How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure a CORS filter in IG 5.x and 6.x?

Last updated Mar 9, 2021

The purpose of this article is to provide assistance on configuring a Cross-origin resource sharing (CORS) filter in IG.


IG 7 introduces a CorsFilter, which is available to configure policies for CORS to allow requests to be made across domains from user agents. See Configuration Reference › CorsFilter for further information.

In earlier versions, you must configure CORS in the web application container. See the following section, Configuring a CORS filter (pre-IG 7) for further information.

Configuring a CORS filter (pre-IG 7)

In pre-IG 7, you can configure a CORS filter using any of the web container-level instructions as follows: 

For example, a CORS filter in Tomcat would look similar to this: 

<filter> <filter-name>CorsFilter</filter-name> <filter-class>org.apache.catalina.filters.CorsFilter</filter-class> <init-param> <param-name></param-name> <param-value>*</param-value> </init-param> <init-param> <param-name>cors.allowed.methods</param-name> <param-value>GET,POST,PUT,DELETE,PATCH,OPTIONS,HEAD</param-value> </init-param> <init-param> <param-name>cors.allowed.headers</param-name> <param-value>Authorization,Content-Type,X-Requested-With,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-OpenAM-Username,X-OpenAM-Password,iPlanetDirectoryPro,Accept-API-Version,If-Match,If-None-Match,Accept-Encoding,Accept-Language,Cache-Control,Connection</param-value> </init-param> <init-param> <param-name></param-name> <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value> </init-param> <init-param> <param-name></param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>CorsFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>

If you need IG to add the appropriate headers to CORS requests, you can use a CORS filter as described here: Gateway Guide › Setting Up IG As an UMA Resource Server. The CORS filter handles pre-flight (HTTP OPTIONS) requests and responses for all HTTP operations, and adds the appropriate headers to CORS requests.

See Also

How do I troubleshoot issues with CORS in AM?

SameSite cookie support in AM and IG

Installation Guide › Enabling CORS Support

Apache Tomcat - CORS Filter

Jetty - Cross Origin Filter

Related Training


Related Issue Tracker IDs

OPENIG-467 (Support for Cross Origin Resource Sharing (CORS))

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.