java.lang.Object
com.erudika.para.server.utils.filters.CORSFilter
- All Implemented Interfaces:
javax.servlet.Filter
A Filter
that enable client-side cross-origin requests by implementing W3C's CORS (Cross-Origin
Resource
Sharing) specification for resources. Each HttpServletRequest
request is inspected as per
specification, and appropriate response headers are added to HttpServletResponse
.
- cors.isCorsRequest: Flag to determine if request is a CORS request. Set to
true
if CORS request;false
otherwise. - cors.request.origin: The Origin URL.
- cors.request.type: Type of request. Values:
simple
orpreflight
ornot_cors
orinvalid_cors
- cors.request.headers: Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.
- Author:
- Mohit Soni
- See Also:
-
Nested Class Summary
Modifier and TypeClassDescriptionstatic enum
Enumerates varies types of CORS requests. -
Field Summary
Modifier and TypeFieldDescriptionstatic final Collection
<String> Collection
of non-simple HTTP methods.static final String
By default, following headers are supported: Origin,Accept,X-Requested-With, Content-Type, Access-Control-Request-Method, and Access-Control-Request-Headers.static final String
By default, following methods are supported: GET, POST, HEAD and OPTIONS.static final String
By default, all origins are allowed to make requests.static final String
By default, request is decorated with CORS attributes.static final String
By default, none of the headers are exposed in response.static final String
By default, access log logging is turned off.static final String
By default, time duration to cache pre-flight response is 30 mins.static final String
By default, support credentials is turned on.static final Collection
<String> Collection
of HTTP methods.static final String
Boolean value, suggesting if the request is a CORS request or not.static final String
Attribute that contains the origin of the request.static final String
The prefix to a CORS request attribute.static final String
Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.static final String
Type of CORS request, of typeCORSFilter.CORSRequestType
.static final String
Key to retrieve allowed headers fromFilterConfig
.static final String
Key to retrieve allowed methods fromFilterConfig
.static final String
Key to retrieve allowed origins fromFilterConfig
.static final String
Key to retrieve exposed headers fromFilterConfig
.static final String
Key to retrieve access log logging flag.static final String
Key to retrieve preflight max age fromFilterConfig
.static final String
Key to determine if request should be decorated.static final String
Key to retrieve support credentials fromFilterConfig
.static final String
The Access-Control-Request-Headers header indicates which headers will be used in the actual request as part of the preflight request.static final String
The Access-Control-Request-Method header indicates which method will be used in the actual request as part of the preflight request.static final String
The Origin header indicates where the cross-origin request or preflight request originates from.static final String
The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the omit credentials flag is unset.static final String
The Access-Control-Allow-Headers header indicates, as part of the response to a preflight request, which header field names can be used during the actual request.static final String
The Access-Control-Allow-Methods header indicates, as part of the response to a preflight request, which methods can be used during the actual request.static final String
The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header in the response.static final String
The Access-Control-Expose-Headers header indicates which headers are safe to expose to the API of a CORS API specification.static final String
The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached in a preflight result cache.static final Collection
<String> Collection
of Simple HTTP methods.static final Collection
<String> Collection
of Simple HTTP request headers.static final Collection
<String> Collection
of Simple HTTP request headers.static final Collection
<String> Collection
of Simple HTTP request headers. -
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptioncheckRequestType
(javax.servlet.http.HttpServletRequest request) Determines the request type.static void
decorateCORSProperties
(javax.servlet.http.HttpServletRequest request, CORSFilter.CORSRequestType corsRequestType) Decorates theHttpServletRequest
, with CORS attributes.void
destroy()
void
doFilter
(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain) Returns aSet
of headers support by resource.Returns aSet
of HTTP methods that are allowed to make requests.Returns theSet
of allowed origins that are allowed to make requests.Returns aSet
of headers that should be exposed by browser.long
Returns the preflight response cache time in seconds.void
handleInvalidCORS
(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) Handles a CORS request that violates specification.void
handleNonCORS
(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) Handles a request, that's not a CORS request, but is a valid request i.e.void
handlePreflightCORS
(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) Handles CORS pre-flight request.void
handleSimpleCORS
(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) Handles a CORS request of typeCORSFilter.CORSRequestType
.SIMPLE.void
init
(javax.servlet.FilterConfig filterConfig) boolean
Determines if any origin is allowed to make CORS request.boolean
Determines if logging is enabled or not.boolean
Determines is supports credentials is enabled.static boolean
isValidOrigin
(String origin) Checks if a given origin is valid or not.static String
join
(Collection<String> elements, String joinSeparator) Joins elements ofSet
into a string, where each element is separated by the provided separator.
-
Field Details
-
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header in the response.- See Also:
-
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS
The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.- See Also:
-
RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS
The Access-Control-Expose-Headers header indicates which headers are safe to expose to the API of a CORS API specification.- See Also:
-
RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE
The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached in a preflight result cache.- See Also:
-
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS
The Access-Control-Allow-Methods header indicates, as part of the response to a preflight request, which methods can be used during the actual request.- See Also:
-
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS
The Access-Control-Allow-Headers header indicates, as part of the response to a preflight request, which header field names can be used during the actual request.- See Also:
-
REQUEST_HEADER_ORIGIN
The Origin header indicates where the cross-origin request or preflight request originates from.- See Also:
-
REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD
The Access-Control-Request-Method header indicates which method will be used in the actual request as part of the preflight request.- See Also:
-
REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS
The Access-Control-Request-Headers header indicates which headers will be used in the actual request as part of the preflight request.- See Also:
-
HTTP_REQUEST_ATTRIBUTE_PREFIX
The prefix to a CORS request attribute.- See Also:
-
HTTP_REQUEST_ATTRIBUTE_ORIGIN
Attribute that contains the origin of the request.- See Also:
-
HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST
Boolean value, suggesting if the request is a CORS request or not.- See Also:
-
HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE
Type of CORS request, of typeCORSFilter.CORSRequestType
.- See Also:
-
HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS
Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.- See Also:
-
HTTP_METHODS
Collection
of HTTP methods. Case sensitive. see http://tools.ietf.org/html/rfc2616#section-5.1.1 -
COMPLEX_HTTP_METHODS
Collection
of non-simple HTTP methods. Case sensitive. -
SIMPLE_HTTP_METHODS
Collection
of Simple HTTP methods. Case sensitive. see http://www.w3.org/TR/cors/#terminology -
SIMPLE_HTTP_REQUEST_HEADERS
Collection
of Simple HTTP request headers. Case in-sensitive. see http://www.w3.org/TR/cors/#terminology -
SIMPLE_HTTP_RESPONSE_HEADERS
Collection
of Simple HTTP request headers. Case in-sensitive. see http://www.w3.org/TR/cors/#terminology -
SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
Collection
of Simple HTTP request headers. Case in-sensitive. see http://www.w3.org/TR/cors/#terminology -
DEFAULT_ALLOWED_ORIGINS
By default, all origins are allowed to make requests.- See Also:
-
DEFAULT_ALLOWED_HTTP_METHODS
By default, following methods are supported: GET, POST, HEAD and OPTIONS.- See Also:
-
DEFAULT_PREFLIGHT_MAXAGE
By default, time duration to cache pre-flight response is 30 mins.- See Also:
-
DEFAULT_SUPPORTS_CREDENTIALS
By default, support credentials is turned on.- See Also:
-
DEFAULT_ALLOWED_HTTP_HEADERS
By default, following headers are supported: Origin,Accept,X-Requested-With, Content-Type, Access-Control-Request-Method, and Access-Control-Request-Headers.- See Also:
-
DEFAULT_EXPOSED_HEADERS
By default, none of the headers are exposed in response.- See Also:
-
DEFAULT_LOGGING_ENABLED
By default, access log logging is turned off.- See Also:
-
DEFAULT_DECORATE_REQUEST
By default, request is decorated with CORS attributes.- See Also:
-
PARAM_CORS_ALLOWED_ORIGINS
Key to retrieve allowed origins fromFilterConfig
.- See Also:
-
PARAM_CORS_SUPPORT_CREDENTIALS
Key to retrieve support credentials fromFilterConfig
.- See Also:
-
PARAM_CORS_EXPOSED_HEADERS
Key to retrieve exposed headers fromFilterConfig
.- See Also:
-
PARAM_CORS_ALLOWED_HEADERS
Key to retrieve allowed headers fromFilterConfig
.- See Also:
-
PARAM_CORS_ALLOWED_METHODS
Key to retrieve allowed methods fromFilterConfig
.- See Also:
-
PARAM_CORS_PREFLIGHT_MAXAGE
Key to retrieve preflight max age fromFilterConfig
.- See Also:
-
PARAM_CORS_LOGGING_ENABLED
Key to retrieve access log logging flag.- See Also:
-
PARAM_CORS_REQUEST_DECORATE
Key to determine if request should be decorated.- See Also:
-
-
Constructor Details
-
CORSFilter
public CORSFilter()No-args constructor.
-
-
Method Details
-
doFilter
public void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain) throws IOException, javax.servlet.ServletException - Specified by:
doFilter
in interfacejavax.servlet.Filter
- Throws:
IOException
javax.servlet.ServletException
-
init
public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException - Specified by:
init
in interfacejavax.servlet.Filter
- Throws:
javax.servlet.ServletException
-
handleSimpleCORS
public void handleSimpleCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws IOException, javax.servlet.ServletException Handles a CORS request of typeCORSFilter.CORSRequestType
.SIMPLE.- Parameters:
request
- TheHttpServletRequest
object.response
- TheHttpServletResponse
object.filterChain
- TheFilterChain
object.- Throws:
IOException
- exjavax.servlet.ServletException
- ex- See Also:
-
handlePreflightCORS
public void handlePreflightCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws IOException, javax.servlet.ServletException Handles CORS pre-flight request.- Parameters:
request
- TheHttpServletRequest
object.response
- TheHttpServletResponse
object.filterChain
- TheFilterChain
object.- Throws:
IOException
- exjavax.servlet.ServletException
- ex
-
handleNonCORS
public void handleNonCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws IOException, javax.servlet.ServletException Handles a request, that's not a CORS request, but is a valid request i.e. it is not a cross-origin request. This implementation, just forwards the request down the filter chain.- Parameters:
request
- TheHttpServletRequest
object.response
- TheHttpServletResponse
object.filterChain
- TheFilterChain
object.- Throws:
IOException
- exjavax.servlet.ServletException
- ex
-
handleInvalidCORS
public void handleInvalidCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) Handles a CORS request that violates specification.- Parameters:
request
- TheHttpServletRequest
object.response
- TheHttpServletResponse
object.filterChain
- TheFilterChain
object.
-
destroy
public void destroy()- Specified by:
destroy
in interfacejavax.servlet.Filter
-
decorateCORSProperties
public static void decorateCORSProperties(javax.servlet.http.HttpServletRequest request, CORSFilter.CORSRequestType corsRequestType) Decorates theHttpServletRequest
, with CORS attributes.- cors.isCorsRequest: Flag to determine if request is a CORS request. Set to
true
if CORS request;false
otherwise. - cors.request.origin: The Origin URL.
- cors.request.type: Type of request. Values:
simple
orpreflight
ornot_cors
orinvalid_cors
- cors.request.headers: Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.
- Parameters:
request
- TheHttpServletRequest
object.corsRequestType
- TheCORSFilter.CORSRequestType
object.
- cors.isCorsRequest: Flag to determine if request is a CORS request. Set to
-
join
Joins elements ofSet
into a string, where each element is separated by the provided separator. -
checkRequestType
Determines the request type.- Parameters:
request
- req- Returns:
- CORS request type
-
isValidOrigin
Checks if a given origin is valid or not. Criteria:- If an encoded character is present in origin, it's not valid.
- Origin should be a valid
URI
- Parameters:
origin
- origin- Returns:
- boolean
- See Also:
-
isLoggingEnabled
public boolean isLoggingEnabled()Determines if logging is enabled or not.- Returns:
true
if it's enabled; false otherwise.
-
isAnyOriginAllowed
public boolean isAnyOriginAllowed()Determines if any origin is allowed to make CORS request.- Returns:
true
if it's enabled; false otherwise.
-
getExposedHeaders
Returns aSet
of headers that should be exposed by browser.- Returns:
- list
-
isSupportsCredentials
public boolean isSupportsCredentials()Determines is supports credentials is enabled.- Returns:
- boolean
-
getPreflightMaxAge
public long getPreflightMaxAge()Returns the preflight response cache time in seconds.- Returns:
- Time to cache in seconds.
-
getAllowedOrigins
Returns theSet
of allowed origins that are allowed to make requests.- Returns:
Set
-
getAllowedHttpMethods
Returns aSet
of HTTP methods that are allowed to make requests.- Returns:
Set
-
getAllowedHttpHeaders
Returns aSet
of headers support by resource.- Returns:
Set
-