Match CORS 'allowedOrigins' with regular expression in Extended Settings

Any way for the watt.server.cors.allowedOrigins option to accept a regular expression?

I tried something like ^. * . * $ but it does not work

Thanks

HTH,

Apply IS_9.7_Core_Fix11 for regular expression support with allowed origins.

The following additional information is found in the Fix Readme.txt file:

"PIE-41090 (IS_9.7_Core_Fix11)

When CORS is enabled, the watt.server.cors.allowedOrigins server configuration parameter indicates the origin servers from which Integration Server will accept requests. The watt.server.cors.allowedOrigins value can be a comma-separated list identifying the specific origin servers or a “*”, meaning any origin server is allowed. A comma-separated list can become long and difficult to maintain.

To make the list of origin servers easier to maintain, Integration Server now supports the use of regular expressions in the comma-separated list of allowed origin servers. Integration Server treats any value in the comma-separated list that begins with “r:” as a regular expression. Integration Server treats any value that does not begin with “r:” as a simple string. The server configuration parameter uses the Java regular expression syntax, as documented at Pattern (Java Platform SE 7).
A regular expression value must match the entire value of the Origin header in the HTTP request for it to be considered a match.

Example:

watt.server.cors.allowedOrigins=http://test1.domain.com,r:https?://.*.test2.domain.com:[0-9]+,r:.+.[a-zA-Z]*-int.domain.com

Integration Server treats the first value, “http://test1.domain.com”, as a simple string. If an Origin header contains this value, it will be allowed.

The second value, “r:https?://.*.test2.domain.com:[0-9]+”, contains a regular expression. The “r:” is not part of the regular expression. The actual regular expression used to match supplied Origin headers is “https?://.*.test2.domain.com:[0-9]+”.

The third value, “r:.+.[a-zA-Z]*-int.domain.com”, contains a regular expression. The “r:” is not part of the regular expression. The actual regular expression used to match supplied Origin headers is “.+.[a-zA-Z]*-int.domain.com”.

“Origin: http://test1.domain.com” will be allowed because it is equal to the first value.

“Origin: http://my.test2.domain.com:8080” will be allowed because it matches the second value.

“Origin: https://my.test2.domain.com:8088” will be allowed
because it matches the second value.

“Origin: http://my.test2.domain.com” will not be allowed. If it
had a port number, it would match the second value.

“Origin: nbps://example.prod-int.domain.com” will be allowed
because it matches the third value.

“Origin: example.qa.staging-int.domain.com” will be allowed
because it matches the third value.

“Origin: example.dev1-int.domain.com” will not be allowed. If
the second token of the host name did not include any digits, it
would have matched the third value.

watt.server.cors.allowedOrigins=*

The simple wildcard “*” continues to work as before. It
indicates that any origin server will be allowed.

Regular expressions that match any host name, IP address and
port (e.g. “r:.+” and “r:.*”) will have the same effect as “*”.

Note that when CORS is enabled, Integration Server evaluates the
list of regular expressions in watt.server.cors.allowedOrigins
sequentially for every request. Integration Server performs a
regular expression match operation on each regular expression
until a match is found or all regular expressions in the list
have been evaluated. Software AG recommends that you put the
more frequently matched regular expressions at the beginning of
the comma-separated list."
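
An added example, not part of the thread or the readme: a Python sketch of the matching rules the readme describes (literal entries, "r:" entries as full-match regular expressions, checked in list order), with Python's `re.fullmatch` standing in for Java's `Pattern` on patterns whose syntax is common to both. The escaped list gives the seven outcomes the readme states, while the unescaped one also accepts the dev1 origin and a look-alike host, because an unescaped "." matches any character. Assumptions: both property values are modelled on the readme's example, literal entries are compared exactly, and the last origin is constructed.

```python
import re

def parse_allowed_origins(value):
    """Split the property value; items starting with 'r:' are regular expressions."""
    rules = []
    for item in value.split(","):
        if item.startswith("r:"):
            rules.append(("regex", re.compile(item[2:])))  # "r:" is not part of the regex
        else:
            rules.append(("literal", item))
    return rules

def origin_allowed(origin, rules):
    """Check rules in list order; a regex must match the entire Origin value."""
    for kind, rule in rules:
        # Assumption: literal entries are compared exactly (case-sensitive).
        if kind == "literal" and rule in ("*", origin):
            return True
        if kind == "regex" and rule.fullmatch(origin):
            return True
    return False

# Assumed property values, modelled on the readme's example.
UNESCAPED = ("http://test1.domain.com,"
             "r:https?://.*.test2.domain.com:[0-9]+,"
             "r:.+.[a-zA-Z]*-int.domain.com")
ESCAPED = ("http://test1.domain.com,"
           r"r:https?://.*\.test2\.domain\.com:[0-9]+,"
           r"r:.+\.[a-zA-Z]*-int\.domain\.com")

# Origin values from the readme, plus one constructed look-alike host (last entry).
ORIGINS = [
    "http://test1.domain.com",
    "http://my.test2.domain.com:8080",
    "https://my.test2.domain.com:8088",
    "http://my.test2.domain.com",
    "nbps://example.prod-int.domain.com",
    "example.qa.staging-int.domain.com",
    "example.dev1-int.domain.com",
    "https://shop-int-domain.com",  # constructed: a different registrable domain
]

def compare(origins=ORIGINS):
    """Return {origin: (allowed_by_unescaped_list, allowed_by_escaped_list)}."""
    loose, strict = parse_allowed_origins(UNESCAPED), parse_allowed_origins(ESCAPED)
    return {o: (origin_allowed(o, loose), origin_allowed(o, strict)) for o in origins}

if __name__ == "__main__":
    for origin, (loose, strict) in compare().items():
        print(f"{origin:40} unescaped={loose!s:5} escaped={strict}")
```

Running the same comparison over a production allowedOrigins value, with origins that should be rejected added to the list, shows whether any pattern accepts more than intended before it is deployed.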