Discussion:
How to enable CORS on Fuseki2
Colin Maudry
2015-07-15 17:24:30 UTC
Permalink
Hello people,

I did follow the instructions in the Jetty documentation, but that was
not very helpful, as it's very succint.

After experimenting, I realized that we have to be quite explicit in our
configuration.

So I managed to have my Fuseki2 SPARQL endpoint accessible to a YASGUI
instance, doing this:

https://github.com/YASGUI/YASGUI/issues/65#issuecomment-121673221

For the lazy ones:

1. Open |webapp/WEB-INF/web.xml
2. Insert the following snipped before any other <filter>
|

<!-- CORS filter-->

<filter>
<filter-name>cross-origin</filter-name>
<filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
<init-param>
<param-name>allowedOrigins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>allowedMethods</param-name>
<param-value>GET,POST,DELETE,PUT,HEAD,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>allowedHeaders</param-name>
<param-value>Accept, Origin, X-Requested-With, Content-Type, Last-Modified, Authorization</param-value>
</init-param>
<init-param>
<param-name>exposedHeaders</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>cross-origin</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

3. Configure to your taste, but it works as-is. The key, compared to what the documentation says,
is that you should configure the servers to return certain headers that indicate CORS is enabled.

Cheers,
Colin


On 02/06/15 17:52, Jeffrey Witt wrote:

Hi, I just updated to Fuseki2 from Fuseki1. With Fuseki1 I was enjoying
the enabled *CORS* support, especially important for javascript only,
single page apps.

But, as I¹ve gleaned from this post:
https://issues.apache.org/jira/browse/JENA-652 *CORS* is not enabled by
default for Fueski2. I wonder if it is now possible to enable *CORS* for
Fueski2. If so could someone guide me through the enabling process.

(I have little to no experience with writing in Java, so I might need
detailed instructions).

Thanks in advance. jw

Hi there,

You'r right - *CORS* is not enabled in Fuseki2. It would eb re

if you are deploying Fuseki2 with the standalone server jar
(fuseki-server.jar), not the WAR file, you can follow the instructions
for Jetty [1] to enable it (no Java required, editing web.xml is required).

The web.xml file is in webapp/WEB-INF/web.xml of what usually FUSEKI_HOME

The war file can also be done - it needs unpacking, changing web.xml and
repacking.

----------- There's machinery in Fuseki2 for this (and a request routing
problem - now being fixed).

What would help me is someone with experience to advise what the headers
should be for the various options and especially whether one choice of
settings is good for everyone or whether this needs configuration in
some way. Even if the latter, what is the best out-of-the-box settings?

If it is one universal set of settings, is better (safe) to do in
Fuseki2 or, for example when running in Tomcat, should Tomcat do it?

Andy

[1]
http://www.eclipse.org/jetty/documentation/current/cross-origin-filter.html
Andy Seaborne
2015-07-19 17:39:49 UTC
Permalink
Hi Colin,

Thank you very much for writing this up.

Andy
Post by Colin Maudry
Hello people,
I did follow the instructions in the Jetty documentation, but that was
not very helpful, as it's very succint.
After experimenting, I realized that we have to be quite explicit in our
configuration.
So I managed to have my Fuseki2 SPARQL endpoint accessible to a YASGUI
https://github.com/YASGUI/YASGUI/issues/65#issuecomment-121673221
1. Open |webapp/WEB-INF/web.xml
2. Insert the following snipped before any other <filter>
|
<!-- CORS filter-->
<filter>
<filter-name>cross-origin</filter-name>
<filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
<init-param>
<param-name>allowedOrigins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>allowedMethods</param-name>
<param-value>GET,POST,DELETE,PUT,HEAD,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>allowedHeaders</param-name>
<param-value>Accept, Origin, X-Requested-With, Content-Type, Last-Modified, Authorization</param-value>
</init-param>
<init-param>
<param-name>exposedHeaders</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>cross-origin</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3. Configure to your taste, but it works as-is. The key, compared to what the documentation says,
is that you should configure the servers to return certain headers that indicate CORS is enabled.
Cheers,
Colin
Hi, I just updated to Fuseki2 from Fuseki1. With Fuseki1 I was enjoying
the enabled *CORS* support, especially important for javascript only,
single page apps.
https://issues.apache.org/jira/browse/JENA-652 *CORS* is not enabled by
default for Fueski2. I wonder if it is now possible to enable *CORS* for
Fueski2. If so could someone guide me through the enabling process.
(I have little to no experience with writing in Java, so I might need
detailed instructions).
Thanks in advance. jw
Hi there,
You'r right - *CORS* is not enabled in Fuseki2. It would eb re
if you are deploying Fuseki2 with the standalone server jar
(fuseki-server.jar), not the WAR file, you can follow the instructions
for Jetty [1] to enable it (no Java required, editing web.xml is required).
The web.xml file is in webapp/WEB-INF/web.xml of what usually FUSEKI_HOME
The war file can also be done - it needs unpacking, changing web.xml and
repacking.
----------- There's machinery in Fuseki2 for this (and a request routing
problem - now being fixed).
What would help me is someone with experience to advise what the headers
should be for the various options and especially whether one choice of
settings is good for everyone or whether this needs configuration in
some way. Even if the latter, what is the best out-of-the-box settings?
If it is one universal set of settings, is better (safe) to do in
Fuseki2 or, for example when running in Tomcat, should Tomcat do it?
Andy
[1]
http://www.eclipse.org/jetty/documentation/current/cross-origin-filter.html
Andy Seaborne
2015-08-21 19:14:56 UTC
Permalink
To push this forward, here's a JIRA proposing to add the setup Colin gives:

https://issues.apache.org/jira/browse/JENA-1014

Question: should this be in Fuseki when running as a war file in Tomcat
etc? I think the answer is "yes".

Next question: Should this be added to all responses? HTML pages, /$/
admin operations and dataset services? For the usual use cases, it
seems it should but is that always true?

If this is the way to go, to produce a jetty-independent version for the
war file, then taking a clone of jetty's CrossOriginFilter is needed -
fortunately, that file explicitly syas it is dual licensed, Eclipse and
Apache.

Andy
Post by Andy Seaborne
Hi Colin,
Thank you very much for writing this up.
Andy
Post by Colin Maudry
Hello people,
I did follow the instructions in the Jetty documentation, but that was
not very helpful, as it's very succint.
After experimenting, I realized that we have to be quite explicit in our
configuration.
So I managed to have my Fuseki2 SPARQL endpoint accessible to a YASGUI
https://github.com/YASGUI/YASGUI/issues/65#issuecomment-121673221
1. Open |webapp/WEB-INF/web.xml
2. Insert the following snipped before any other <filter>
|
<!-- CORS filter-->
<filter>
<filter-name>cross-origin</filter-name>
<filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
<init-param>
<param-name>allowedOrigins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>allowedMethods</param-name>
<param-value>GET,POST,DELETE,PUT,HEAD,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>allowedHeaders</param-name>
<param-value>Accept, Origin, X-Requested-With,
Content-Type, Last-Modified, Authorization</param-value>
</init-param>
<init-param>
<param-name>exposedHeaders</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>cross-origin</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3. Configure to your taste, but it works as-is. The key, compared to
what the documentation says,
is that you should configure the servers to return certain headers
that indicate CORS is enabled.
Cheers,
Colin
Hi, I just updated to Fuseki2 from Fuseki1. With Fuseki1 I was enjoying
the enabled *CORS* support, especially important for javascript only,
single page apps.
https://issues.apache.org/jira/browse/JENA-652 *CORS* is not enabled by
default for Fueski2. I wonder if it is now possible to enable *CORS* for
Fueski2. If so could someone guide me through the enabling process.
(I have little to no experience with writing in Java, so I might need
detailed instructions).
Thanks in advance. jw
Hi there,
You'r right - *CORS* is not enabled in Fuseki2. It would eb re
if you are deploying Fuseki2 with the standalone server jar
(fuseki-server.jar), not the WAR file, you can follow the instructions
for Jetty [1] to enable it (no Java required, editing web.xml is required).
The web.xml file is in webapp/WEB-INF/web.xml of what usually FUSEKI_HOME
The war file can also be done - it needs unpacking, changing web.xml and
repacking.
----------- There's machinery in Fuseki2 for this (and a request routing
problem - now being fixed).
What would help me is someone with experience to advise what the headers
should be for the various options and especially whether one choice of
settings is good for everyone or whether this needs configuration in
some way. Even if the latter, what is the best out-of-the-box settings?
If it is one universal set of settings, is better (safe) to do in
Fuseki2 or, for example when running in Tomcat, should Tomcat do it?
Andy
[1]
http://www.eclipse.org/jetty/documentation/current/cross-origin-filter.html
Colin Maudry
2015-08-21 21:04:15 UTC
Permalink
Hi Andy,

I'm not knowledgeable enough with CORS to advise whether the
configuration I shared should be shipped with all Fuseki2 downloads,
applying to all URLs. There might be security caveats.

If I cared about security, I would align the URL patterns allowed for
CORS with those I configured in shiro.ini, those that are public: what
is public in shiro.ini should be allowed for CORS, to enable fellow
developers to use my endpoint for their Web apps.

In any case, I think adding a section in Fuseki2 documentation showing
how to get CORS working (bases on the configuration I suggested) would
be a good step forward, and may bring more people in the discussion.

There would be a warning making clear that the default configuration may
not be fit for production.

I hope I gave a beginning of answer to your question :)

Colin
@CMaudry
Post by Andy Seaborne
https://issues.apache.org/jira/browse/JENA-1014
Question: should this be in Fuseki when running as a war file in
Tomcat etc? I think the answer is "yes".
Next question: Should this be added to all responses? HTML pages, /$/
admin operations and dataset services? For the usual use cases, it
seems it should but is that always true?
If this is the way to go, to produce a jetty-independent version for
the war file, then taking a clone of jetty's CrossOriginFilter is
needed - fortunately, that file explicitly syas it is dual licensed,
Eclipse and Apache.
Andy
Post by Andy Seaborne
Hi Colin,
Thank you very much for writing this up.
Andy
Post by Colin Maudry
Hello people,
I did follow the instructions in the Jetty documentation, but that was
not very helpful, as it's very succint.
After experimenting, I realized that we have to be quite explicit in our
configuration.
So I managed to have my Fuseki2 SPARQL endpoint accessible to a YASGUI
https://github.com/YASGUI/YASGUI/issues/65#issuecomment-121673221
1. Open |webapp/WEB-INF/web.xml
2. Insert the following snipped before any other <filter>
|
<!-- CORS filter-->
<filter>
<filter-name>cross-origin</filter-name>
<filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
<init-param>
<param-name>allowedOrigins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>allowedMethods</param-name>
<param-value>GET,POST,DELETE,PUT,HEAD,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>allowedHeaders</param-name>
<param-value>Accept, Origin, X-Requested-With,
Content-Type, Last-Modified, Authorization</param-value>
</init-param>
<init-param>
<param-name>exposedHeaders</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>cross-origin</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3. Configure to your taste, but it works as-is. The key, compared to
what the documentation says,
is that you should configure the servers to return certain headers
that indicate CORS is enabled.
Cheers,
Colin
Hi, I just updated to Fuseki2 from Fuseki1. With Fuseki1 I was enjoying
the enabled *CORS* support, especially important for javascript only,
single page apps.
https://issues.apache.org/jira/browse/JENA-652 *CORS* is not enabled by
default for Fueski2. I wonder if it is now possible to enable *CORS* for
Fueski2. If so could someone guide me through the enabling process.
(I have little to no experience with writing in Java, so I might need
detailed instructions).
Thanks in advance. jw
Hi there,
You'r right - *CORS* is not enabled in Fuseki2. It would eb re
if you are deploying Fuseki2 with the standalone server jar
(fuseki-server.jar), not the WAR file, you can follow the instructions
for Jetty [1] to enable it (no Java required, editing web.xml is required).
The web.xml file is in webapp/WEB-INF/web.xml of what usually FUSEKI_HOME
The war file can also be done - it needs unpacking, changing web.xml and
repacking.
----------- There's machinery in Fuseki2 for this (and a request routing
problem - now being fixed).
What would help me is someone with experience to advise what the headers
should be for the various options and especially whether one choice of
settings is good for everyone or whether this needs configuration in
some way. Even if the latter, what is the best out-of-the-box settings?
If it is one universal set of settings, is better (safe) to do in
Fuseki2 or, for example when running in Tomcat, should Tomcat do it?
Andy
[1]
http://www.eclipse.org/jetty/documentation/current/cross-origin-filter.html
Andy Seaborne
2015-08-22 09:20:33 UTC
Permalink
Colin - caveats noted!

I'm in a similar position to you - I've only had to make CORS work, not
architect for all cases, which is why I'm throwing this out on users@ in
the hope of building a proper picture.

Andy
Post by Colin Maudry
Hi Andy,
I'm not knowledgeable enough with CORS to advise whether the
configuration I shared should be shipped with all Fuseki2 downloads,
applying to all URLs. There might be security caveats.
If I cared about security, I would align the URL patterns allowed for
CORS with those I configured in shiro.ini, those that are public: what
is public in shiro.ini should be allowed for CORS, to enable fellow
developers to use my endpoint for their Web apps.
In any case, I think adding a section in Fuseki2 documentation showing
how to get CORS working (bases on the configuration I suggested) would
be a good step forward, and may bring more people in the discussion.
There would be a warning making clear that the default configuration may
not be fit for production.
I hope I gave a beginning of answer to your question :)
Colin
@CMaudry
Post by Andy Seaborne
https://issues.apache.org/jira/browse/JENA-1014
Question: should this be in Fuseki when running as a war file in
Tomcat etc? I think the answer is "yes".
Next question: Should this be added to all responses? HTML pages, /$/
admin operations and dataset services? For the usual use cases, it
seems it should but is that always true?
If this is the way to go, to produce a jetty-independent version for
the war file, then taking a clone of jetty's CrossOriginFilter is
needed - fortunately, that file explicitly syas it is dual licensed,
Eclipse and Apache.
Andy
Post by Andy Seaborne
Hi Colin,
Thank you very much for writing this up.
Andy
Post by Colin Maudry
Hello people,
I did follow the instructions in the Jetty documentation, but that was
not very helpful, as it's very succint.
After experimenting, I realized that we have to be quite explicit in our
configuration.
So I managed to have my Fuseki2 SPARQL endpoint accessible to a YASGUI
https://github.com/YASGUI/YASGUI/issues/65#issuecomment-121673221
1. Open |webapp/WEB-INF/web.xml
2. Insert the following snipped before any other <filter>
|
<!-- CORS filter-->
<filter>
<filter-name>cross-origin</filter-name>
<filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
<init-param>
<param-name>allowedOrigins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>allowedMethods</param-name>
<param-value>GET,POST,DELETE,PUT,HEAD,OPTIONS</param-value>
</init-param>
<init-param>
<param-name>allowedHeaders</param-name>
<param-value>Accept, Origin, X-Requested-With,
Content-Type, Last-Modified, Authorization</param-value>
</init-param>
<init-param>
<param-name>exposedHeaders</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>cross-origin</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3. Configure to your taste, but it works as-is. The key, compared to
what the documentation says,
is that you should configure the servers to return certain headers
that indicate CORS is enabled.
Cheers,
Colin
Hi, I just updated to Fuseki2 from Fuseki1. With Fuseki1 I was enjoying
the enabled *CORS* support, especially important for javascript only,
single page apps.
But, as I¹ve gleaned from this post:DISTINCT
https://issues.apache.org/jira/browse/JENA-652 *CORS* is not enabled by
default for Fueski2. I wonder if it is now possible to enable *CORS* for
Fueski2. If so could someone guide me through the enabling process.
(I have little to no experience with writing in Java, so I might need
detailed instructions).
Thanks in advance. jw
Hi there,
You'r right - *CORS* is not enabled in Fuseki2. It would eb re
if you are deploying Fuseki2 with the standalone server jar
(fuseki-server.jar), not the WAR file, you can follow the instructions
for Jetty [1] to enable it (no Java required, editing web.xml is required).
The web.xml file is in webapp/WEB-INF/web.xml of what usually FUSEKI_HOME
The war file can also be done - it needs unpacking, changing web.xml and
repacking.
----------- There's machinery in Fuseki2 for this (and a request routing
problem - now being fixed).
What would help me is someone with experience to advise what the headers
should be for the various options and especially whether one choice of
settings is good for everyone or whether this needs configuration in
some way. Even if the latter, what is the best out-of-the-box settings?
If it is one universal set of settings, is better (safe) to do in
Fuseki2 or, for example when running in Tomcat, should Tomcat do it?
Andy
[1]
http://www.eclipse.org/jetty/documentation/current/cross-origin-filter.html
Andy Seaborne
2015-08-27 12:15:15 UTC
Permalink
All,

CORS support added to Fuseki2. It is in the latest SNAPSHOT build
(2015-08-27).

Please would people try this out and give feedback (CORS does not affect
me at the moment so I'm not a reliable test).

It should also work when using Fuseki2 as a WAR file. Confirmation of
that would be very helpful.

Andy

https://issues.apache.org/jira/browse/JENA-1014

Loading...