MicroStrategy ONE

Adding custom headers for CORS

Cross-Origin Resource Sharing (CORS) provides a way for a web application running in one origin (domain, protocol, and port) to access selected resources from a server in a different origin. A cross-origin HTTP request uses additional HTTP headers to tell the browser to let the web application share resources. For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts. This means that when a web application requests HTTP resources from a different origin, the response from the other origin must include the right CORS headers.

This example demonstrates how to customize authentication if you need to add additional headers to the list of CORS headers passed in the request and the response. The customization in this example requires only one custom file—an XML configuration file that Spring Security uses during authentication.

To help you get started, we have provided a sample file that you can download. You can use the code in this file as the basis for creating your own customization.

This customization can be used with either Standard or LDAP authentication.

Prerequisites

  • MicroStrategy Library is deployed
  • MicroStrategy Intelligence Server is running

XML file used in the customization

  • MainConfig.xml

To see what the customization code looks like and try out the customization in MicroStrategy Library, follow the instructions below.

  1. Download the sample file and extract the contents.

  2. Deploy your MicroStrategy Library application.

  3. Create a custom XML configuration file that allows additional CORS headers to be used during authentication and deploy it in Library.

    1. In the root folder of your deployed MicroStrategy Library application, navigate to WEB-INF\classes\auth\ and create a new folder called custom, if it does not already exist.
    2. Copy the file that you downloaded, MainConfig.xml, to the custom folder you just created.
    3. Open MainConfig.xml in a text editor. It includes the CORS bean definition (the <bean> node whose id attribute is set to "corsSource"), shown below.

      <?xml version="1.0" encoding="UTF-8"?>
      <beans xmlns="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:util="http://www.springframework.org/schema/util"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
                    http://www.springframework.org/schema/context
                    http://www.springframework.org/schema/context/spring-context-4.1.xsd
                    http://www.springframework.org/schema/util
                    http://www.springframework.org/schema/util/spring-util-4.1.xsd">
        <bean id="corsSource" class="com.microstrategy.auth.CorsConfigurationSourceWrapper" >
          <property name="allowedHeaders">
            <list>
              <value>Authorization</value>
              <value>Cache-Control</value>
              <value>Content-Type</value>
              <value>x-mstr-authToken</value>
              <value>x-mstr-projectId</value>
              <value>x-mstr-identitytoken</value>
              <value>X-Requested-With</value>
              <value>updatePolicy</value>
            </list>
          </property>
          <property name="exposedHeaders">
            <list>
              <value>x-mstr-authToken</value>
              <value>x-mstr-projectId</value>
              <value>x-mstr-identitytoken</value>
              <value>updatePolicy</value>
            </list>
          </property>
        </bean>
      </beans>
    4. Use the allowedHeaders and exposedHeaders properties to configure the additional headers allowed in the CORS request and response.

      • The allowedHeaders property defines headers allowed in the CORS request.
      • The exposedHeaders property defines the headers in the CORS response that the requesting web application is allowed to read.
    5. Under the <list> node for each property, add a new <value> node for each new header that you want to include in either the request or response.
    6. Save MainConfig.xml.
  4. Use the customization in MicroStrategy Library.

    To deploy your customization, simply restart your web server. When you open MicroStrategy Library, you should be able to request resources from a web application running in a different origin (domain, protocol, and port) from Library and see the additional headers in the request and response.
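
Before restarting, an edited MainConfig.xml can be checked offline. The script below is an added example, not part of the MicroStrategy sample file: it reads the corsSource bean and reports which request headers would still be refused and which response headers a cross-origin script still could not read. It assumes header names are matched case-insensitively against the two lists, and `X-Custom-Trace` and `X-Other` are hypothetical header names.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans"}
# Fetch-standard request headers that never need an allowedHeaders entry.
# Content-Type is safelisted only for form/text media types, so it is left out.
SAFE_REQUEST = {"accept", "accept-language", "content-language"}
# Response headers a script can always read without an exposedHeaders entry.
SAFE_RESPONSE = {"cache-control", "content-language", "content-length",
                 "content-type", "expires", "last-modified", "pragma"}

# Constructed sample: trimmed MainConfig.xml plus a hypothetical X-Custom-Trace.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="corsSource" class="com.microstrategy.auth.CorsConfigurationSourceWrapper">
    <property name="allowedHeaders"><list>
      <value>Content-Type</value><value>x-mstr-authToken</value>
      <value>X-Custom-Trace</value>
    </list></property>
    <property name="exposedHeaders"><list>
      <value>x-mstr-authToken</value>
    </list></property>
  </bean>
</beans>"""

def load_cors_lists(xml_text, bean_id="corsSource"):
    """Return {property name: [header, ...]} for the CORS bean."""
    bean = ET.fromstring(xml_text).find(f"b:bean[@id='{bean_id}']", NS)
    if bean is None:
        raise ValueError(f"no <bean id={bean_id!r}> in configuration")
    return {p.get("name"): [v.text.strip() for v in p.iterfind("b:list/b:value", NS)
                            if v.text and v.text.strip()]
            for p in bean.iterfind("b:property", NS)}

def blocked_request_headers(lists, requested):
    """Requested headers that a preflight against allowedHeaders would not approve."""
    allowed = {h.lower() for h in lists.get("allowedHeaders", [])}
    return [h for h in requested if h.lower() not in allowed | SAFE_REQUEST]

def unreadable_response_headers(lists, wanted):
    """Response headers the calling script would not be able to read."""
    exposed = {h.lower() for h in lists.get("exposedHeaders", [])} | SAFE_RESPONSE
    return [h for h in wanted if h.lower() not in exposed]

if __name__ == "__main__":
    cfg = load_cors_lists(SAMPLE)
    print("blocked:", blocked_request_headers(cfg, ["x-custom-trace", "X-Other"]))
    print("unreadable:", unreadable_response_headers(cfg, ["X-Custom-Trace"]))
```

In the sample, `X-Custom-Trace` was added only to allowedHeaders, so it can be sent but is reported as unreadable in the response until it is also listed under exposedHeaders.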