Package org.eclipse.jetty.ee8.servlets

Class CrossOriginFilter

java.lang.Object
org.eclipse.jetty.ee8.servlets.CrossOriginFilter
All Implemented Interfaces:
javax.servlet.Filter
public class CrossOriginFilter extends Object implements javax.servlet.Filter
Implementation of the cross-origin resource sharing.

A typical example is to use this filter to allow cross-domain cometd communication using the standard long polling transport instead of the JSONP transport (that is less efficient and less reactive to failures).

This filter allows the following configuration parameters:

allowedOrigins
a comma separated list of origins that are allowed to access the resources. Default value is *, meaning all origins. Note that using wild cards can result in security problems for requests identifying hosts that do not exist.

If an allowed origin contains one or more * characters (for example http://*.domain.com), then "*" characters are converted to ".*", "." characters are escaped to "\." and the resulting allowed origin interpreted as a regular expression.

Allowed origins can therefore be more complex expressions such as https?://*.domain.[a-z]{3} that matches http or https, multiple subdomains and any 3 letter top-level domain (.com, .net, .org, etc.).

allowedTimingOrigins
a comma separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins.

The check whether the timing header is set, will be performed only if the user gets general access to the resource using the allowedOrigins.

allowedMethods
a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST,HEAD
allowedHeaders
a comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single "*", this means that any headers will be accepted.
preflightMaxAge
the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes
allowCredentials
a boolean indicating if the resource allows requests with credentials. Default value is true
exposedHeaders
a comma separated list of HTTP headers that are allowed to be exposed on the client. Default value is the empty list
chainPreflight
if true preflight requests are chained to their target resource for normal handling (as an OPTION request). Otherwise the filter will response to the preflight. Default is true.
A typical configuration could be: 
 <web-app ...>
     ...
     <filter>
         <filter-name>cross-origin</filter-name>
         <filter-class>org.eclipse.jetty.ee8.servlets.CrossOriginFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>cross-origin</filter-name>
         <url-pattern>/cometd/*</url-pattern>
     </filter-mapping>
     ...
 </web-app>

  • Field Details

  • Constructor Details

    • CrossOriginFilter

      public CrossOriginFilter()

  • Method Details

    • init

      public void init(javax.servlet.FilterConfig config) throws javax.servlet.ServletException
      Specified by:
      init in interface javax.servlet.Filter
      Throws:
      javax.servlet.ServletException

    • doFilter

      public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException
      Specified by:
      doFilter in interface javax.servlet.Filter
      Throws:
      IOException
      javax.servlet.ServletException

    • isEnabled

      protected boolean isEnabled(javax.servlet.http.HttpServletRequest request)

    • destroy

      public void destroy()
      Specified by:
      destroy in interface javax.servlet.Filter