java.lang.Object
com.erudika.para.server.utils.filters.CORSFilter
All Implemented Interfaces:
javax.servlet.Filter

public final class CORSFilter extends Object implements javax.servlet.Filter

A Filter that enables client-side cross-origin requests by implementing the W3C CORS (Cross-Origin Resource Sharing) specification for resources. Each HttpServletRequest is inspected as per the specification, and the appropriate response headers are added to the HttpServletResponse.

By default, it also sets the following request attributes, which help to determine the nature of the request downstream.
  • cors.isCorsRequest: Flag to determine if the request is a CORS request. Set to true if it is a CORS request; false otherwise.
  • cors.request.origin: The Origin URL.
  • cors.request.type: Type of request. Values: simple or preflight or not_cors or invalid_cors.
  • cors.request.headers: Request headers sent in the 'Access-Control-Request-Headers' header of a pre-flight request.
Author:
Mohit Soni
  • Field Details

    • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
      The Access-Control-Allow-Origin header indicates whether a resource can be shared, by returning the value of the Origin request header in the response.
    • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS
      The Access-Control-Allow-Credentials header indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    • RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS
      The Access-Control-Expose-Headers header indicates which headers are safe to expose to the API of a CORS API specification.
    • RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE
      The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached in a preflight result cache.
    • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS
      The Access-Control-Allow-Methods header indicates, as part of the response to a preflight request, which methods can be used during the actual request.
    • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS
      The Access-Control-Allow-Headers header indicates, as part of the response to a preflight request, which header field names can be used during the actual request.
    • REQUEST_HEADER_ORIGIN

      public static final String REQUEST_HEADER_ORIGIN
      The Origin header indicates where the cross-origin request or preflight request originates from.
    • REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD

      public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD
      The Access-Control-Request-Method header indicates which method will be used in the actual request as part of the preflight request.
    • REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS

      public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS
      The Access-Control-Request-Headers header indicates which headers will be used in the actual request as part of the preflight request.
    • HTTP_REQUEST_ATTRIBUTE_PREFIX

      public static final String HTTP_REQUEST_ATTRIBUTE_PREFIX
      The prefix to a CORS request attribute.
    • HTTP_REQUEST_ATTRIBUTE_ORIGIN

      public static final String HTTP_REQUEST_ATTRIBUTE_ORIGIN
      Attribute that contains the origin of the request.
    • HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST

      public static final String HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST
      Boolean value indicating whether the request is a CORS request.
    • HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE

      public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE
      Type of CORS request, of type CORSFilter.CORSRequestType.
    • HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS

      public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS
      Request headers sent in the 'Access-Control-Request-Headers' header of a pre-flight request.
    • HTTP_METHODS

      public static final Collection<String> HTTP_METHODS
      Collection of HTTP methods. Case sensitive. See http://tools.ietf.org/html/rfc2616#section-5.1.1
    • COMPLEX_HTTP_METHODS

      public static final Collection<String> COMPLEX_HTTP_METHODS
      Collection of non-simple HTTP methods. Case sensitive.
    • SIMPLE_HTTP_METHODS

      public static final Collection<String> SIMPLE_HTTP_METHODS
      Collection of simple HTTP methods. Case sensitive. See http://www.w3.org/TR/cors/#terminology
    • SIMPLE_HTTP_REQUEST_HEADERS

      public static final Collection<String> SIMPLE_HTTP_REQUEST_HEADERS
      Collection of simple HTTP request headers. Case-insensitive. See http://www.w3.org/TR/cors/#terminology
    • SIMPLE_HTTP_RESPONSE_HEADERS

      public static final Collection<String> SIMPLE_HTTP_RESPONSE_HEADERS
      Collection of simple HTTP response headers. Case-insensitive. See http://www.w3.org/TR/cors/#terminology
    • SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES

      public static final Collection<String> SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
      Collection of simple HTTP request Content-Type values. Case-insensitive. See http://www.w3.org/TR/cors/#terminology
    • DEFAULT_ALLOWED_ORIGINS

      public static final String DEFAULT_ALLOWED_ORIGINS
      By default, all origins are allowed to make requests.
    • DEFAULT_ALLOWED_HTTP_METHODS

      public static final String DEFAULT_ALLOWED_HTTP_METHODS
      By default, the following methods are supported: GET, POST, HEAD and OPTIONS.
    • DEFAULT_PREFLIGHT_MAXAGE

      public static final String DEFAULT_PREFLIGHT_MAXAGE
      By default, the pre-flight response is cached for 30 minutes.
    • DEFAULT_SUPPORTS_CREDENTIALS

      public static final String DEFAULT_SUPPORTS_CREDENTIALS
      By default, support for credentials is turned on.
    • DEFAULT_ALLOWED_HTTP_HEADERS

      public static final String DEFAULT_ALLOWED_HTTP_HEADERS
      By default, the following headers are supported: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method and Access-Control-Request-Headers.
    • DEFAULT_EXPOSED_HEADERS

      public static final String DEFAULT_EXPOSED_HEADERS
      By default, no headers are exposed in the response.
    • DEFAULT_LOGGING_ENABLED

      public static final String DEFAULT_LOGGING_ENABLED
      By default, access log logging is turned off.
    • DEFAULT_DECORATE_REQUEST

      public static final String DEFAULT_DECORATE_REQUEST
      By default, the request is decorated with CORS attributes.
    • PARAM_CORS_ALLOWED_ORIGINS

      public static final String PARAM_CORS_ALLOWED_ORIGINS
      Key to retrieve allowed origins from FilterConfig.
    • PARAM_CORS_SUPPORT_CREDENTIALS

      public static final String PARAM_CORS_SUPPORT_CREDENTIALS
      Key to retrieve support credentials from FilterConfig.
    • PARAM_CORS_EXPOSED_HEADERS

      public static final String PARAM_CORS_EXPOSED_HEADERS
      Key to retrieve exposed headers from FilterConfig.
    • PARAM_CORS_ALLOWED_HEADERS

      public static final String PARAM_CORS_ALLOWED_HEADERS
      Key to retrieve allowed headers from FilterConfig.
    • PARAM_CORS_ALLOWED_METHODS

      public static final String PARAM_CORS_ALLOWED_METHODS
      Key to retrieve allowed methods from FilterConfig.
    • PARAM_CORS_PREFLIGHT_MAXAGE

      public static final String PARAM_CORS_PREFLIGHT_MAXAGE
      Key to retrieve preflight max age from FilterConfig.
    • PARAM_CORS_LOGGING_ENABLED

      public static final String PARAM_CORS_LOGGING_ENABLED
      Key to retrieve the access log logging flag.
    • PARAM_CORS_REQUEST_DECORATE

      public static final String PARAM_CORS_REQUEST_DECORATE
      Key to determine if the request should be decorated.
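The PARAM_CORS_* keys above are read from the FilterConfig, so the filter can be registered and configured programmatically. The listener below is an added example, not part of Para or of this class: it registers CORSFilter through the Servlet 3.0 FilterRegistration API and replaces the documented defaults (every origin allowed, credential support on) with an explicit origin allow-list. The origins, the /v1/* pattern and the max-age value are hypothetical; that a comma-separated list is the accepted format for origins and headers, and that the string "true" is the accepted form for the boolean parameters, are assumptions made here.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import com.erudika.para.server.utils.filters.CORSFilter;

/**
 * Registers CORSFilter with an explicit configuration instead of relying on
 * the documented defaults (every origin allowed, credentials supported).
 */
@WebListener
public class CorsRegistration implements ServletContextListener {

    // Hypothetical front-end origins; a comma-separated list is assumed to be the accepted format.
    static final String TRUSTED_ORIGINS = "https://app.example.com,https://admin.example.com";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        FilterRegistration.Dynamic cors = ctx.addFilter("corsFilter", CORSFilter.class);
        if (cors == null) {
            return;                     // already registered, e.g. via web.xml
        }

        // Equivalent of the documented defaults, kept only for contrast:
        //   cors.setInitParameter(CORSFilter.PARAM_CORS_ALLOWED_ORIGINS, CORSFilter.DEFAULT_ALLOWED_ORIGINS);
        //   cors.setInitParameter(CORSFilter.PARAM_CORS_SUPPORT_CREDENTIALS, CORSFilter.DEFAULT_SUPPORTS_CREDENTIALS);
        // With those two together the origin check admits any site while cookies and
        // other credentials may be attached, so the allow-list below is made explicit.

        cors.setInitParameter(CORSFilter.PARAM_CORS_ALLOWED_ORIGINS, TRUSTED_ORIGINS);
        // "true" is assumed to be the accepted string form of the boolean parameters.
        cors.setInitParameter(CORSFilter.PARAM_CORS_SUPPORT_CREDENTIALS, "true");
        cors.setInitParameter(CORSFilter.PARAM_CORS_ALLOWED_METHODS, "GET,POST,PUT,DELETE,OPTIONS");
        // Documented default header list plus Authorization for token-based clients.
        cors.setInitParameter(CORSFilter.PARAM_CORS_ALLOWED_HEADERS,
                CORSFilter.DEFAULT_ALLOWED_HTTP_HEADERS + ",Authorization");
        // Documented default: expose no additional response headers.
        cors.setInitParameter(CORSFilter.PARAM_CORS_EXPOSED_HEADERS, CORSFilter.DEFAULT_EXPOSED_HEADERS);
        // Preflight cache of ten minutes, in seconds (value chosen for this example).
        cors.setInitParameter(CORSFilter.PARAM_CORS_PREFLIGHT_MAXAGE, "600");
        // Keep decoration on so downstream filters can read cors.request.type etc.
        cors.setInitParameter(CORSFilter.PARAM_CORS_REQUEST_DECORATE, "true");
        cors.setInitParameter(CORSFilter.PARAM_CORS_LOGGING_ENABLED, "true");

        // Hypothetical API prefix; applied to direct client requests only, mapped first.
        cors.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/v1/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

The mapping is added with isMatchAfter=false so that CORSFilter runs before any filter declared in the deployment descriptor; the request attributes it sets are then already present for those filters.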
  • Constructor Details

    • CORSFilter

      public CORSFilter()
      No-args constructor.
  • Method Details

    • doFilter

      public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain) throws IOException, javax.servlet.ServletException
      Specified by:
      doFilter in interface javax.servlet.Filter
      Throws:
      IOException
      javax.servlet.ServletException
    • init

      public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException
      Specified by:
      init in interface javax.servlet.Filter
      Throws:
      javax.servlet.ServletException
    • handleSimpleCORS

      public void handleSimpleCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws IOException, javax.servlet.ServletException
      Handles a CORS request of type CORSFilter.CORSRequestType.SIMPLE.
      Parameters:
      request - The HttpServletRequest object.
      response - The HttpServletResponse object.
      filterChain - The FilterChain object.
      Throws:
      IOException - ex
      javax.servlet.ServletException - ex
    • handlePreflightCORS

      public void handlePreflightCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws IOException, javax.servlet.ServletException
      Handles CORS pre-flight request.
      Parameters:
      request - The HttpServletRequest object.
      response - The HttpServletResponse object.
      filterChain - The FilterChain object.
      Throws:
      IOException - ex
      javax.servlet.ServletException - ex
    • handleNonCORS

      public void handleNonCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws IOException, javax.servlet.ServletException
      Handles a request that is not a CORS request but is a valid request, i.e. it is not a cross-origin request. This implementation just forwards the request down the filter chain.
      Parameters:
      request - The HttpServletRequest object.
      response - The HttpServletResponse object.
      filterChain - The FilterChain object.
      Throws:
      IOException - ex
      javax.servlet.ServletException - ex
    • handleInvalidCORS

      public void handleInvalidCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain)
      Handles a CORS request that violates specification.
      Parameters:
      request - The HttpServletRequest object.
      response - The HttpServletResponse object.
      filterChain - The FilterChain object.
    • destroy

      public void destroy()
      Specified by:
      destroy in interface javax.servlet.Filter
    • decorateCORSProperties

      public static void decorateCORSProperties(javax.servlet.http.HttpServletRequest request, CORSFilter.CORSRequestType corsRequestType)
      Decorates the HttpServletRequest, with CORS attributes.
      • cors.isCorsRequest: Flag to determine if request is a CORS request. Set to true if CORS request; false otherwise.
      • cors.request.origin: The Origin URL.
      • cors.request.type: Type of request. Values: simple or preflight or not_cors or invalid_cors
      • cors.request.headers: Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.
      Parameters:
      request - The HttpServletRequest object.
      corsRequestType - The CORSFilter.CORSRequestType object.
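The attributes listed here (and in the class description above) are what downstream code keys on. The filter below is an added example, not part of Para: mapped after CORSFilter, it reads the attributes through the HTTP_REQUEST_ATTRIBUTE_* constants, writes one audit line per cross-origin request, and refuses cross-origin requests to a hypothetical /admin/ path that is only meant to be used same-origin. Treating a missing attribute as "not CORS" and normalising the type value with String.valueOf are this example's own choices, not behaviour the page states.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.erudika.para.server.utils.filters.CORSFilter;

/**
 * Consumer of the attributes that CORSFilter.decorateCORSProperties sets.
 * Map this filter after CORSFilter so the attributes are already present.
 */
public class CorsAwareAdminGuard implements Filter {

    // Hypothetical path prefix that is only ever used same-origin.
    static final String ADMIN_PREFIX = "/admin/";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // cors.isCorsRequest is a Boolean; it is absent when request decoration is
        // turned off, and a missing attribute is treated as "not CORS" here.
        boolean isCors = Boolean.TRUE.equals(
                request.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST));

        // cors.request.type is documented with the values simple, preflight, not_cors,
        // invalid_cors; String.valueOf also covers an enum constant being stored.
        Object typeAttr = request.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE);
        String type = typeAttr == null ? "not_cors"
                : String.valueOf(typeAttr).toLowerCase(Locale.ROOT);

        Object originAttr = request.getAttribute(CORSFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN);
        String origin = originAttr == null ? "-" : String.valueOf(originAttr);

        if (isCors) {
            // One audit record per cross-origin request, taken from the attributes
            // rather than re-parsing the Origin header.
            request.getServletContext().log("CORS type=" + type + " method=" + request.getMethod()
                    + " uri=" + request.getRequestURI() + " origin=" + origin);
        }

        if (isCors && request.getRequestURI().startsWith(ADMIN_PREFIX)) {
            // The admin area is same-origin only: anything marked cross-origin is refused,
            // whatever its type, before it reaches the servlet.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "cross-origin access to " + ADMIN_PREFIX + " is not allowed");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

In an application deployed under a non-empty context path, compare against getServletPath() (or strip getContextPath() first) instead of the raw request URI; the prefix check above assumes the root context.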
    • join

      public static String join(Collection<String> elements, String joinSeparator)
      Joins the elements of a Set into a string, where each element is separated by the provided separator.
      Parameters:
      elements - The Set containing the elements to join together.
      joinSeparator - The character to be used for separating elements.
      Returns:
      The joined String; null if the elements Set is null.
    • checkRequestType

      public CORSFilter.CORSRequestType checkRequestType(javax.servlet.http.HttpServletRequest request)
      Determines the request type.
      Parameters:
      request - The HttpServletRequest object.
      Returns:
      CORS request type
    • isValidOrigin

      public static boolean isValidOrigin(String origin)
      Checks if a given origin is valid or not. Criteria:
      • If an encoded character is present in origin, it's not valid.
      • Origin should be a valid URI.
      Parameters:
      origin - origin
      Returns:
      boolean
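The two criteria listed for isValidOrigin, together with the request types that checkRequestType returns (simple, preflight, not_cors, invalid_cors), can be exercised without a servlet container. The classifier below is an added example written for this page, not CORSFilter's own code: it works on a method name and a header map, applies the page's two origin criteria plus a scheme-and-host requirement added here, and decides SIMPLE by method and Content-Type only, since a server cannot tell author-set headers from browser-added ones. The enum value ACTUAL for non-simple cross-origin requests, the simple-method and simple-Content-Type sets (taken from the W3C terminology section the page links), and all sample requests are this example's own.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

/**
 * Stand-alone classifier mirroring what checkRequestType and isValidOrigin
 * describe. It takes a method name plus a header map so it can be run and
 * unit-tested without a servlet container. Not CORSFilter's own code.
 */
public final class CorsRequestClassifier {

    /** The four types named on the page, plus ACTUAL (assumed here) for non-simple cross-origin requests. */
    public enum RequestType { SIMPLE, ACTUAL, PREFLIGHT, NOT_CORS, INVALID_CORS }

    // Simple methods and simple Content-Type values from the W3C CORS terminology section.
    private static final Set<String> SIMPLE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "POST"));
    private static final Set<String> SIMPLE_CONTENT_TYPES = new HashSet<>(Arrays.asList(
            "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"));

    /** The page's two criteria (no encoded character, must be a URI) plus a scheme/host requirement added here. */
    public static boolean isValidOrigin(String origin) {
        if (origin == null || origin.contains("%")) {
            return false;                       // percent-encoding in an Origin is never legitimate
        }
        try {
            URI uri = new URI(origin);
            // Added tightening: a relative reference such as "evil", or the literal "null"
            // origin of a sandboxed document, parses as a URI but has no scheme/host.
            return uri.getScheme() != null && uri.getHost() != null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static RequestType classify(String method, Map<String, String> headers) {
        Map<String, String> h = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        h.putAll(headers);
        String origin = h.get("Origin");
        if (origin == null) {
            return RequestType.NOT_CORS;        // same-origin navigation or a non-browser client
        }
        if (!isValidOrigin(origin)) {
            return RequestType.INVALID_CORS;
        }
        String m = method.toUpperCase(Locale.ROOT);
        if ("OPTIONS".equals(m) && h.containsKey("Access-Control-Request-Method")) {
            return RequestType.PREFLIGHT;       // browser asking permission before a non-simple request
        }
        if (!SIMPLE_METHODS.contains(m)) {
            return RequestType.ACTUAL;          // PUT, DELETE, PATCH, ...: a preflight should have preceded this
        }
        if ("POST".equals(m)) {
            // Only the media type counts; parameters such as "; charset=utf-8" are ignored.
            String ct = h.get("Content-Type");
            String mediaType = ct == null ? "" : ct.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
            return SIMPLE_CONTENT_TYPES.contains(mediaType) ? RequestType.SIMPLE : RequestType.ACTUAL;
        }
        return RequestType.SIMPLE;              // GET or HEAD
    }

    private static Map<String, String> headers(String... kv) {
        Map<String, String> m = new LinkedHashMap<>();
        for (int i = 0; i + 1 < kv.length; i += 2) {
            m.put(kv[i], kv[i + 1]);
        }
        return m;
    }

    // Constructed sample requests covering each branch of the classifier.
    public static void main(String[] args) {
        // same-origin: no Origin header at all
        System.out.println(classify("GET", headers("Host", "api.example.com")));
        // cross-origin GET
        System.out.println(classify("GET", headers("Origin", "https://app.example.com")));
        // cross-origin POST with a simple media type and a charset parameter
        System.out.println(classify("POST", headers("Origin", "https://app.example.com",
                "Content-Type", "text/plain; charset=utf-8")));
        // cross-origin POST with a non-simple media type
        System.out.println(classify("POST", headers("Origin", "https://app.example.com",
                "Content-Type", "application/json")));
        // preflight for a PUT
        System.out.println(classify("OPTIONS", headers("Origin", "https://app.example.com",
                "Access-Control-Request-Method", "PUT")));
        // Origin containing a percent-encoded character
        System.out.println(classify("GET", headers("Origin", "https://app.example.com%2F.evil.test")));
        // the literal "null" origin, rejected by the added scheme/host requirement
        System.out.println(classify("GET", headers("Origin", "null")));
    }
}
```

The case-insensitive TreeMap matters: header names arrive in whatever case the client chose, and a classifier that missed a lower-case "origin" would wrongly treat a cross-origin request as same-origin.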
    • isLoggingEnabled

      public boolean isLoggingEnabled()
      Determines if logging is enabled or not.
      Returns:
      true if it's enabled; false otherwise.
    • isAnyOriginAllowed

      public boolean isAnyOriginAllowed()
      Determines if any origin is allowed to make CORS requests.
      Returns:
      true if it's enabled; false otherwise.
    • getExposedHeaders

      public Collection<String> getExposedHeaders()
      Returns a Set of headers that should be exposed by the browser.
      Returns:
      list
    • isSupportsCredentials

      public boolean isSupportsCredentials()
      Determines if support for credentials is enabled.
      Returns:
      boolean
    • getPreflightMaxAge

      public long getPreflightMaxAge()
      Returns the preflight response cache time in seconds.
      Returns:
      Time to cache in seconds.
    • getAllowedOrigins

      public Collection<String> getAllowedOrigins()
      Returns the Set of origins that are allowed to make requests.
      Returns:
      Set
    • getAllowedHttpMethods

      public Collection<String> getAllowedHttpMethods()
      Returns a Set of HTTP methods that are allowed to make requests.
      Returns:
      Set
    • getAllowedHttpHeaders

      public Collection<String> getAllowedHttpHeaders()
      Returns a Set of headers supported by the resource.
      Returns:
      Set