public final class CORSFilter
extends java.lang.Object
implements javax.servlet.Filter
A Filter that enables client-side cross-origin requests by implementing W3C's CORS (Cross-Origin Resource Sharing) specification for resources. Each HttpServletRequest request is inspected as per the specification, and appropriate response headers are added to the HttpServletResponse.
By default, it also sets the following request attributes, which help to determine the nature of the request downstream:
- true if CORS request; false otherwise.
- simple or preflight or not_cors or invalid_cors
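
The field summary below documents two defaults that matter together: all origins are allowed, and credential support is on. As an added example (not code from the project), this listener registers the filter with explicit init parameters through the PARAM_* keys; the origins, the comma-separated and "true"/"false" value formats, the filter name and the /api/* mapping are assumptions.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
// Also import CORSFilter from the package of the distribution in use
// (this page does not show the package name).

/** Added example: registers CORSFilter with explicit, restrictive init parameters. */
@WebListener
public class CorsFilterRegistration implements ServletContextListener {

    // Hypothetical origins; list only the front ends that really call this API.
    // Assumption: the filter accepts a comma-separated list of origins.
    private static final String TRUSTED_ORIGINS =
            "https://app.example.com,https://admin.example.com";

    @Override
    public void contextInitialized(ServletContextEvent event) {
        FilterRegistration.Dynamic cors =
                event.getServletContext().addFilter("corsFilter", new CORSFilter());
        if (cors == null) {
            return; // a filter with this name is already fully registered (e.g. in web.xml)
        }
        // Documented default: all origins allowed. Name the callers instead.
        cors.setInitParameter(CORSFilter.PARAM_CORS_ALLOWED_ORIGINS, TRUSTED_ORIGINS);
        // Documented default: credentials supported. Enable only if the API needs
        // cookies or HTTP auth on cross-origin calls (assumed "true"/"false" strings).
        cors.setInitParameter(CORSFilter.PARAM_CORS_SUPPORT_CREDENTIALS, "false");
        // Seconds (getPreflightMaxAge() returns seconds); 10 minutes instead of 30.
        cors.setInitParameter(CORSFilter.PARAM_CORS_PREFLIGHT_MAXAGE, "600");
        // Documented default: access logging off. Turn it on to review CORS traffic.
        cors.setInitParameter(CORSFilter.PARAM_CORS_LOGGING_ENABLED, "true");
        // Apply the filter only to the paths that are meant to be called cross-origin.
        cors.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/api/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to release.
    }
}
```
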
Modifier and Type | Class and Description |
---|---|
static class | CORSFilter.CORSRequestType - Enumerates various types of CORS requests. |
Modifier and Type | Field and Description |
---|---|
static java.util.Collection<java.lang.String> | COMPLEX_HTTP_METHODS - Collection of non-simple HTTP methods. |
static java.lang.String | DEFAULT_ALLOWED_HTTP_HEADERS - By default, the following headers are supported: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, and Access-Control-Request-Headers. |
static java.lang.String | DEFAULT_ALLOWED_HTTP_METHODS - By default, the following methods are supported: GET, POST, HEAD and OPTIONS. |
static java.lang.String | DEFAULT_ALLOWED_ORIGINS - By default, all origins are allowed to make requests. |
static java.lang.String | DEFAULT_DECORATE_REQUEST - By default, the request is decorated with CORS attributes. |
static java.lang.String | DEFAULT_EXPOSED_HEADERS - By default, none of the headers are exposed in the response. |
static java.lang.String | DEFAULT_LOGGING_ENABLED - By default, access log logging is turned off. |
static java.lang.String | DEFAULT_PREFLIGHT_MAXAGE - By default, the time duration to cache the pre-flight response is 30 mins. |
static java.lang.String | DEFAULT_SUPPORTS_CREDENTIALS - By default, support credentials is turned on. |
static java.util.Collection<java.lang.String> | HTTP_METHODS - Collection of HTTP methods. |
static java.lang.String | HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST - Boolean value, suggesting if the request is a CORS request or not. |
static java.lang.String | HTTP_REQUEST_ATTRIBUTE_ORIGIN - Attribute that contains the origin of the request. |
static java.lang.String | HTTP_REQUEST_ATTRIBUTE_PREFIX - The prefix to a CORS request attribute. |
static java.lang.String | HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS - Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request. |
static java.lang.String | HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE - Type of CORS request, of type CORSFilter.CORSRequestType. |
static java.lang.String | PARAM_CORS_ALLOWED_HEADERS - Key to retrieve allowed headers from FilterConfig. |
static java.lang.String | PARAM_CORS_ALLOWED_METHODS - Key to retrieve allowed methods from FilterConfig. |
static java.lang.String | PARAM_CORS_ALLOWED_ORIGINS - Key to retrieve allowed origins from FilterConfig. |
static java.lang.String | PARAM_CORS_EXPOSED_HEADERS - Key to retrieve exposed headers from FilterConfig. |
static java.lang.String | PARAM_CORS_LOGGING_ENABLED - Key to retrieve access log logging flag. |
static java.lang.String | PARAM_CORS_PREFLIGHT_MAXAGE - Key to retrieve preflight max age from FilterConfig. |
static java.lang.String | PARAM_CORS_REQUEST_DECORATE - Key to determine if request should be decorated. |
static java.lang.String | PARAM_CORS_SUPPORT_CREDENTIALS - Key to retrieve support credentials from FilterConfig. |
static java.lang.String | REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS - The Access-Control-Request-Headers header indicates which headers will be used in the actual request as part of the preflight request. |
static java.lang.String | REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD - The Access-Control-Request-Method header indicates which method will be used in the actual request as part of the preflight request. |
static java.lang.String | REQUEST_HEADER_ORIGIN - The Origin header indicates where the cross-origin request or preflight request originates from. |
static java.lang.String | RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS - The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the omit credentials flag is unset. |
static java.lang.String | RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS - The Access-Control-Allow-Headers header indicates, as part of the response to a preflight request, which header field names can be used during the actual request. |
static java.lang.String | RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS - The Access-Control-Allow-Methods header indicates, as part of the response to a preflight request, which methods can be used during the actual request. |
static java.lang.String | RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN - The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header in the response. |
static java.lang.String | RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS - The Access-Control-Expose-Headers header indicates which headers are safe to expose to the API of a CORS API specification. |
static java.lang.String | RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE - The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached in a preflight result cache. |
static java.util.Collection<java.lang.String> | SIMPLE_HTTP_METHODS - Collection of Simple HTTP methods. |
static java.util.Collection<java.lang.String> | SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES - Collection of Simple HTTP request headers. |
static java.util.Collection<java.lang.String> | SIMPLE_HTTP_REQUEST_HEADERS - Collection of Simple HTTP request headers. |
static java.util.Collection<java.lang.String> | SIMPLE_HTTP_RESPONSE_HEADERS - Collection of Simple HTTP request headers. |
Constructor and Description |
---|
CORSFilter() |
Modifier and Type | Method and Description |
---|---|
CORSFilter.CORSRequestType | checkRequestType(javax.servlet.http.HttpServletRequest request) - Determines the request type. |
static void | decorateCORSProperties(javax.servlet.http.HttpServletRequest request, CORSFilter.CORSRequestType corsRequestType) - Decorates the HttpServletRequest, with CORS attributes. |
void | destroy() |
void | doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain) |
java.util.Collection<java.lang.String> | getAllowedHttpHeaders() - Returns a Set of headers supported by the resource. |
java.util.Collection<java.lang.String> | getAllowedHttpMethods() - Returns a Set of HTTP methods that are allowed to make requests. |
java.util.Collection<java.lang.String> | getAllowedOrigins() - Returns the Set of allowed origins that are allowed to make requests. |
java.util.Collection<java.lang.String> | getExposedHeaders() - Returns a Set of headers that should be exposed by the browser. |
long | getPreflightMaxAge() - Returns the preflight response cache time in seconds. |
void | handleInvalidCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) - Handles a CORS request that violates specification. |
void | handleNonCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) - Handles a request, that's not a CORS request, but is a valid request i.e. |
void | handlePreflightCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) - Handles CORS pre-flight request. |
void | handleSimpleCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) - Handles a CORS request of type CORSFilter.CORSRequestType.SIMPLE. |
void | init(javax.servlet.FilterConfig filterConfig) |
boolean | isAnyOriginAllowed() - Determines if any origin is allowed to make CORS request. |
boolean | isLoggingEnabled() - Determines if logging is enabled or not. |
boolean | isSupportsCredentials() - Determines if supports credentials is enabled. |
static boolean | isValidOrigin(java.lang.String origin) - Checks if a given origin is valid or not. |
static java.lang.String | join(java.util.Collection<java.lang.String> elements, java.lang.String joinSeparator) - Joins elements of Set into a string, where each element is separated by the provided separator. |
public static final java.lang.String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
public static final java.lang.String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS
public static final java.lang.String RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS
public static final java.lang.String RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE
public static final java.lang.String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS
public static final java.lang.String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS
public static final java.lang.String REQUEST_HEADER_ORIGIN
public static final java.lang.String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD
public static final java.lang.String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS
public static final java.lang.String HTTP_REQUEST_ATTRIBUTE_PREFIX
public static final java.lang.String HTTP_REQUEST_ATTRIBUTE_ORIGIN
public static final java.lang.String HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST
public static final java.lang.String HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE
Type of CORS request, of type CORSFilter.CORSRequestType.
public static final java.lang.String HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS
public static final java.util.Collection<java.lang.String> HTTP_METHODS
Collection of HTTP methods. Case sensitive.
http://tools.ietf.org/html/rfc2616#section-5.1.1
public static final java.util.Collection<java.lang.String> COMPLEX_HTTP_METHODS
Collection of non-simple HTTP methods. Case sensitive.
public static final java.util.Collection<java.lang.String> SIMPLE_HTTP_METHODS
Collection of Simple HTTP methods. Case sensitive.
http://www.w3.org/TR/cors/#terminology
public static final java.util.Collection<java.lang.String> SIMPLE_HTTP_REQUEST_HEADERS
Collection of Simple HTTP request headers. Case insensitive.
http://www.w3.org/TR/cors/#terminology
public static final java.util.Collection<java.lang.String> SIMPLE_HTTP_RESPONSE_HEADERS
Collection of Simple HTTP request headers. Case insensitive.
http://www.w3.org/TR/cors/#terminology
public static final java.util.Collection<java.lang.String> SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
Collection of Simple HTTP request headers. Case insensitive.
http://www.w3.org/TR/cors/#terminology
public static final java.lang.String DEFAULT_ALLOWED_ORIGINS
public static final java.lang.String DEFAULT_ALLOWED_HTTP_METHODS
public static final java.lang.String DEFAULT_PREFLIGHT_MAXAGE
public static final java.lang.String DEFAULT_SUPPORTS_CREDENTIALS
public static final java.lang.String DEFAULT_ALLOWED_HTTP_HEADERS
public static final java.lang.String DEFAULT_EXPOSED_HEADERS
public static final java.lang.String DEFAULT_LOGGING_ENABLED
public static final java.lang.String DEFAULT_DECORATE_REQUEST
public static final java.lang.String PARAM_CORS_ALLOWED_ORIGINS
Key to retrieve allowed origins from FilterConfig.
public static final java.lang.String PARAM_CORS_SUPPORT_CREDENTIALS
Key to retrieve support credentials from FilterConfig.
public static final java.lang.String PARAM_CORS_EXPOSED_HEADERS
Key to retrieve exposed headers from FilterConfig.
public static final java.lang.String PARAM_CORS_ALLOWED_HEADERS
Key to retrieve allowed headers from FilterConfig.
public static final java.lang.String PARAM_CORS_ALLOWED_METHODS
Key to retrieve allowed methods from FilterConfig.
public static final java.lang.String PARAM_CORS_PREFLIGHT_MAXAGE
Key to retrieve preflight max age from FilterConfig.
public static final java.lang.String PARAM_CORS_LOGGING_ENABLED
public static final java.lang.String PARAM_CORS_REQUEST_DECORATE
public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain) throws java.io.IOException, javax.servlet.ServletException
doFilter in interface javax.servlet.Filter
java.io.IOException
javax.servlet.ServletException

public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
init in interface javax.servlet.Filter
javax.servlet.ServletException

public void handleSimpleCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws java.io.IOException, javax.servlet.ServletException
Handles a CORS request of type CORSFilter.CORSRequestType.SIMPLE.
request - The HttpServletRequest object.
response - The HttpServletResponse object.
filterChain - The FilterChain object.
java.io.IOException
javax.servlet.ServletException

public void handlePreflightCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws java.io.IOException, javax.servlet.ServletException
request - The HttpServletRequest object.
response - The HttpServletResponse object.
filterChain - The FilterChain object.
java.io.IOException
javax.servlet.ServletException

public void handleNonCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws java.io.IOException, javax.servlet.ServletException
request - The HttpServletRequest object.
response - The HttpServletResponse object.
filterChain - The FilterChain object.
java.io.IOException
javax.servlet.ServletException

public void handleInvalidCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain)
request - The HttpServletRequest object.
response - The HttpServletResponse object.
filterChain - The FilterChain object.
java.io.IOException
javax.servlet.ServletException

public void destroy()
destroy in interface javax.servlet.Filter

public static void decorateCORSProperties(javax.servlet.http.HttpServletRequest request, CORSFilter.CORSRequestType corsRequestType)
Decorates the HttpServletRequest, with CORS attributes.
true if CORS request; false otherwise.
simple or preflight or not_cors or invalid_cors
request - The HttpServletRequest object.
corsRequestType - The CORSFilter.CORSRequestType object.

public static java.lang.String join(java.util.Collection<java.lang.String> elements, java.lang.String joinSeparator)
Joins elements of Set into a string, where each element is separated by the provided separator.
elements - The Set containing elements to join together.
joinSeparator - The character to be used for separating elements.
String; null if elements Set is null.

public CORSFilter.CORSRequestType checkRequestType(javax.servlet.http.HttpServletRequest request)
request -

public static boolean isValidOrigin(java.lang.String origin)
URI
origin -

public boolean isLoggingEnabled()
true if it's enabled; false otherwise.

public boolean isAnyOriginAllowed()
true if it's enabled; false otherwise.

public java.util.Collection<java.lang.String> getExposedHeaders()
Set of headers that should be exposed by browser.

public boolean isSupportsCredentials()

public long getPreflightMaxAge()

public java.util.Collection<java.lang.String> getAllowedOrigins()
Set of allowed origins that are allowed to make requests.
Set

public java.util.Collection<java.lang.String> getAllowedHttpMethods()
Set of HTTP methods that are allowed to make requests.
Set

public java.util.Collection<java.lang.String> getAllowedHttpHeaders()
Set of headers supported by resource.
Set