DWR Cross Domain How to

DWR is the most popular framework to develop AJAX-style Web Applications in Java. It’s very mature and you can rarely find bugs or unexpected behaviours. I have been performing some tests with DWR in an environment without standard Java server-side code (JSPs, JSFs, Servlets and web frameworks like Struts, Webwork…). All the code was static HTML, JavaScript and JavaScript dynamically generated by DWR. The static content was served by Apache, and the DWR code was served by Tomcat. Nothing shocking. But I did not want to use mod_jk or mod_proxy to serve Tomcat through Apache. So I assigned different names to the servers as follows:

  • Apache: static.myexample.com
  • Tomcat: dynamic.myexample.com

Cross domain is always an issue and DWR claims it can manage it, but it’s not easy because there is not enough information about how to do it. Let’s start with the different remoting schemas:

  • XMLHttpRequest: Works in most cases.
  • IFrame: Use it if you don’t have ActiveX enabled (DWR detects it automatically…)
  • ScriptTag: New in version 2.0, bypasses cross-domain restrictions. ScriptTag is a must if you want a cross domain environment, so I will use it.

ScriptTag needs some extra configuration in the web.xml file to relax the security restrictions of the DWR framework:

    <init-param>
        <param-name>debug</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>crossDomainSessionSecurity</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>allowGetForSafariButMakeForgeryEasier</param-name>
        <param-value>true</param-value>
    </init-param>


crossDomainSessionSecurity restricts cross domain remote access if true, and allowGetForSafariButMakeForgeryEasier seems to be mandatory when using the remoting ScriptTag schema. As you can read, I’m using Spring as the DWR Servlet, but you can ignore it and use the default DWR Servlet.
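Both non-debug settings above switch DWR away from its defaults, so it is useful to be able to spot them in a deployed web.xml. The following is an added example, not code from the original post or from DWR: a small Python audit that reports every servlet where these three parameters carry their relaxed values. The servlet name and namespace in the sample are constructed, and the reason strings are this example's own wording.

```python
import xml.etree.ElementTree as ET

# Parameter names are the three set in the web.xml above; each maps to the
# value that relaxes DWR's default and a short reason (example wording).
RELAXED = {
    "crossDomainSessionSecurity": ("false", "cross-domain session check disabled"),
    "allowGetForSafariButMakeForgeryEasier": ("true", "GET calls accepted, forgery easier"),
    "debug": ("true", "debug/test pages exposed"),
}

def local(tag):
    """Strip an XML namespace so namespaced and plain web.xml files both match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Return the stripped text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(xml_text):
    """Return (servlet-name, param, value, reason) for each relaxed setting."""
    findings = []
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if local(servlet.tag) != "servlet":
            continue
        servlet_name = child_text(servlet, "servlet-name") or "?"
        for param in servlet:
            if local(param.tag) != "init-param":
                continue
            name = child_text(param, "param-name")
            value = (child_text(param, "param-value") or "").lower()
            if name in RELAXED and value == RELAXED[name][0]:
                findings.append((servlet_name, name, value, RELAXED[name][1]))
    return findings

# Constructed sample: this post's init-params inside a hypothetical servlet entry.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>dwr</servlet-name>
    <init-param><param-name>debug</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>crossDomainSessionSecurity</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>allowGetForSafariButMakeForgeryEasier</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE):
        print("%s: %s=%s (%s)" % finding)
```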

And here comes the most painful part of the configuration: how do I tell the DWR JavaScript client where the new remote server is? No… there is no method to do this! Digging into the code generated by DWR, there is a JavaScript variable called:


You must pass here the URL where DWR is listening. In our example:


By default, the remoting schema is XMLHttpRequest, but we need to use the ScriptTag schema. So don’t forget to add the Rpc Type as follows:

So, the code should look like this:
