WSO2 API Manager CORS

Question

I\'d like to enable CORS on my WSO2 API Manager instance for all endpoints. I\'ve been through the documentation (which is great) and it suggests altering the r

Answer 1

CORS configurations are valid for the APIs created using the Publisher applications. The token apis (- '/token', '/revoke') are not covered from this configurations.

CORS headers are handled using a handler

org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler

If you open a synapse configuration for an api in /repository/deployment/server/synapse-configs/default/api you would find this handler.

You can set this handler to the RevokeAPI.xml and TokenAPI.xml as well. (these are in the same location /repository/deployment/server/synapse-configs/default/api). It would be something like this in the configuration file

 <handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler">
     <property name="apiImplementationType" value="ENDPOINT"/>
    </handler>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerCacheExtensionHandler"/>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.common.SynapsePropertiesHandler"/>
</handlers>

Answer 2

The CORS configuration in the api-manager.xml will be only applied for the APIs created through the API Manager. It will not apply those configurations to Token APIs such as /token and /revoke.

The token API related configurations are located in {PRODUCT_HOME}/repository/deployment/server/synapse-configs/default/api directory.

You can edit the _TokenAPI_.xml and add CORS headers if you needed. You may refer[1] as useful resource.

[1] - http://blog.lakmali.com/2013/10/how-to-add-additional-headers-to-wso2.html