@nailton
Created January 3, 2023 19:47
<!--filter>
<filter-name>CorsFilter</filter-name>
<filter-class>com.jaspersoft.jasperserver.api.security.csrf.CorsFilter</filter-class>
</filter-->
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>https://www.example.com, https://www.example.net</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,HEAD,PUT,OPTIONS,DELETE,PATCH</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Cache-Control,X-Suppress-Basic,Origin,Accept,X-Requested-With,Content-Type,Pragma,accept-timezone,withCredentials,X-Remote-Domain,X-Is-Visualize,x-jrs-base-url,Content-Disposition,Content-Description</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value></param-value>
</init-param>
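<!-- Credentialed CORS: browsers only accept responses that name an explicit origin, never "*" -->
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>300</param-value>
</init-param>
</filter>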
<filter-mapping>
<filter-name>CrossDomainFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>*.woff</url-pattern>
</filter-mapping>
----
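# Using http for both JRS and Origin
# The Origin header sent below must be listed in cors.allowed.origins, otherwise the filter refuses the request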
curl -i -X OPTIONS http://localhost:8080/jasperserver-pro/index.htm \
-H 'Access-Control-Request-Method: GET' \
-H 'Access-Control-Request-Headers: Content-Type, Accept' \
-H 'Origin: http://fiddle.jshell.net'
curl -i -X GET http://localhost:8080/jasperserver-pro/index.htm \
-H 'Origin: http://fiddle.jshell.net' \
--head
# CORS might *not* work on the j_spring_security_check endpoint if a (hot)fix for defect JS-61626 has not been applied
curl -i -X POST http://localhost:8080/jasperserver-pro/j_spring_security_check \
-H 'Origin: http://fiddle.jshell.net' \
--head
# Using httpS for both JRS and Origin
curl -i -X OPTIONS https://localhost/jasperserver-pro/index.htm \
-H 'Access-Control-Request-Method: GET' \
-H 'Access-Control-Request-Headers: Content-Type, Accept' \
-H 'Origin: https://fiddle.jshell.net'
curl -i -X GET https://localhost/jasperserver-pro/index.htm \
-H 'Origin: https://fiddle.jshell.net' \
| head -n 22
# CORS might *not* work on the j_spring_security_check endpoint if a (hot)fix for defect JS-61626 has not been applied
curl -i -X POST https://localhost/jasperserver-pro/j_spring_security_check \
-H 'Origin: https://fiddle.jshell.net' \
--head
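
The curl commands above only print the response headers. The following added example (not part of the original gist) checks such headers against a list written like cors.allowed.origins in the web.xml above. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): audit the headers printed by `curl -si`.

# hdr NAME: value of the first header NAME in $cors_resp (case-insensitive).
hdr() {
    printf '%s\n' "$cors_resp" | awk -F': *' -v h="$1" \
        'tolower($1) == tolower(h) { sub(/^[^:]*: */, ""); print; exit }'
}

# origin_allowed ORIGIN LIST: exact match against a comma-separated list
# written like cors.allowed.origins (spaces after commas tolerated).
origin_allowed() {
    printf '%s\n' "$2" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq -- "$1"
}

# audit_cors ORIGIN LIST: reads response headers on stdin, prints a verdict,
# returns 0 when the response matches the allow-list policy, 1 otherwise.
audit_cors() {
    cors_resp=$(tr -d '\r')                     # HTTP lines end in CRLF
    acao=$(hdr Access-Control-Allow-Origin)
    acac=$(hdr Access-Control-Allow-Credentials)
    if [ -z "$acao" ]; then
        if origin_allowed "$1" "$2"; then
            echo "FAIL: allowed origin got no Access-Control-Allow-Origin"; return 1
        fi
        echo "OK: origin not on the list was refused"; return 0
    fi
    if [ "$acao" = "*" ]; then
        echo "FAIL: wildcard origin returned (credentials: ${acac:-absent})"; return 1
    fi
    if [ "$acao" != "$1" ]; then
        echo "FAIL: response names a different origin: $acao"; return 1
    fi
    if ! origin_allowed "$1" "$2"; then
        echo "FAIL: origin not on the list was echoed back (credentials: ${acac:-absent})"; return 1
    fi
    echo "OK: allowed origin echoed (credentials: ${acac:-absent})"; return 0
}

# Constructed sample responses (not captured from a real server).
ALLOWED='https://www.example.com, https://www.example.net'
printf 'HTTP/1.1 200 \r\nAccess-Control-Allow-Origin: https://www.example.com\r\nAccess-Control-Allow-Credentials: true\r\n\r\n' |
    audit_cors 'https://www.example.com' "$ALLOWED"
printf 'HTTP/1.1 403 \r\n\r\n' | audit_cors 'http://fiddle.jshell.net' "$ALLOWED"
```

Against a live server, pipe one of the curl calls above (with `-s` added) into `audit_cors`, passing the same Origin value and the configured list.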