Blog 3 april, 2017

Enable CORS with Camel Rest DSL

When creating a public rest API you have to take into account how and who is using your API. This is not only important in how you structure your API but also how you expose your API. One of the issues I’ve faced with hosting a public API is CORS. Users of the API got the following error, or a variation of, it when calling the API from javascript.

Cross-Origin Request Blocked: ….

In short, it means that you have to enable CORS or “Cross-origin resource sharing”. When a website wants to access a public API that is hosted on a different domain it is normally blocked by the “Same-origin policy”. This policy, implemented by your browser blocks any call that is not in the same domain (hostname and port) as the website that is shown in your browser. For APIs that belong to the website this is normally not a real problem because you can simply serve the API via the same domain. However with public APIs this is not possible. With CORS your browser allows you to make cross domain requests.

When a browser has to get data from a public API that is hosted on a different domain it uses CORS to checks if the request is allowed. The browser sends an OPTIONS request to the API stating it wants to make a request. Part of the request are the custom headers you have specified for the call. The public API has to accept this OPTIONS request. After the request has been accepted the browser will execute the actual request.

As the rest API must accept the request it means that your API has to contain some configuration that handles the CORS requests. With the camel rest DSL this is relatively easy. First you have to enable the CORS, for simple requests this is enough. I however had to allow some custom headers as well. This meant that I had to white list my custom headers.

restConfiguration()
        .component("jetty")
        .host("0.0.0.0")
        .port(8888)
        .bindingMode(RestBindingMode.json)
        .enableCORS(true)
        .corsHeaderProperty("Access-Control-Allow-Headers", "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers,CustomHeader1, CustomHeader2")
        ;

Meer blogs

Techblog Blogs

Kafka with Camel

Kafka is a populair opensource, distributed streaming, platform which prides itself on key features as fault-tolerance and replay options. My colleague Jan van Zoggel wrote a nice “getting started” blog…

Dirk Janssen
18 oktober, 2016

Techblog Blogs

Fuse Fabric MQ provision exception

When using the discovery endpoint to connect to a master slave ActiveMQ cluster I ran into an error. It is worth to note that this exception is not caused by…

Pim Gaemers
24 december, 2014

Techblog Blogs

What is HATEOAS?

With probably the most unpronounceable acronym in the world of IT, and there are a lot, HATEOAS is also one of the most obscure and misunderstood constraints of the REST…

Pim Gaemers
18 maart, 2016

Techblog Blogs

Monitoring your beer production with Spring Boot Metrics

Let’s take a small break from our Docker/Kubernetes series in which we try to optimize our beer-brewing and -selling throughput and focus a bit more on beer-brewing and -sales measurement….

Roger Goossens
4 maart, 2020

Techblog Architectuur

Testautomatisering in een Middleware landschap

Inleiding/Context Bij bijna alle opdrachtgevers waar Rubix werkt speelt het onderwerp testautomatisering. De ene opdrachtgever is hier al verder mee dan de andere. Sommige opdrachtgevers hebben reeds een tool in…

René Noort
11 juli, 2017