Class CrossOriginFilter

java.lang.Object
org.eclipse.jetty.servlets.CrossOriginFilter
All Implemented Interfaces:
javax.servlet.Filter
public class CrossOriginFilter extends Object implements javax.servlet.Filter
Implementation of the cross-origin resource sharing.

A typical example is to use this filter to allow cross-domain cometd communication using the standard long polling transport instead of the JSONP transport (that is less efficient and less reactive to failures).

This filter allows the following configuration parameters:

allowedOrigins
a comma separated list of origins that are allowed to access the resources. Default value is *, meaning all origins. Note that using wild cards can result in security problems for requests identifying hosts that do not exist.

If an allowed origin contains one or more * characters (for example http://*.domain.com), then "*" characters are converted to ".*", "." characters are escaped to "\." and the resulting allowed origin interpreted as a regular expression.

Allowed origins can therefore be more complex expressions such as https?://*.domain.[a-z]{3} that matches http or https, multiple subdomains and any 3 letter top-level domain (.com, .net, .org, etc.).

allowedTimingOrigins
a comma separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins.

The check whether the timing header is set, will be performed only if the user gets general access to the resource using the allowedOrigins.

allowedMethods
a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST,HEAD
allowedHeaders
a comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single "*", this means that any headers will be accepted.
preflightMaxAge
the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes
allowCredentials
a boolean indicating if the resource allows requests with credentials. Default value is true
exposedHeaders
a comma separated list of HTTP headers that are allowed to be exposed on the client. Default value is the empty list
chainPreflight
if true preflight requests are chained to their target resource for normal handling (as an OPTION request). Otherwise the filter will response to the preflight. Default is true.
A typical configuration could be: 
<web-app ...>
    ...
    <filter>
        <filter-name>cross-origin</filter-name>
        <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>cross-origin</filter-name>
        <url-pattern>/cometd/*</url-pattern>
    </filter-mapping>
    ...
</web-app>

  • Field Details

    • LOG

      private static final Logger LOG

    • ORIGIN_HEADER

      private static final String ORIGIN_HEADER
      See Also:

    • ACCESS_CONTROL_REQUEST_METHOD_HEADER

      public static final String ACCESS_CONTROL_REQUEST_METHOD_HEADER
      See Also:

    • ACCESS_CONTROL_REQUEST_HEADERS_HEADER

      public static final String ACCESS_CONTROL_REQUEST_HEADERS_HEADER
      See Also:

    • ACCESS_CONTROL_ALLOW_ORIGIN_HEADER

      public static final String ACCESS_CONTROL_ALLOW_ORIGIN_HEADER
      See Also:

    • ACCESS_CONTROL_ALLOW_METHODS_HEADER

      public static final String ACCESS_CONTROL_ALLOW_METHODS_HEADER
      See Also:

    • ACCESS_CONTROL_ALLOW_HEADERS_HEADER

      public static final String ACCESS_CONTROL_ALLOW_HEADERS_HEADER
      See Also:

    • ACCESS_CONTROL_MAX_AGE_HEADER

      public static final String ACCESS_CONTROL_MAX_AGE_HEADER
      See Also:

    • ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER

      public static final String ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER
      See Also:

    • ACCESS_CONTROL_EXPOSE_HEADERS_HEADER

      public static final String ACCESS_CONTROL_EXPOSE_HEADERS_HEADER
      See Also:

    • TIMING_ALLOW_ORIGIN_HEADER

      public static final String TIMING_ALLOW_ORIGIN_HEADER
      See Also:

    • ALLOWED_ORIGINS_PARAM

      public static final String ALLOWED_ORIGINS_PARAM
      See Also:

    • ALLOWED_TIMING_ORIGINS_PARAM

      public static final String ALLOWED_TIMING_ORIGINS_PARAM
      See Also:

    • ALLOWED_METHODS_PARAM

      public static final String ALLOWED_METHODS_PARAM
      See Also:

    • ALLOWED_HEADERS_PARAM

      public static final String ALLOWED_HEADERS_PARAM
      See Also:

    • PREFLIGHT_MAX_AGE_PARAM

      public static final String PREFLIGHT_MAX_AGE_PARAM
      See Also:

    • ALLOW_CREDENTIALS_PARAM

      public static final String ALLOW_CREDENTIALS_PARAM
      See Also:

    • EXPOSED_HEADERS_PARAM

      public static final String EXPOSED_HEADERS_PARAM
      See Also:

    • OLD_CHAIN_PREFLIGHT_PARAM

      public static final String OLD_CHAIN_PREFLIGHT_PARAM
      See Also:

    • CHAIN_PREFLIGHT_PARAM

      public static final String CHAIN_PREFLIGHT_PARAM
      See Also:

    • ANY_ORIGIN

      private static final String ANY_ORIGIN
      See Also:

    • DEFAULT_ALLOWED_ORIGINS

      private static final String DEFAULT_ALLOWED_ORIGINS
      See Also:

    • DEFAULT_ALLOWED_TIMING_ORIGINS

      private static final String DEFAULT_ALLOWED_TIMING_ORIGINS
      See Also:

    • SIMPLE_HTTP_METHODS

      private static final List<String> SIMPLE_HTTP_METHODS

    • DEFAULT_ALLOWED_METHODS

      private static final List<String> DEFAULT_ALLOWED_METHODS

    • DEFAULT_ALLOWED_HEADERS

      private static final List<String> DEFAULT_ALLOWED_HEADERS

    • anyOriginAllowed

      private boolean anyOriginAllowed

    • anyTimingOriginAllowed

      private boolean anyTimingOriginAllowed

    • anyHeadersAllowed

      private boolean anyHeadersAllowed

    • allowedOrigins

      private Set<String> allowedOrigins

    • allowedOriginPatterns

      private List<Pattern> allowedOriginPatterns

    • allowedTimingOrigins

      private Set<String> allowedTimingOrigins

    • allowedTimingOriginPatterns

      private List<Pattern> allowedTimingOriginPatterns

    • allowedMethods

      private List<String> allowedMethods

    • allowedHeaders

      private List<String> allowedHeaders

    • exposedHeaders

      private List<String> exposedHeaders

    • preflightMaxAge

      private int preflightMaxAge

    • allowCredentials

      private boolean allowCredentials

    • chainPreflight

      private boolean chainPreflight

  • Constructor Details

    • CrossOriginFilter

      public CrossOriginFilter()

  • Method Details

    • init

      public void init(javax.servlet.FilterConfig config) throws javax.servlet.ServletException
      Specified by:
      init in interface javax.servlet.Filter
      Throws:
      javax.servlet.ServletException

    • generateAllowedOrigins

      private boolean generateAllowedOrigins(Set<String> allowedOriginStore, List<Pattern> allowedOriginPatternStore, String allowedOriginsConfig, String defaultOrigin)

    • doFilter

      public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
      Specified by:
      doFilter in interface javax.servlet.Filter
      Throws:
      IOException
      javax.servlet.ServletException

    • handle

      private void handle(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
      Throws:
      IOException
      javax.servlet.ServletException

    • isEnabled

      protected boolean isEnabled(javax.servlet.http.HttpServletRequest request)

    • originMatches

      private boolean originMatches(Set<String> allowedOrigins, List<Pattern> allowedOriginPatterns, String originList)

    • parseAllowedWildcardOriginToRegex

      private String parseAllowedWildcardOriginToRegex(String allowedOrigin)

    • isSimpleRequest

      private boolean isSimpleRequest(javax.servlet.http.HttpServletRequest request)

    • isPreflightRequest

      private boolean isPreflightRequest(javax.servlet.http.HttpServletRequest request)

    • handleSimpleResponse

      private void handleSimpleResponse(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String origin)

    • handlePreflightResponse

      private void handlePreflightResponse(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String origin)

    • isMethodAllowed

      private boolean isMethodAllowed(javax.servlet.http.HttpServletRequest request)

    • getAccessControlRequestHeaders

      private List<String> getAccessControlRequestHeaders(javax.servlet.http.HttpServletRequest request)

    • areHeadersAllowed

      private boolean areHeadersAllowed(List<String> requestedHeaders)

    • commify

      private String commify(List<String> strings)

    • destroy

      public void destroy()
      Specified by:
      destroy in interface javax.servlet.Filter