Differences

This shows you the differences between two versions of the page.

712:collector_data_rest_api [2025/09/24 14:50] Filpes, Claudia
712:collector_data_rest_api [2026/02/18 09:33] (current) – [Cross-Origin Resource Sharing] Deutschmann, Niklas
Line 267: Line 267:
 </code> </code>
  
 +==== Cross-Origin Resource Sharing ====
 +Starting with Stages 7.12.5, CORS (Cross-Origin Resource Sharing) can be configured for collector data API requests. This configuration change is **only** needed when another web application needs to make **client-side HTTP requests** to the API (because the same-origin policy is only enforced in web browsers)
  
 +The following configuration can be added to ''web-customer.xml'' (at the beginning right after the opening ''<web-app>'' tag). The ''cors.allowed.origins'' parameter can **not** be set to "*", so you can not allow API requests from any origin.
 +<code xml>
 +<filter>
 +    <filter-name>CorsFilter</filter-name>
 +    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
 +    <init-param>
 +        <!-- URLs of the web applications (comma-separated) for which API requests should be allowed -->
 +        <param-name>cors.allowed.origins</param-name>
 +        <param-value>https://stages-api-client1.example.com, https://stages-api-client2.example.com</param-value>
 +    </init-param>
 +    <init-param>
 +        <param-name>cors.support.credentials</param-name>
 +        <param-value>true</param-value>
 +    </init-param>
 +    <init-param>
 +        <param-name>cors.allowed.methods</param-name>
 +        <param-value>GET,OPTIONS</param-value>
 +    </init-param>
 +    <init-param>
 +        <param-name>cors.allowed.headers</param-name>
 +        <param-value>Origin,Authorization</param-value>
 +    </init-param>
 +</filter>
 +<filter-mapping>
 +    <filter-name>CorsFilter</filter-name>
 +    <url-pattern>/api/1/collectordata/*</url-pattern>
 +</filter-mapping>
 +</code>
 +
 +**Testing your configuration:**
 +
 +The best way to test the configuration:
 +  * Go to the website that should be the origin of the API requests (https://stages-api-client1.example.com in the example above)
 +  * Open the browser's developer tools (F12)
 +  * In the "Console" tab, execute the following request
 +
 +<code>
 +fetch("https://<Stages Server URL>/stages/api/1/collectordata/<Record Key>", { headers: { "Authorization": "Bearer <API Token>" }}).then(r => r.json()).then(console.log);
 +</code>
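
Review bot: In the filter definition, `cors.support.credentials` is set to `true`, but the test request at the end authenticates with an `Authorization: Bearer` header and never sets `credentials: "include"`, so nothing shown here exercises or needs `Access-Control-Allow-Credentials`. Either name the client scenario that requires credentialed (cookie-carrying) requests, or set the parameter to `false` so the listed origins cannot issue API calls that ride on a user's existing session. Related: the sentence that forbids `"*"` for `cors.allowed.origins` gives no reason; if the restriction follows from the credentials setting, say so there. The testing steps should also state what a failure looks like (a CORS error in the console instead of the JSON record) and mention that the `Authorization` header triggers a preflight, which is presumably why `OPTIONS` appears in `cors.allowed.methods`. Minor: the first paragraph ends without a period after "(because the same-origin policy is only enforced in web browsers)", and the second `<code>` block has no language tag while the first uses `<code xml>`.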