diff --git a/_data/sidebars/am_3_x_sidebar.yml b/_data/sidebars/am_3_x_sidebar.yml index 11855e44f..798ec601a 100644 --- a/_data/sidebars/am_3_x_sidebar.yml +++ b/_data/sidebars/am_3_x_sidebar.yml @@ -552,6 +552,12 @@ entries: - title: Overview output: web url: /am/current/am_userguide_expression_language.html + - title: CORS Configuration + output: web + subfolderitems: + - title: Overview + output: web + url: /am/current/am_userguide_cors_configuration.html - title: Administration Guide output: web diff --git a/images/am/current/graviteeio-am-userguide-cors-default.png b/images/am/current/graviteeio-am-userguide-cors-default.png new file mode 100644 index 000000000..a08bd8d56 Binary files /dev/null and b/images/am/current/graviteeio-am-userguide-cors-default.png differ diff --git a/images/am/current/graviteeio-am-userguide-cors-settings-yml.png b/images/am/current/graviteeio-am-userguide-cors-settings-yml.png new file mode 100644 index 000000000..46dd63335 Binary files /dev/null and b/images/am/current/graviteeio-am-userguide-cors-settings-yml.png differ diff --git a/pages/am/3.x/breaking-changes/breaking-changes-3.21.adoc b/pages/am/3.x/breaking-changes/breaking-changes-3.21.adoc new file mode 100644 index 000000000..e26ef1db8 --- /dev/null +++ b/pages/am/3.x/breaking-changes/breaking-changes-3.21.adoc @@ -0,0 +1,19 @@ += Breaking changes in 3.21 +:page-sidebar: am_3_x_sidebar +:page-permalink: am/current/am_breaking_changes_3.21.html +:page-folder: am/installation-guide +:page-layout: am + +NOTE: To take advantage of these new features and incorporate these breaking changes, **use the migration guide available link:{{ '/am/current/am_installguide_migration.html' | relative_url }}[here]**. + +== Docker images + +From this version, to be complient with https://www.tenable.com/audits/items/CIS_Docker_v1.3.1_L1_Docker_Linux.audit:bdcea17ac365110218526796ae3095b1[CIS_Docker_v1.3.1_L1] the docker images are now using the user `graviteeio` +This means that if you use the official images and deploy them to Kubernetes, nothing changes. +If you build your own Dockerfile from Gravitee images, you must give the right rights to the modifications you add. +If you deploy in `openshift`, you have to add the following configure: + +```yaml +securityContext: + runAsGroup: 1000 +``` \ No newline at end of file diff --git a/pages/am/3.x/user-guide/cors/user-guide-cors-configuration.adoc b/pages/am/3.x/user-guide/cors/user-guide-cors-configuration.adoc new file mode 100644 index 000000000..f58fd9ca6 --- /dev/null +++ b/pages/am/3.x/user-guide/cors/user-guide-cors-configuration.adoc @@ -0,0 +1,88 @@ += CORS Configuration +:page-sidebar: am_3_x_sidebar +:page-permalink: am/current/am_userguide_cors_configuration.html +:page-folde![](../../../../../../../../../Desktop/graviteeio-am-userguide-cors-default.png)r: am/user-guide +:page-layout: am + +== Overview + +The CORS (Cross-Origin Resource Sharing) is a mechanism that allows resources on a *web page* to be requested from another domain. + +To understand well how to deal with CORS, you should first take a look at the https://www.w3.org/TR/cors[specification]. + +Gravitee Access Management (AM) has two separate CORS configurations in two different `gravitee.yml` files; one is for AM console and the other one is for AM gateway. +This document specifically focuses on AM gateway side CORS configuration. +From AM `v3.21.x` you can configure CORS in the domain level as well. +The CORS configuration in the domain level does not affect AM console CORS configuration. + +== Configure CORS in Domain Level + +Follow the below steps to create or update domain level CORS configuration. + +. Select *Settings > Entrypoints*. You should see configuration like below: ++ +image::{% link images/am/current/graviteeio-am-userguide-cors-default.png %}[CORS domain settings,400,380] ++ +. Enable the configuration and provide appropriate value +. Save the configuration. + +NOTE: The default value for the origin is `*` and max age is `86400 seconds (1 day)` if you do not provide any values. + +WARNING: Domain level CORS settings only affect the domain for which the settings are enabled. +You should use the settings in `gravitee.yml` file if you wish to use a single CORS configuration for all the domains. + +== Disabling The Domain level CORS Configuration + +Disabling the domain level CORS configuration enables gateway level CORS configuration automatically. +The gateway configuration uses values from the `gravitee.yml` file. +The default values are used for both domain level and gateway level configurations if custom values are unspecified. + + +== CORS Default Values + +[cols="2",options="header"] +|========================================================= +|Property | Default Value + +|allow-origin| * +|allow-methods| OPTIONS, GET, POST, PUT, DELETE, PATCH +|allow-headers| Cache-Control, Pragma, Origin, Authorization, Content-Type, X-Requested-With, If-Match, X-Xsrf-Token +|max-age| 864000 seconds (1 day) +|allow-credentials| false +|========================================================= + +Here is the screenshot of these variables from the `gravitee.yml` file + +image::{% link images/am/current/graviteeio-am-userguide-cors-settings-yml.png %}[Gateway CORS defailt settings,500,400] + + +== Brief Definition + +=== Access-Control-Allow-Origin + +Allow to specify one or multiples origin(s) that may access the resource. +If you want to allow all origins, you can put `*` but it's not safe for production. + +=== Access-Control-Allow-Methods + +Specifies the method or methods allowed when accessing the resource. This is used in response to a preflight request. + +=== Access-Control-Allow-Headers + +Here you specify the headers allowed to be used by your requests. +Typically, on your request headers you will have a header `Access-Control-Request-Headers` which request CORS to be configured to allow its values. + +Let's see a simple use case: + +A user make a call with a header `Access-Control-Request-Headers: my-header`. + +- if the CORS `Access-Control-Allow-Headers` is not configured with the header `my-header`, the request will get a 400 HTTP status. +- if the CORS `Access-Control-Allow-Headers` is configured with the header `my-header` at least, the request will get a 200 HTTP status. + +=== Access-Control-Allow-Credentials + +Indicates whether or not the response to the request can be exposed when the credentials flag is true. + +=== Access-Control-Allow-Max-Age + +This header indicates how long the results of a preflight request can be cached.