGI config topics. You should place an according OSGI config file (either XML or JSON format) in your code base, specifically into the ui.config module (if your project follows the AEM Maven archetype structure).

Please also refer to the following tutorial covering exactly your use case (as far as I understand your query):

https://experienceleague.adobe.com/docs/experience-manager-learn/foundation/security/develop-for-cro...

Regarding your specific questions:

Where in our source code should these XML files live? ==> ui.config/src/main/content/jcr_root/apps/mysite/config/ - will be mapped to /apps/mysite/config/ inside the repository)
What should they be called? ==> com.adobe.granite.cors.impl.CORSPolicyImpl-myproject.cfg.json - reflecting the CORS policy services PID aka fully qulified class name. It needs to be appended with a custom identifier (in my example: "-myproject") because it is a factory configuration and it is possible to deploy multiple instances for this specific service. Instead of the JSON format you could also use the XML format references in the above mentioned documentation.
Can CORS be configured with json osgi configs? ==> As stated above: yes, you can use either the XML or the JSON format for OSGI configurations.
How does one know what number to put on the end for new ones? ==> As mentioned above: this is a unique identifier for this configuration. You can choose whatever you want, e. g. a string that reflects the configs purpose or your project (in my example: "-myproject"). The suffix is not limited to numbers.

Hope that helps!

TB3dock · 5/6/21

Thanks for the reply. I tried creating the following file: /myapp-web.ui.config/src/main/content/jcr_root/apps/eyas-web/osgiconfig/config.author.dev/com.adobe.granite.cors.impl.CORSPolicyImpl-myapp.cfg.json with the following content:

{
  "alloworigin":["*"],
  "alloworiginregexp":[],
  "allowedpaths":[".*"],
  "exposedheaders":[""],
  "maxage":1800,
  "supportedheaders":["*"],
  "supportedmethods":["GET","POST"],
  "supportedcredentials":"true"
}

When I build with the usual mvn clean install -PautoInstallSinglePackage, this config seems to be ignored: when I look in http://localhost:4502/system/console/configMgr its not there.

Any ideas? Are we sure it should be a minus sign between the PID and my app name?

I tried with a . instead of -, and I also tried putting the file in the global /config. Neither helped unfortunately.