Add CORS support to REST module

RESTWS-382 Access-Control-Allow-Origin in response headers is in the to-do list of my GSoC project. However as the use case is not well understood there, the issue is kind of in halt. So I thought it’s worth a discussion.

Say trying to call the OpenMRS api on However the request will be blocked because of the same-origin policy followed by all modern browsers. Since CORS is not setup, no requests originating outside of domain-b (or port) will be permitted access.

In our case if domain-b (rest service) is willing to accept a request from domain-a, api service may response with the header:


which tells the browser to allow cross origin requests from domian-a.

So IMO this is an essential feature to be added to the rest module. Though further explanation won’t be necessary, here are some sample requests to OpenMRS api and to an API that supports CORS (

$ curl --verbose -H "Origin:" http://localhost:8081/openmrs-standalone/ws/rest/v1/session
      > GET /openmrs-standalone/ws/rest/v1/session HTTP/1.1
      > Origin:

      < HTTP/1.1 200 OK
      < Set-Cookie: JSESSIONID=426827D5C10EC3E4C5B2EE4EDBD4679A; Path=/openmrs-standalone/; HttpOnly

$ curl --verbose

      > User-Agent: curl/7.38.0
      > Host:

      < HTTP/1.1 200 OK
      < Access-Control-Allow-Origin: *
      < Access-Control-Allow-Credentials: true

Workaround is to add a CORS_Filter to Tomcat (suggested by @pascal). But this will permit universal access from all origins and is platform specific.

So the solution I believe is to add configuration option which let users specify list of allowed domains, similar to “.allowedips”. Then it would be a matter of adding “Access-Control-Allow-Origin” to response headers after doing a simple verification on the API backend.

I see this approach is being followed by many major API services (Atlasian, Amazon).

@jeremy @raff

1 Like

@gayanw thanks for following this up! :slight_smile:

The last ticket comment says that @pascal just configured a filter in tomcat to do this. Shouldn’t that be enough?

@dkayiwa, with @gayanw’s solution, the OpenMRS admin user with be able to configure which IPs (or domains?) are allowed to query the API. This is possible with the Tomcat config, but will require editing an XML file on the file system.

1 Like

Hi @pascal, would you please tell me, if I chose OpenMRS SDK to deal with my servers, where can find that XML file in my windows machine? Where is the Tomcat server is being created? (I couldn’t find it either) :grimacing:

They are not in the location mentioned in the docs?

I think it is in here: /home/<>/openmrs/server/tmp/openmrs/WEB-INF/web.xml

Or it can be configured per module by editing modules webapp/WEB-INF/web.xml

1 Like