import ballerina/http;
import ballerina/log;
// Service-level CORS policy. Per this example it applies to every resource
// that does not declare its own `cors` block.
// CORS is enforced by browsers: it decides which origins' scripts may read a
// response. It does not authenticate or authorize the caller.
@http:ServiceConfig {
    cors: {
        // Sample origins over plain http; outside a demo, list https origins.
        allowOrigins: ["http://www.m3.com", "http://www.hello.com"],
        // Request headers accepted on cross-origin requests.
        allowHeaders: ["CORELATION_ID"],
        // Response headers that browser scripts are allowed to read.
        exposeHeaders: ["X-CUSTOM-HEADER"],
        // Cross-origin requests carrying credentials are not allowed here.
        allowCredentials: false,
        // Preflight cache lifetime in seconds; browsers may apply a lower cap.
        maxAge: 84900
    }
}
// No TLS configuration is given, so this listener serves plain HTTP on 9092.
service crossOriginService on new http:Listener(9092) {
    // GET /company: this resource-level `cors` block overrides the
    // service-level one and allows credentialed requests from one origin.
    // NOTE(review): with credentials enabled, the trust placed in the allowed
    // origin is only as strong as its transport; prefer an https origin.
    @http:ResourceConfig {
        path: "/company",
        methods: ["GET"],
        cors: {
            allowCredentials: true,
            allowOrigins: ["http://www.bbc.com"],
            // NOTE(review): X-Content-Type-Options is normally a response
            // header; it is listed here only as a sample value.
            allowHeaders: ["X-Content-Type-Options", "X-PINGOTHER"]
        }
    }
    resource function companyInfo(http:Caller caller, http:Request req) {
        json payload = { "type": "middleware" };
        http:Response response = new;
        response.setJsonPayload(payload);
        // The handler answers any client; CORS headers only affect browsers.
        error? sendOutcome = caller->respond(response);
        if (sendOutcome is error) {
            log:printError(sendOutcome.reason(), err = sendOutcome);
        }
    }
    // POST /lang: no resource-level `cors` block, so the service-level
    // policy above is the one applied to this resource.
    @http:ResourceConfig {
        path: "/lang",
        methods: ["POST"]
    }
    resource function langInfo(http:Caller caller, http:Request req) {
        json payload = { "lang": "Ballerina" };
        http:Response response = new;
        response.setJsonPayload(payload);
        error? sendOutcome = caller->respond(response);
        if (sendOutcome is error) {
            log:printError(sendOutcome.reason(), err = sendOutcome);
        }
    }
}

CORS

This sample demonstrates the Ballerina server connector CORS configuration. CORS headers can be applied at both the service level and the resource level. Service-level CORS headers apply to all resources unless headers are configured at the resource level. Ballerina CORS supports both simple and preflight requests. Note that CORS is enforced by the browser: it controls which origins' scripts may read a response and does not replace authentication or authorization on the service itself.

import ballerina/http;
import ballerina/log;
// Service-level CORS policy for `crossOriginService`.
// CORS only tells browsers which origins' scripts may read a response; it is
// not an authentication or authorization mechanism.
@http:ServiceConfig {
    cors: {
        // Origins whose cross-origin requests are accepted. These are
        // plain-http sample values; NOTE(review): use https origins outside a demo.
        allowOrigins: ["http://www.m3.com", "http://www.hello.com"],
        // Credentialed cross-origin requests are not allowed at this level.
        allowCredentials: false,
        // Request headers a cross-origin caller may send.
        allowHeaders: ["CORELATION_ID"],
        // Response headers that browser scripts are allowed to read.
        exposeHeaders: ["X-CUSTOM-HEADER"],
        // Preflight cache lifetime in seconds; browsers may cap this lower.
        maxAge: 84900
    }
}
// No TLS configuration is given, so this listener serves plain HTTP on 9092.
service crossOriginService on new http:Listener(9092) {

Service-level CORS headers apply globally to each resource.

    // GET /company with its own `cors` block: credentialed requests are
    // allowed from a single origin.
    // NOTE(review): with credentials enabled, the trust placed in the allowed
    // origin is only as strong as its transport; prefer an https origin.
    // NOTE(review): whether fields not set here (exposeHeaders, maxAge) fall
    // back to service-level values is not shown in this sample; confirm.
    @http:ResourceConfig {
        path: "/company",
        methods: ["GET"],
        cors: {
            allowCredentials: true,
            allowOrigins: ["http://www.bbc.com"],
            // NOTE(review): X-Content-Type-Options is normally a response
            // header; it is listed here only as a sample value.
            allowHeaders: ["X-Content-Type-Options", "X-PINGOTHER"]
        }
    }
    resource function companyInfo(http:Caller caller, http:Request req) {
        json payload = { "type": "middleware" };
        http:Response response = new;
        response.setJsonPayload(payload);
        // The handler answers any client; CORS headers only affect browsers.
        error? sendOutcome = caller->respond(response);
        if (sendOutcome is error) {
            log:printError(sendOutcome.reason(), err = sendOutcome);
        }
    }

Resource-level CORS headers override the service-level CORS headers.

    // POST /lang: this resource declares no `cors` block of its own, so the
    // CORS policy comes from the enclosing service's configuration.
    @http:ResourceConfig {
        path: "/lang",
        methods: ["POST"]
    }
    resource function langInfo(http:Caller caller, http:Request req) {
        json payload = { "lang": "Ballerina" };
        http:Response response = new;
        response.setJsonPayload(payload);
        // Log a failed send; the caller gets no further response.
        error? sendOutcome = caller->respond(response);
        if (sendOutcome is error) {
            log:printError(sendOutcome.reason(), err = sendOutcome);
        }
    }
}

Since there are no resource-level CORS headers defined here, the global service-level CORS headers are applied to this resource.

# To start the service, navigate to the directory that contains the
# `.bal` file and use the `ballerina run` command.
$ ballerina run http_cors.bal
[ballerina/http] started HTTP/WS listener 0.0.0.0:9092
# Run this curl command to send a CORS simple request. 
$ curl -v "http://localhost:9092/crossOriginService/company" -H "Origin:http://www.bbc.com"
< HTTP/1.1 200 OK
< Content-Type: application/json
< Access-Control-Allow-Origin: http://www.bbc.com
< Access-Control-Allow-Credentials: true
< Content-Length: 21
{"type":"middleware"}
# Run this curl command to send a CORS preflight request. 
$ curl -v "http://localhost:9092/crossOriginService/lang" -X OPTIONS -H "Origin:http://www.m3.com" -H "Access-Control-Request-Method:POST"
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: http://www.m3.com
< Access-Control-Allow-Methods: POST
< Access-Control-Max-Age: 84900
< Content-Length: 0