Class CrossOriginFilter

java.lang.Object
org.eclipse.jetty.ee11.servlets.CrossOriginFilter
All Implemented Interfaces:
jakarta.servlet.Filter
@Deprecated(since="12.0.6", forRemoval=true) public class CrossOriginFilter extends Object implements jakarta.servlet.Filter
Deprecated, for removal: This API element is subject to removal in a future version.
Use CrossOriginHandler instead
Implementation of the cross-origin resource sharing.

A typical example is to use this filter to allow cross-domain cometd communication using the standard long polling transport instead of the JSONP transport (that is less efficient and less reactive to failures).

This filter allows the following configuration parameters:

allowedOrigins
a comma separated list of origins that are allowed to access the resources. Default value is *, meaning all origins. Note that using wild cards can result in security problems for requests identifying hosts that do not exist.

If an allowed origin contains one or more * characters (for example http://*.domain.com), then "*" characters are converted to ".*", "." characters are escaped to "\." and the resulting allowed origin interpreted as a regular expression.

Allowed origins can therefore be more complex expressions such as https?://*.domain.[a-z]{3} that matches http or https, multiple subdomains and any 3 letter top-level domain (.com, .net, .org, etc.).

allowedTimingOrigins
a comma separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins.

The check whether the timing header is set, will be performed only if the user gets general access to the resource using the allowedOrigins.

allowedMethods
a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST,HEAD
allowedHeaders
a comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single "*", this means that any headers will be accepted.
preflightMaxAge
the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes
allowCredentials
a boolean indicating if the resource allows requests with credentials. Default value is true
exposedHeaders
a comma separated list of HTTP headers that are allowed to be exposed on the client. Default value is the empty list
chainPreflight
if true preflight requests are chained to their target resource for normal handling (as an OPTION request). Otherwise the filter will response to the preflight. Default is true.
A typical configuration could be: 
<web-app ...>
    ...
    <filter>
        <filter-name>cross-origin</filter-name>
        <filter-class>org.eclipse.jetty.ee11.servlets.CrossOriginFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>cross-origin</filter-name>
        <url-pattern>/cometd/*</url-pattern>
    </filter-mapping>
    ...
</web-app>

  • Field Details

    • ACCESS_CONTROL_REQUEST_METHOD_HEADER

      public static final String ACCESS_CONTROL_REQUEST_METHOD_HEADER
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ACCESS_CONTROL_REQUEST_HEADERS_HEADER

      public static final String ACCESS_CONTROL_REQUEST_HEADERS_HEADER
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ACCESS_CONTROL_ALLOW_ORIGIN_HEADER

      public static final String ACCESS_CONTROL_ALLOW_ORIGIN_HEADER
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ACCESS_CONTROL_ALLOW_METHODS_HEADER

      public static final String ACCESS_CONTROL_ALLOW_METHODS_HEADER
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ACCESS_CONTROL_ALLOW_HEADERS_HEADER

      public static final String ACCESS_CONTROL_ALLOW_HEADERS_HEADER
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ACCESS_CONTROL_MAX_AGE_HEADER

      public static final String ACCESS_CONTROL_MAX_AGE_HEADER
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER

      public static final String ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ACCESS_CONTROL_EXPOSE_HEADERS_HEADER

      public static final String ACCESS_CONTROL_EXPOSE_HEADERS_HEADER
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • TIMING_ALLOW_ORIGIN_HEADER

      public static final String TIMING_ALLOW_ORIGIN_HEADER
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ALLOWED_ORIGINS_PARAM

      public static final String ALLOWED_ORIGINS_PARAM
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ALLOWED_TIMING_ORIGINS_PARAM

      public static final String ALLOWED_TIMING_ORIGINS_PARAM
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ALLOWED_METHODS_PARAM

      public static final String ALLOWED_METHODS_PARAM
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ALLOWED_HEADERS_PARAM

      public static final String ALLOWED_HEADERS_PARAM
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • PREFLIGHT_MAX_AGE_PARAM

      public static final String PREFLIGHT_MAX_AGE_PARAM
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • ALLOW_CREDENTIALS_PARAM

      public static final String ALLOW_CREDENTIALS_PARAM
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • EXPOSED_HEADERS_PARAM

      public static final String EXPOSED_HEADERS_PARAM
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • OLD_CHAIN_PREFLIGHT_PARAM

      public static final String OLD_CHAIN_PREFLIGHT_PARAM
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

    • CHAIN_PREFLIGHT_PARAM

      public static final String CHAIN_PREFLIGHT_PARAM
      Deprecated, for removal: This API element is subject to removal in a future version.
      See Also:

  • Constructor Details

    • CrossOriginFilter

      public CrossOriginFilter()
      Deprecated, for removal: This API element is subject to removal in a future version.

  • Method Details

    • init

      public void init(jakarta.servlet.FilterConfig config) throws jakarta.servlet.ServletException
      Deprecated, for removal: This API element is subject to removal in a future version.
      Specified by:
      init in interface jakarta.servlet.Filter
      Throws:
      jakarta.servlet.ServletException

    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest request, jakarta.servlet.ServletResponse response, jakarta.servlet.FilterChain chain) throws IOException, jakarta.servlet.ServletException
      Deprecated, for removal: This API element is subject to removal in a future version.
      Specified by:
      doFilter in interface jakarta.servlet.Filter
      Throws:
      IOException
      jakarta.servlet.ServletException

    • isEnabled

      protected boolean isEnabled(jakarta.servlet.http.HttpServletRequest request)
      Deprecated, for removal: This API element is subject to removal in a future version.

    • destroy

      public void destroy()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Specified by:
      destroy in interface jakarta.servlet.Filter