
How to set http header

hardik_thakkar
Star Contributor

Hi Team,

The application security team wants to allow only the GET and POST methods on any page.

For that, I have tried the options below:
1. Added CORS config in the alfresco-global.properties file

cors.enabled=true
cors.allowed.methods=Get,Post

2. Enabled CORS config in web.xml (tomcat/webapps/alfresco/WEB-INF)

<!-- CORS Filter Begin -->
   <filter>
      <filter-name>CORS</filter-name>
      <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
      <init-param>
         <param-name>cors.allowGenericHttpRequests</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.allowOrigin</param-name>
         <!-- <param-value>http://localhost:8081</param-value> -->
         <param-value>*</param-value>
      </init-param>
      <init-param>
         <param-name>cors.allowSubdomains</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportedMethods</param-name>
         <param-value>GET, POST</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportedHeaders</param-name>
         <param-value>origin, authorization, x-file-size, x-file-name, content-type, accept, x-file-type</param-value>
      </init-param>
      <init-param>
         <param-name>cors.supportsCredentials</param-name>
         <param-value>true</param-value>
      </init-param>
      <init-param>
         <param-name>cors.maxAge</param-name>
         <param-value>3600</param-value>
      </init-param>
   </filter>
   <!-- CORS Filter End -->
   
   <!-- CORS Filter Mappings Begin -->
   <filter-mapping>
      <filter-name>CORS</filter-name>
      <url-pattern>/api/*</url-pattern>
      <url-pattern>/service/*</url-pattern>
      <url-pattern>/s/*</url-pattern>
      <url-pattern>/cmisbrowser/*</url-pattern>
   </filter-mapping>
   <!-- CORS Filter Mappings End -->

3. Added security constraint in web.xml (tomcat/conf)

<security-constraint>
   <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>PUT</http-method>
   </web-resource-collection>
   <auth-constraint />
</security-constraint>

None of the above-mentioned configurations helped to achieve the required thing.

Has anyone configured the same?

Attached is a screenshot from the Burp Suite tool.

[Image: HTTP Method]

Thanks,
Hardik

0 REPLIES 0
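
Added example, not part of the original post: a small audit of servlet `<security-constraint>` semantics, comparing the deny-list from option 3 with an allow-list written with the Servlet 3.0 `<http-method-omission>` element. It goes slightly beyond the post by showing which methods each form leaves uncovered. The `PROBE` list, the function names and the second sample are assumptions, and only deny-all constraints on `/*` are evaluated rather than the container's full pattern matching.

```python
import xml.etree.ElementTree as ET

PROBE = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"]  # assumed audit list

# Constructed sample 1: the deny-list constraint from the post.
DENY_LIST = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint></web-app>"""

# Constructed sample 2: allow-list form, denying everything except GET and POST.
ALLOW_LIST = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>only GET and POST</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method-omission>GET</http-method-omission>
    <http-method-omission>POST</http-method-omission>
  </web-resource-collection>
  <auth-constraint />
</security-constraint></web-app>"""

def _texts(parent, name):
    # Match on the local tag name so a namespaced web.xml also works.
    return {e.text.strip() for e in parent.iter()
            if e.tag.split("}")[-1] == name and e.text}

def still_allowed(web_xml, probe=PROBE):
    """Methods from `probe` that no deny-all constraint on /* covers."""
    denied = set()
    for sc in ET.fromstring(web_xml).iter():
        if sc.tag.split("}")[-1] != "security-constraint":
            continue
        has_auth = any(e.tag.split("}")[-1] == "auth-constraint" for e in sc)
        # Deny-all: an <auth-constraint> is present and names no <role-name>.
        if not has_auth or _texts(sc, "role-name") or "/*" not in _texts(sc, "url-pattern"):
            continue
        listed, omitted = _texts(sc, "http-method"), _texts(sc, "http-method-omission")
        # Listed methods: only those are covered. Omissions: all but those.
        denied |= listed if listed else set(probe) - omitted
    return sorted(set(probe) - denied)

if __name__ == "__main__":
    print(still_allowed(DENY_LIST), still_allowed(ALLOW_LIST))
```

The deny-list leaves HEAD and PATCH (and any other unlisted method token) outside the constraint, while the omission form covers every method except the two named.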